config.Opts.HTTPS gets overwritten if there are both HTTPS and HTTP reverse proxies

miniflux / v2

Minimalist and opinionated feed reader

https://miniflux.app

Apache License 2.0

6.82k stars 718 forks source link

config.Opts.HTTPS gets overwritten if there are both HTTPS and HTTP reverse proxies #856

Open yelite opened 3 years ago

yelite commented 3 years ago

At service/httpd/middleware.go#L22,

        if r.Header.Get("X-Forwarded-Proto") == "https" {
            config.Opts.HTTPS = true
        }

If there are traffic from both HTTPS and HTTP reverse proxy, config.Opts.HTTPS will be updated to true after the first request from the HTTPS proxy. After that, all HTTP traffic will get secure cookie which breaks lots of things.

I believe this is one of the cause of #414

yelite commented 3 years ago

I have a fix on https://github.com/yelite/v2/tree/fix-http-secure-cookies. It's deployed to my home server and solved the problem. Since I haven't written go before, I am not sure if it's the best way to fix it.