ThatGuyJack/nginx-proxy-manager
1
0
Fork 0
mirror of https://github.com/NginxProxyManager/nginx-proxy-manager.git synced 2026-02-11 21:22:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

feat: add trust_forwarded_proto option for SSL redirect handling in reverse proxy scenarios

Browse Source 
When Nginx is behind another proxy server (like CloudFlare or AWS ALB), the force-SSL
feature can cause redirect loops because Nginx sees the connection as plain HTTP
while SSL is already handled upstream. This adds a new boolean option to trust
the X-Forwarded-Proto header from upstream proxies.

Changes:
- Add `trust_forwarded_proto` column to proxy_host table (migration)
- Update model and API schema to support the new boolean field
- Modify force-ssl Nginx template to check X-Forwarded-Proto/X-Forwarded-Scheme
- Add map directives in nginx.conf to validate and sanitize forwarded headers
- Add advanced option toggle in frontend UI with i18n support (EN/ZH)
- Set proxy headers from validated map variables instead of $scheme

This allows administrators to control SSL redirect behavior when Nginx is deployed
behind a TLS-terminating proxy.
This commit is contained in:
jerry-yuan
2026-01-31 13:11:47 +00:00
parent bad3eac515
commit 187d21a0d5
15 changed files with 120 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
docker/rootfs/etc/nginx/conf.d/include/force-ssl.conf
View File

@@ -5,9 +5,25 @@ if ($scheme = "http") {
if ($request_uri = /.well-known/acme-challenge/test-challenge) {
set $test "${test}T";
}
# Check if the ssl staff has been handled
set $test_proto "";
if ($trust_forwarded_proto = T){
set $test_proto "${test_proto}T";
}
if ($http_x_forwarded_proto = "https") {
set $test_proto "${test_proto}S";
}
if ($http_x_forwarded_scheme = "https") {
set $test_proto "${test_proto}S";
}
if ($test_proto = "TSS") {
set $test_proto "TS";
}
if ($test_proto = "TS") {
set $test "${test}S";
}
if ($test = H) {
return 301 https://$host$request_uri;
}

4
docker/rootfs/etc/nginx/conf.d/include/proxy.conf
View File

@@ -1,7 +1,7 @@
add_header X-Served-By $host;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Scheme $x_forwarded_scheme;
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass $forward_scheme://$server:$port$request_uri;