From fead9087ac455fa422d7d98730f56117e33a48a2 Mon Sep 17 00:00:00 2001
From: Manuel Alejandro de Brito Fontes
Date: Thu, 21 Dec 2017 12:44:08 -0300
Subject: [PATCH] Validate x-forwarded-proto and connection scheme before redirecting to https (#1844)

---
 rootfs/etc/nginx/template/nginx.tmpl | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index 290a9078d..f2f177033 100644
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@@ -189,6 +189,12 @@ http {
 '' $scheme;
 }
 
+ # validate $pass_access_scheme and $scheme are http to force a redirect
+ map "$scheme:$pass_access_scheme" $redirect_to_https {
+ default 0;
+ "http:http" 1;
+ }
+
 map $http_x_forwarded_port $pass_server_port {
 default $http_x_forwarded_port;
 '' $server_port;
@@ -685,7 +691,7 @@ stream {
 
 {{ if (or $location.Rewrite.ForceSSLRedirect (and (not (empty $server.SSLCertificate)) $location.Rewrite.SSLRedirect)) }}
 # enforce ssl on server side
- if ($pass_access_scheme = http) {
+ if ($redirect_to_https) {
 {{ if ne $all.ListenPorts.HTTPS 443 }}
 {{ $redirect_port := (printf ":%v" $all.ListenPorts.HTTPS) }}
 return {{ $all.Cfg.HTTPRedirectCode }} https://$best_http_host{{ $redirect_port }}$request_uri;
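Review bot: The new `$redirect_to_https` map only yields 1 when `$pass_access_scheme` is also `http`, and that variable (defined in the map just above this hunk, outside the visible lines) falls back from the client-supplied X-Forwarded-Proto header, so a plain-http request that carries an `https` value in that header will no longer be redirected at the `if ($redirect_to_https)` check in the second hunk. That is the intended behaviour only when a trusted proxy in front of nginx always sets or overwrites X-Forwarded-Proto; with nginx exposed directly, the forced-SSL redirect depends on a header the client controls. The comment on the new map should state this trust assumption and the reason both values must be `http`, e.g. `# redirect only when both the connection and X-Forwarded-Proto are http (avoids a loop behind a TLS-terminating proxy); assumes upstream proxies overwrite X-Forwarded-Proto`. The enclosing `http {` block and the location template around the `if` both continue outside the hunks.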