From 1a12f7f3a847f1a66d0bae372b09c03dab49acfc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pau=20Cap=C3=B3?=
Date: Sat, 22 Jun 2024 14:56:52 +0200
Subject: [PATCH 1/4] force-ssl behind another proxy using http_x_forwarded_proto
---
 docker/rootfs/etc/nginx/conf.d/include/force-ssl.conf | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/docker/rootfs/etc/nginx/conf.d/include/force-ssl.conf b/docker/rootfs/etc/nginx/conf.d/include/force-ssl.conf
index aa52f335..b0acd36a 100644
--- a/docker/rootfs/etc/nginx/conf.d/include/force-ssl.conf
+++ b/docker/rootfs/etc/nginx/conf.d/include/force-ssl.conf
@@ -2,6 +2,9 @@ set $test "";
 if ($scheme = "http") {
 set $test "H";
 }
+if ($http_x_forwarded_proto = "http") {
+ set $test "H";
+}
 if ($request_uri = /.well-known/acme-challenge/test-challenge) {
 set $test "${test}T";
 }
From 54d6196d362817d02a59503a45630cb29e1ed467 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pau=20Cap=C3=B3?=
Date: Sat, 22 Jun 2024 15:01:39 +0200
Subject: [PATCH 2/4] use tabs instead of spaces
---
 docker/rootfs/etc/nginx/conf.d/include/force-ssl.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker/rootfs/etc/nginx/conf.d/include/force-ssl.conf b/docker/rootfs/etc/nginx/conf.d/include/force-ssl.conf
index b0acd36a..1ff8c2d5 100644
--- a/docker/rootfs/etc/nginx/conf.d/include/force-ssl.conf
+++ b/docker/rootfs/etc/nginx/conf.d/include/force-ssl.conf
@@ -3,7 +3,7 @@ if ($scheme = "http") {
 set $test "H";
 }
 if ($http_x_forwarded_proto = "http") {
- set $test "H";
+ set $test "H";
 }
 if ($request_uri = /.well-known/acme-challenge/test-challenge) {
 set $test "${test}T";
From 81b7661849285ad80ba76f5313dfd980f6c2d0b7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pau=20Cap=C3=B3?=
Date: Sat, 22 Jun 2024 18:08:58 +0200
Subject: [PATCH 3/4] fix logic
---
 docker/rootfs/etc/nginx/conf.d/include/force-ssl.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docker/rootfs/etc/nginx/conf.d/include/force-ssl.conf b/docker/rootfs/etc/nginx/conf.d/include/force-ssl.conf
index 1ff8c2d5..2a568bd3 100644
--- a/docker/rootfs/etc/nginx/conf.d/include/force-ssl.conf
+++ b/docker/rootfs/etc/nginx/conf.d/include/force-ssl.conf
@@ -2,8 +2,8 @@ set $test "";
 if ($scheme = "http") {
 set $test "H";
 }
-if ($http_x_forwarded_proto = "http") {
- set $test "H";
+if ($http_x_forwarded_proto = "https") {
+ set $test "";
 }
 if ($request_uri = /.well-known/acme-challenge/test-challenge) {
 set $test "${test}T";
From 43e2d1d0739ebed8a4865672c8c91c0408ec67ee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pau=20Cap=C3=B3?=
Date: Sat, 22 Jun 2024 19:15:43 +0200
Subject: [PATCH 4/4] propagate X-Forwarded-Proto header
---
 docker/rootfs/etc/nginx/conf.d/include/proxy.conf | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/docker/rootfs/etc/nginx/conf.d/include/proxy.conf b/docker/rootfs/etc/nginx/conf.d/include/proxy.conf
index d346c4ef..7fa1da31 100644
--- a/docker/rootfs/etc/nginx/conf.d/include/proxy.conf
+++ b/docker/rootfs/etc/nginx/conf.d/include/proxy.conf
@@ -1,7 +1,13 @@
 add_header X-Served-By $host;
 proxy_set_header Host $host;
-proxy_set_header X-Forwarded-Scheme $scheme;
-proxy_set_header X-Forwarded-Proto $scheme;
+
+set $origin_scheme $scheme;
+if ($http_x_forwarded_proto != "") {
+ set $origin_scheme $http_x_forwarded_proto;
+}
+proxy_set_header X-Forwarded-Scheme $origin_scheme;
+proxy_set_header X-Forwarded-Proto $origin_scheme;
+
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_pass $forward_scheme://$server:$port$request_uri;
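Review bot: A plain-HTTP client can switch off the forced redirect by sending `X-Forwarded-Proto: https` itself, because the force-ssl.conf hunk of patch 3/4 clears `$test` in `if ($http_x_forwarded_proto = "https") { set $test ""; }` without checking who sent the header. The header should be honoured only when the peer is a known upstream proxy, for example by testing a variable that a `geo` or `map` block in the http context fills only for trusted peer addresses, `if ($trusted_forwarded_proto = "https") {` (the variable name is a placeholder), or by putting the behaviour behind an explicit per-host option. The proxy.conf hunk of patch 4/4 relays the same unauthenticated header to the backend and needs the same gate. The rest of force-ssl.conf is outside the hunk, so this assumes `$test` still drives the redirect as it did before the series.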
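Review bot: In the proxy.conf hunk of patch 4/4, `$origin_scheme` takes any non-empty `X-Forwarded-Proto` value, so strings other than `http` or `https` (a comma-separated list from a proxy chain, or arbitrary text) reach the backend in both `X-Forwarded-Scheme` and `X-Forwarded-Proto`. Backends commonly use that value to decide on secure cookies and to build redirect URLs, so it is safer to accept only the two valid schemes and fall back to `$scheme` otherwise: `if ($http_x_forwarded_proto ~ ^https?$) {`. A short comment above `set $origin_scheme $scheme;` stating that the header is expected from a TLS-terminating proxy in front of this instance would also make the intent of the include clear.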