X-Forwarded-* headers are not used for resolving the URI
kaosko opened this issue
Kalle Korhonen commented
Function redirect-uri should use X-Forwarded-* header values to resolve the URI, at least request.getHeader("X-Forwarded-Proto"). Currently, if your application is behind a reverse proxy that handles https and you resolve a relative redirect link, the generated URI will have http:// instead of https://.
James Reeves commented
Take a look at the wrap-forwarded-scheme function in the Ring-SSL library. Rather than making every middleware check both the :scheme and the X-Forwarded-Proto header, it's less code to normalize the request map first.
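
The normalization approach from the reply above, as an added example that is not part of the thread and not Ring-SSL's own code: a middleware rewrites :scheme from X-Forwarded-Proto once, and the redirect code downstream reads only :scheme. The trusted-proxy allow-list, the addresses, the host name and all function names are assumptions made for illustration.

```clojure
(ns example.forwarded-scheme
  (:require [clojure.string :as str]))

;; Hypothetical allow-list: addresses of the reverse proxies that terminate TLS.
(def trusted-proxies #{"10.0.0.5"})

(defn wrap-trusted-forwarded-scheme
  "Sets :scheme from X-Forwarded-Proto, but only when the request arrived
  directly from a trusted proxy and the header value is http or https."
  [handler]
  (fn [request]
    (let [proto (some-> (get-in request [:headers "x-forwarded-proto"])
                        str/trim
                        str/lower-case)]
      (if (and (contains? trusted-proxies (:remote-addr request))
               (#{"http" "https"} proto))
        (handler (assoc request :scheme (keyword proto)))
        ;; Untrusted peer or unexpected value: keep the scheme the server saw.
        (handler request)))))

(defn absolute-redirect
  "Stand-in for downstream code that resolves a relative path. It reads only
  :scheme and never inspects forwarding headers itself."
  [request path]
  (str (name (:scheme request)) "://" (get-in request [:headers "host"]) path))

(def app
  (wrap-trusted-forwarded-scheme
    (fn [request]
      {:status 302
       :headers {"Location" (absolute-redirect request "/login")}})))

;; Constructed sample requests in Ring's request-map shape.
(def via-proxy
  {:scheme :http
   :remote-addr "10.0.0.5"
   :headers {"host" "app.example.com" "x-forwarded-proto" "https"}})

;; Same header, but sent by a client that is not on the allow-list.
(def direct-with-header
  (assoc via-proxy :remote-addr "203.0.113.9"))

(defn -main [& _]
  (println (get-in (app via-proxy) [:headers "Location"]))
  (println (get-in (app direct-with-header) [:headers "Location"])))
```

The request relayed by the allow-listed proxy gets an https:// Location, while the request carrying the same header from any other address keeps the scheme the server observed.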