Redirect request based on source $scheme !!

Francis Daly francis at
Wed Nov 11 13:32:58 UTC 2015

On Wed, Nov 11, 2015 at 03:25:11PM +0500, shahzaib shahzaib wrote:

Hi there,

> Actually we've video sharing website from where people embed http/https
> links to there websites. Now the problem is, some of the HTTPS  websites
> have embedded HTTP URL links from our website instead of HTTPS due to which
> the code is unable to execute on their HTTPS website because it is making
> call from https -> http which is wrong.

Before you put too much time into building the solution, can you do a
quick test to confirm that it can work?

As in:

* on a https site, include a link to http on your server to one particular
url that you control.
* in your config, redirect that one url to something https on your site
* for that https request, return the response that you want

When you do that -- does it work?

As in: do you know that the client (browser) that you care about, will
access your http url and accept the https redirection and then make use
of the code that you return over that https link?

Because if that does not work, then it does not matter what else you do.

> So we're thinking to have some condition in place that if the request for
> HTTP embedded link comes from any HTTPS domain , nginx will detect that
> source $scheme and redirect that request to HTTPS.

You cannot reliably detect where the link came from.

If you are willing to accept unreliably detecting where the link came
from, knowing that some innocent cases and some malicious cases will be
handled wrongly, then you can just examine $http_referer.

If it starts with "https://", then probably the link was on a https site.

If it starts with "http://", then probably the link was on a http site.

If it is blank, then probably the link was on a https site and it is
accessing your http site.

Each "probably" is because the Referer header is set to whatever the
browser wants. Some browsers lie. Some browsers omit it always. Some
browsers set it to a non-default value because that's what the user
configured it to do. Other possibilities exist.

Francis Daly        francis at

More information about the nginx mailing list