Open mildred opened 3 years ago
-p 2
could mean SASL Security Layer, which is not TLS, like GSSAPI Security Layer.
You are entitled to configure the front-end server to do the rewritings. With nginx this done with the proxy_redirect directive.
I personally add by the front-end server a Forwarded header: proxy_set_header Forwarded "proto=https;host=example.org"; and within httpd evaluate the proto= part.
This results correct results, e.g. when it comes to /freebusy/user/zzz answers.
I have a server with a cyrus listening on HTTP on localhost port 8080 with a reverse proxy doing the TLS termination.
To ensure that Cyrus understands the connection is secure, the
cyrus.conf
line for this service contains-p 2
:Now, when I make a request to
https://hostname/.well-known/jmap
I get redirected withLocation: http://hostname/.well-known/jmap
. I believe the problem is with this code:https://github.com/cyrusimap/cyrus-imapd/blob/463507c667052ea80e088c05b10ce91a7dbd5534/imap/httpd.c#L1624
It redirects with
https
only if thehttps
variable is true, which happens only if Cyrus itself is doing the TLS part. It should check also the variableextprops_ssf
to ensure that an external reverse proxy that does https will count as well.I suggest the following change:
Or provide a new CLI flag to tell specifically that we are using the https protocol.