SSL reverse proxy redirect

[fnpanic]

Hi,

i am using nginx + script server. The http example works perfect. As soon as i add SSL support proxy_pass redirects to https://127.0.0.1:5000/index.html in the browser instead of doing this in the backend. This is my config:

# Redirect http to https
server {
   listen 80;
   server_tokens off;
   server_name scripts.cloud;
   return 301 https://$server_name$request_uri;
}

server {
   listen 443 ssl http2;
   server_name scripts.cloud;
   server_tokens off;
   autoindex off;

   ssl_certificate /etc/nginx/ssl/ssl.crt;
   ssl_certificate_key /etc/nginx/ssl/ssl.rsa;
   ssl_session_timeout 5m;
   ssl_protocols TLSv1.2 TLSv1.3;
   ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
   ssl_prefer_server_ciphers on;
   ssl_session_cache shared:SSL:10m;

   location ^~ / {
        proxy_pass_header Server;
        proxy_set_header Host $proxy_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:5000/;

        # needed for websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Origin http://$proxy_host;
   }
   location ~ /\. {
       access_log off;
       log_not_found off;
       deny all;
   }

}

Not really show why...

[bugy]

Hi @fnpanic I'm not a network administrator and unfortunately i don't fully understand the problem By specifying 301 redirect, it should happen kind of in browser. Did you check network tab in a browser? Which requests are actually executed?

[fnpanic]

I found the problem.

proxy_set_header X-Scheme $scheme;

This passes the protocol to the proxy_pass directive which then upgrades to https no matter what is set in the proxy_pass uri. Remvoing this solves the problem. Maybe it is helpful for someone else also.