What’s the de facto standard for a Reverse Proxy to tell the backend SSL is used?

by

The proxy can add extra (or overwrite) headers to requests it receives and passes through to the back-end. These can be used to communicate information to the back-end.

So far I’ve seen a couple used for forcing the use of https in URL scheme:

X-Forwarded-Protocol: https
X-Forwarded-Ssl: on
X-Url-Scheme: https

And wikipedia also mentions:

# a de facto standard:
X-Forwarded-Proto: https
# Non-standard header used by Microsoft applications and load-balancers:
Front-End-Https: on

This what you should add to the VirtualHost on apache: other proxies should have similar functionality

RequestHeader set X-FORWARDED-PROTOCOL https
RequestHeader set X-Forwarded-Ssl on
# etc.

I think it’s best to set them all, or set one that works and remove the other known ones. To prevent evil clients messing with them.

More Related Contents:

  1. PhantomJS failing to open HTTPS site
  2. Is it possible to have SSL certificate for IP address, not domain name? [closed]
  3. Ideal HTTP cache control headers for different types of resources
  4. HTTP Basic Authentication credentials passed in URL and encryption
  5. How to fix HttpException: Connection closed before full header was received
  6. Is GET data also encrypted in HTTPS?
  7. How to run Vue.js dev serve with https?
  8. Is HTTP header Referer sent when going to a http page from a https page?
  9. What happens on the wire when a TLS / LDAP or TLS / HTTP connection is set up?
  10. Replay attacks for HTTPS requests
  11. Gradle Could not HEAD https://..pom > peer not authenticated
  12. How do I disable HTTPS in ASP.NET Core 2.1 + Kestrel?
  13. Why do web browsers not support h2c (HTTP/2 without TLS)?
  14. Response.Redirect with POST instead of Get?
  15. What character encoding should I use for a HTTP header?
  16. What security risks exist when setting Access-Control-Allow-Origin to accept all domains?
  17. Secure HTTP Post in Android
  18. How to force HTTPS using a web.config file
  19. Android WebView not loading an HTTPS URL
  20. Chrome redirects .dev to https
  21. How to make an HTTP get request in C without libcurl?
  22. Problems connecting via HTTPS/SSL through own Java client
  23. Should I hash the password before sending it to the server side?
  24. How to remove ASP.Net MVC Default HTTP Headers?
  25. How to redirect HTTP to HTTPS in MVC application (IIS7.5)
  26. Specifying HTTP referer in embedded UIWebView
  27. Requesting html over https with c# Webclient
  28. Differentiating Between an AJAX Call / Browser Request
  29. Debugging failing HTTPS WebRequest
  30. Does the order of headers in an HTTP response ever matter?

Leave a Comment