mod_http: Consider x-forwarded-proto from trusted proxies
Should be better than setting consider_{bosh,websocket}_secure as that
may end up causing actually insecure requests to be considered secure.
Doing it here, as with IP, should make this apply to all HTTP modules.
--- a/plugins/mod_http.lua Thu Feb 18 12:02:11 2021 +0100
+++ b/plugins/mod_http.lua Thu Feb 18 10:00:56 2021 +0100
@@ -259,6 +259,10 @@
if request and is_trusted_proxy(request.conn:ip()) then
-- Not included in eg http-error events
request.ip = get_ip_from_request(request);
+
+ if not request.secure and request.headers.x_forwarded_proto == "https" then
+ request.secure = true;
+ end
end
return handlers(event_name, event_data);
end);