feat: add trust_forwarded_proto option for SSL redirect handling in reverse proxy scenarios

When Nginx is behind another proxy server (like CloudFlare or AWS ALB), the force-SSL feature can cause redirect loops because Nginx sees the connection as plain HTTP while SSL is already handled upstream. This adds a new boolean option to trust the X-Forwarded-Proto header from upstream proxies. Changes: - Add `trust_forwarded_proto` column to proxy_host table (migration) - Update model and API schema to support the new boolean field - Modify force-ssl Nginx template to check X-Forwarded-Proto/X-Forwarded-Scheme - Add map directives in nginx.conf to validate and sanitize forwarded headers - Add advanced option toggle in frontend UI with i18n support (EN/ZH) - Set proxy headers from validated map variables instead of $scheme This allows administrators to control SSL redirect behavior when Nginx is deployed behind a TLS-terminating proxy.
2026-02-11 21:22:57 +00:00 · 2026-01-31 13:11:47 +00:00
parent bad3eac515
commit 187d21a0d5
15 changed files with 120 additions and 4 deletions
--- a/frontend/src/api/backend/models.ts
+++ b/frontend/src/api/backend/models.ts
@@ -127,6 +127,7 @@ export interface ProxyHost {
 	locations?: ProxyLocation[];
 	hstsEnabled: boolean;
 	hstsSubdomains: boolean;
+	trustForwardedProto: boolean;
 	// Expansions:
 	owner?: User;
 	accessList?: AccessList;
--- a/frontend/src/components/Form/SSLOptionsFields.tsx
+++ b/frontend/src/components/Form/SSLOptionsFields.tsx
@@ -15,7 +15,7 @@ export function SSLOptionsFields({ forHttp = true, forceDNSForNew, requireDomain

 	const newCertificate = v?.certificateId === "new";
 	const hasCertificate = newCertificate || (v?.certificateId && v?.certificateId > 0);
-	const { sslForced, http2Support, hstsEnabled, hstsSubdomains, meta } = v;
+	const { sslForced, http2Support, hstsEnabled, hstsSubdomains, trustForwardedProto, meta } = v;
 	const { dnsChallenge } = meta || {};

 	if (forceDNSForNew && newCertificate && !dnsChallenge) {
@@ -140,6 +140,31 @@ export function SSLOptionsFields({ forHttp = true, forceDNSForNew, requireDomain
 					{dnsChallenge ? <DNSProviderFields showBoundaryBox /> : null}
 				</>
 			) : null}
+			{<div>
+				<details>
+					<summary className="mb-1"><T id="domains.advanced" /></summary>
+					<div className="row">
+						<div className="col-12">
+							<Field name="trustForwardedProto">
+								{({ field }: any) => (
+									<label className="form-check form-switch mt-1">
+										<input
+											className={trustForwardedProto ? toggleEnabled : toggleClasses}
+											type="checkbox"
+											checked={!!trustForwardedProto}
+											onChange={(e) => handleToggleChange(e, field.name)}
+											disabled={!hasCertificate || !sslForced}
+										/>
+										<span className="form-check-label">
+											<T id="domains.trust-forwarded-proto" />
+										</span>
+									</label>
+								)}
+							</Field>
+						</div>
+					</div>
+				</details>
+			</div>}
 		</div>
 	);
 }
--- a/frontend/src/hooks/useProxyHost.ts
+++ b/frontend/src/hooks/useProxyHost.ts
@@ -24,6 +24,7 @@ const fetchProxyHost = (id: number | "new") => {
 			enabled: true,
 			hstsEnabled: false,
 			hstsSubdomains: false,
+			trustForwardedProto: false,
 		} as ProxyHost);
 	}
 	return getProxyHost(id, ["owner"]);
--- a/frontend/src/locale/src/en.json
+++ b/frontend/src/locale/src/en.json
@@ -347,6 +347,9 @@
 	"domain-names.wildcards-not-supported": {
 		"defaultMessage": "Wildcards not supported for this CA"
 	},
+	"domains.advanced": {
+		"defaultMessage": "Advanced"
+	},
 	"domains.force-ssl": {
 		"defaultMessage": "Force SSL"
 	},
@@ -359,6 +362,9 @@
 	"domains.http2-support": {
 		"defaultMessage": "HTTP/2 Support"
 	},
+	"domains.trust-forwarded-proto": {
+		"defaultMessage": "Trust Upstream Forwarded Proto Headers"
+	},
 	"domains.use-dns": {
 		"defaultMessage": "Use DNS Challenge"
 	},
--- a/frontend/src/locale/src/zh.json
+++ b/frontend/src/locale/src/zh.json
@@ -275,6 +275,9 @@
 	"domain-names.wildcards-not-supported": {
 		"defaultMessage": "此 CA 不支持通配符"
 	},
+	"domains.advanced": {
+		"defaultMessage": "高级选项"
+	},
 	"domains.force-ssl": {
 		"defaultMessage": "强制 SSL"
 	},
@@ -287,6 +290,9 @@
 	"domains.http2-support": {
 		"defaultMessage": "HTTP/2 支持"
 	},
+	"domains.trust-forwarded-proto": {
+		"defaultMessage": "信任上游代理传递的协议类型头"
+	},
 	"domains.use-dns": {
 		"defaultMessage": "使用DNS验证"
 	},
--- a/frontend/src/modals/ProxyHostModal.tsx
+++ b/frontend/src/modals/ProxyHostModal.tsx
@@ -88,6 +88,7 @@ const ProxyHostModal = EasyModal.create(({ id, visible, remove }: Props) => {
 							http2Support: data?.http2Support || false,
 							hstsEnabled: data?.hstsEnabled || false,
 							hstsSubdomains: data?.hstsSubdomains || false,
+							trustForwardedProto: data?.trustForwardedProto || false,
 							// Advanced tab
 							advancedConfig: data?.advancedConfig || "",
 							meta: data?.meta || {},