feat: add trust_forwarded_proto option for SSL redirect handling in reverse proxy scenarios

When Nginx is behind another proxy server (like CloudFlare or AWS ALB), the force-SSL feature can cause redirect loops because Nginx sees the connection as plain HTTP while SSL is already handled upstream. This adds a new boolean option to trust the X-Forwarded-Proto header from upstream proxies. Changes: - Add `trust_forwarded_proto` column to proxy_host table (migration) - Update model and API schema to support the new boolean field - Modify force-ssl Nginx template to check X-Forwarded-Proto/X-Forwarded-Scheme - Add map directives in nginx.conf to validate and sanitize forwarded headers - Add advanced option toggle in frontend UI with i18n support (EN/ZH) - Set proxy headers from validated map variables instead of $scheme This allows administrators to control SSL redirect behavior when Nginx is deployed behind a TLS-terminating proxy.
2026-02-27 04:45:22 +00:00 · 2026-01-31 13:11:47 +00:00
parent bad3eac515
commit 187d21a0d5
15 changed files with 120 additions and 4 deletions
--- a/frontend/src/components/Form/SSLOptionsFields.tsx
+++ b/frontend/src/components/Form/SSLOptionsFields.tsx
@@ -15,7 +15,7 @@ export function SSLOptionsFields({ forHttp = true, forceDNSForNew, requireDomain

 	const newCertificate = v?.certificateId === "new";
 	const hasCertificate = newCertificate || (v?.certificateId && v?.certificateId > 0);
-	const { sslForced, http2Support, hstsEnabled, hstsSubdomains, meta } = v;
+	const { sslForced, http2Support, hstsEnabled, hstsSubdomains, trustForwardedProto, meta } = v;
 	const { dnsChallenge } = meta || {};

 	if (forceDNSForNew && newCertificate && !dnsChallenge) {
@@ -140,6 +140,31 @@ export function SSLOptionsFields({ forHttp = true, forceDNSForNew, requireDomain
 					{dnsChallenge ? <DNSProviderFields showBoundaryBox /> : null}
 				</>
 			) : null}
+			{<div>
+				<details>
+					<summary className="mb-1"><T id="domains.advanced" /></summary>
+					<div className="row">
+						<div className="col-12">
+							<Field name="trustForwardedProto">
+								{({ field }: any) => (
+									<label className="form-check form-switch mt-1">
+										<input
+											className={trustForwardedProto ? toggleEnabled : toggleClasses}
+											type="checkbox"
+											checked={!!trustForwardedProto}
+											onChange={(e) => handleToggleChange(e, field.name)}
+											disabled={!hasCertificate || !sslForced}
+										/>
+										<span className="form-check-label">
+											<T id="domains.trust-forwarded-proto" />
+										</span>
+									</label>
+								)}
+							</Field>
+						</div>
+					</div>
+				</details>
+			</div>}
 		</div>
 	);
 }