Proxy header override issue

[zarkerus]

When I added stac-auth-proxy between my reverse proxy (nginx) and stac-fastapi-pgstac, all of my links changed to http instead of https

"links": [
{
"rel": "self",
"type": "application/json",
"title": "This document",
"href": "http://stac-api.example.com/"
},

stac-auth-proxy/src/stac_auth_proxy/handlers/reverse_proxy.py

Line 41 in 418c3d5

proxy_proto = request.url.scheme

I don't know much about python but I think this line of code is override the header X-Forwarded-Proto coming to stac-auth-proxy
request.url.scheme comes from the request that arrived at stac-auth-proxy (Which is TLS terminated), not what Nginx passed

Possible fix
proxy_proto = request.headers.get("X-Forwarded-Proto", request.url.scheme)

[alukach]

Could you share your NGINX config file? Or even better, could you create a reusable example (likely via a docker-compose file?).

Thinking out loud: You seem to be describing a situation where we are sending the Forwarded header based on bad data. This seems reasonable, but I note two things:

1. We start by copying all the headers in the request (headers = MutableHeaders(request.headers))
2. We only set Forwarded if it is unset, via setdefault (headers.setdefault("Forwarded", ...))

stac-auth-proxy/src/stac_auth_proxy/handlers/reverse_proxy.py

Lines 37 to 47 in 418c3d5

	headers = MutableHeaders(request.headers)
	headers.setdefault("Via", f"1.1 {self.proxy_name}")
	proxy_client = request.client.host if request.client else "unknown"
	proxy_proto = request.url.scheme
	proxy_host = request.url.netloc
	proxy_path = request.base_url.path
	headers.setdefault(
	"Forwarded",
	f"for={proxy_client};host={proxy_host};proto={proxy_proto};path={proxy_path}",
	)

So my guess is that your NGINX config is using the non-standard (but defacto standard) X-Forwarded-* headers (which would still be present in the request leaving the STAC Auth Proxy) while your upstream API is utilizing the Forwarded header that the STAC Auth Proxy is creating (albeit with bad data).

I'm not saying that this is not a bug, but I would be curious to hear if you could fix your problem by setting the Forwarded header in your NGINX configuration (which I predict is currently not set).

[zarkerus]

Your guess is correct, I was using the nginx config in stac-fastapi-pgstac example which used X-Forwarded-*

    location / {
        proxy_set_header   Host $http_host;
        proxy_pass         http://stac-api;
        proxy_set_header   X-Real-IP          $remote_addr;
        proxy_set_header   X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto  $scheme;
        # Can use this header instead of X-Forwarded-For and X-Forwarded-Proto
        proxy_set_header   Forwarded          "for=$remote_addr;proto=$scheme;host=$host";

        # To support websockets
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection "upgrade";

After replace with Forwarded header, the proxy work properly now, thanks for your help.

[alukach]

Thanks for closing this. I committed #88 to prevent this in the future.