From 88667a30ee8409f717228c81c60e26f6687d935d Mon Sep 17 00:00:00 2001
From: Danilo Hoffmann <dhhyi@aol.com>
Date: Fri, 20 Oct 2023 09:12:47 +0200
Subject: [PATCH] fix: forward proto from reverse proxy

---
 nginx/nginx.conf                        | 6 ++++++
 nginx/templates/multi-channel.conf.tmpl | 6 +++---
 server.ts                               | 4 ++++
 3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 9b2c01a052..e883141901 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -69,5 +69,11 @@ http {
 
     include /etc/nginx/conf.d/features.conf;
 
+    # use the scheme from the X-Forwarded-Proto header if present or default to $scheme
+    map $http_x_forwarded_proto $thescheme {
+        default $http_x_forwarded_proto;
+        ''      $scheme;
+    }
+
     include /etc/nginx/conf.d/multi-channel.conf;
 }
diff --git a/nginx/templates/multi-channel.conf.tmpl b/nginx/templates/multi-channel.conf.tmpl
index 8ad50d04a8..715055d636 100644
--- a/nginx/templates/multi-channel.conf.tmpl
+++ b/nginx/templates/multi-channel.conf.tmpl
@@ -23,7 +23,7 @@
         proxy_set_header Host $http_host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Proto $thescheme;
 
         add_header X-Cache-Status $upstream_cache_status;
         proxy_ignore_headers Cache-Control;
@@ -135,7 +135,7 @@ server {
         proxy_set_header Host $http_host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Proto $thescheme;
 
         proxy_no_cache true;
         proxy_cache_bypass true;
@@ -155,7 +155,7 @@ server {
         proxy_set_header Host $http_host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Proto $thescheme;
 
         proxy_ignore_headers Cache-Control;
         proxy_cache_valid 200 302 {{ getenv "CACHE_DURATION_NGINX_OK" }};
diff --git a/server.ts b/server.ts
index 8c2a8d40ac..eef8b83e71 100644
--- a/server.ts
+++ b/server.ts
@@ -489,6 +489,10 @@ export function app() {
 
   console.log('ICM_BASE_URL is', ICM_BASE_URL);
 
+  // running behind nginx - make sure to use all x-forwarded headers correctly
+  // see https://expressjs.com/en/guide/behind-proxies.html
+  server.set('trust proxy', true);
+
   return server;
 }