X-Forwarded-Proto header

matbgn · April 6, 2022, 5:18am

Do I totally screwed or I read somewhere that we could add some headers to boringproxy?

How would I come to the solution with proxy_set_header X-Forwarded-Proto $scheme;?

I would be also very glad of a boring simple solution for that kind of situation like on Cloudflare services:

Make sure you have working SSL and HTTPS on Heroku (or wherever you’re serving your Rails application.) Turn Cloudflare SSL to Full mode. Problem solved.

Many thanks in advance for your advices

anders · April 6, 2022, 10:05pm

There’s no way to set custom headers in boringproxy. I could add it (or add X-Forwarded-Proto explicitly), but I’m not sure when I’d get to it. Can I ask what specifically you need the header for?

matbgn · April 8, 2022, 6:36am

I already got for two projects (the first one, I abandoned it and can even remember it)

But most recently I tried to use InvoiceNinja on reverse proxy and snappdf refuse to render PDFs if this header is not present.

Is this a lot of work?

anders · April 11, 2022, 6:16pm

I went ahead and implemented it real quick. You’ll need to use the master builds though, which have quite a few other changes at this point:

https://gemdrive.io/apps/delver/?drive=https://files.apitman.com&path=/public/boringproxy/master

Let me know if that works for you.

matbgn · April 11, 2022, 6:20pm

After digging into API config I could investigate more and listed the maximal required headers:

location ~* /api/ {
proxy_pass http://gunicorn;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}

Just for knowing, which one of those are already implemented?

matbgn · April 11, 2022, 6:21pm

Side note you are just AMAZING!!! Really!

Thank you so much for this quick fix you’re a Lord

anders · April 11, 2022, 6:26pm

I appreciate the appreciation.

I believe boringproxy currently supports Host, X-Forwarded-For, and now X-Forwarded-Proto.

X-Real-IP is redundant with X-Forwarded-For and shouldn’t be required.

matbgn · April 11, 2022, 6:29pm

And it’s sincere!

Thanks

I will make some tests to validate X-Real-IP redundancy to be sure

matbgn · May 4, 2022, 7:49am

Due to a new stop of serving tunnels between clients and server I took time to update to the alpha master version.

Unfortunately I was not able to confirm that the proxy_set_header X-Forwarded-Proto $scheme; worked. Since I have always the http call at the end.

Maybe I have to use a new TLS Termination, since till then I used Server RAW TLS?

Thanks in advance

matbgn · May 4, 2022, 8:03am

To be sure I tried them all with no luck.

But I still think that the X-Real-IP is needed when I look at network tool

Scheme is still not propagated, but it seems that IP also have to be forwarded

What do you mean?

matbgn · May 9, 2022, 6:02am

After returning on the corresponding project impacted by this issue (my invoice manager), I have noticed that the schema propagation is now perfectly OK.

I guess there must have been some caching somewhere, but in any case everything is fixed and I confirm that the X-Real-IP header is redundant.

Thanks again

anders · May 11, 2022, 6:07pm

Glad you got it working!