diff plugins/mod_http.lua @ 11383:98b7ae7064b2

mod_http: Consider x-forwarded-proto from trusted proxies Should be better than setting consider_{bosh,websocket}_secure as that may end up causing actually insecure requests to be considered secure. Doing it here, as with IP, should make this apply to all HTTP modules.
author Kim Alvefur <zash@zash.se>
date Thu, 18 Feb 2021 10:00:56 +0100
parents a0477656258c
children c81b6b8c6b19
line wrap: on
line diff
--- a/plugins/mod_http.lua	Thu Feb 18 12:02:11 2021 +0100
+++ b/plugins/mod_http.lua	Thu Feb 18 10:00:56 2021 +0100
@@ -259,6 +259,10 @@
 	if request and is_trusted_proxy(request.conn:ip()) then
 		-- Not included in eg http-error events
 		request.ip = get_ip_from_request(request);
+
+		if not request.secure and request.headers.x_forwarded_proto == "https" then
+			request.secure = true;
+		end
 	end
 	return handlers(event_name, event_data);
 end);