listen proxy_protocol and rewrite redirect scheme

Francis Daly francis at
Fri Sep 16 18:46:56 UTC 2016

On Fri, Sep 16, 2016 at 11:12:16AM -0400, adrhc wrote:

Hi there,

> the browser request (https on 443) is received by sshttp which sends it to
> stunnel:1443 which proxies it to nginx:1080.
> When nginx receives the request it has $scheme = "http"; so, for any rewrite
> with "permanent" or "redirect" the Location header uses "http" while I
> really need "https" scheme.
> Is there any way for forcing nginx to change $scheme according to my will? 
> or at least to generate the Location header with no scheme or with my
> desired scheme?

I think that stock nginx does not have a way to do this.

For any "rewrite" that you create, you can explicitly include "https://"
at the start -- but that will not help internally-generated things like
the trailing-slash redirect for directories.

If you want those, and your nginx is not doing its own ssl, I think you
would need a code change to get https: in the Location headers.

Not tested, but I suspect that removing four lines from
src/http/ngx_http_header_filter_module.c so that "*b->last++ ='s';" is
always called, might be enough for your newly-compiled nginx to always
redirect to https.

A proper fix would presumably involve a more general config option so
that it is selectable.


Francis Daly        francis at
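
The explicit-scheme workaround described in the message above, written out as an nginx configuration fragment, together with one way to issue the directory redirect explicitly. This is an added example, not part of the original post: the server name, root and paths are constructed, and the directory check assumes a single `root` set at server level.

```nginx
# Added example; hostname and paths are constructed.
server {
    # Plain-HTTP listener behind the TLS terminator, so $scheme is "http" here.
    listen 1080 proxy_protocol;
    server_name www.example.com;   # constructed
    root /var/www/html;            # constructed

    # Weak: with a relative replacement and "permanent", nginx builds the
    # absolute Location from $scheme, giving http://www.example.com/new/...
    # and sending the browser over a plaintext hop.
    # rewrite ^/old/(.*)$ /new/$1 permanent;

    # Corrected: the replacement starts with "https://", so it is used as-is.
    rewrite ^/old/(.*)$ https://$host/new/$1 permanent;

    # Trailing-slash redirect for directories: issue it explicitly with the
    # https scheme before nginx generates its own http:// redirect.
    # The request arguments are appended to the replacement automatically.
    if (-d $request_filename) {
        rewrite [^/]$ https://$host$uri/ permanent;
    }
}
```

nginx 1.11.8 and later also provide `absolute_redirect off;`, which makes nginx send relative redirects so the browser keeps the scheme it connected with.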