Closed gparent closed 1 month ago
Send PR if it solves the issue
I've already included a patch, but my understanding is that my fix would break other configurations (Like ones without a frontend proxy). So I'm leaving this here for maintainers to consider it (or not).
recently i came accross an bug in frappe builder where the browser blocks some js and css of the webpage build in builder as it uses http instead of https (bug related to these https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content?utm_source=mozilla&utm_medium=firefox-console-errors&utm_campaign=default
the fix mentioned in this issue fixed it
This issue has been automatically marked as stale. You have a week to explain why you believe this is an error.
Description of the issue
The nginx template sets the
X-Forwarded-Proto
header to$scheme
, which is HTTP when Nginx is used as a HTTP frontend while Traefik does TLS termination.This renders some URLs (like password resets and OpenID connections redirect URIs) being HTTP instead of HTTPS as intended.
There are probably some workarounds to this, however the core issue seems to be that wrong information is given to the backend in
nginx-template.conf
.$scheme
is correct$http_x_forwarded_proto;
Context information (for bug reports)
Here's a patch that I have only tested in HTTPS (so it may break HTTP):
Steps to reproduce the issue
Observed result
Some URIs like password resets and OpenID redirects are HTTP
Expected result
Those URIs should be using the same protocol as the frontend, which could (but isn't necessarily!) HTTPS.