brandur.org

X-Forwarded-Proto

We use rack-ssl to redirect users making requests over raw HTTP and force users onto a secure connection. We also terminate TLS at a reverse proxy, and have it make privileged internal requests over plain HTTP.

This architecture tends to work very well, but can make issuing internal requests with a tool like Curl somewhat difficult because individual servers will deny HTTP connections in favor of HTTPS, but those same servers don’t know how to serve HTTPS!

This is where X-Forwarded-Proto comes in. This unstandardized but de facto standard allows a proxy to hint to backends that a particular protocol was used to serve the request, avoiding a spurious redirect from something like rack-ssl. The same technique can be used with Curl to “fake” a secure request internally:

curl -H "X-Forwarded-Proto: https" ...

Did I make a mistake? Please consider sending a pull request.