What’s the de facto standard for a Reverse Proxy to tell the backend SSL is used?

The proxy can add extra (or overwrite) headers to requests it receives and passes through to the back-end. These can be used to communicate information to the back-end.

So far I’ve seen a couple used for forcing the use of https in URL scheme:

X-Forwarded-Protocol: https
X-Forwarded-Ssl: on
X-Url-Scheme: https

And wikipedia also mentions:

# a de facto standard:
X-Forwarded-Proto: https
# Non-standard header used by Microsoft applications and load-balancers:
Front-End-Https: on

This what you should add to the VirtualHost on apache: other proxies should have similar functionality

RequestHeader set X-FORWARDED-PROTOCOL https
RequestHeader set X-Forwarded-Ssl on
# etc.

I think it’s best to set them all, or set one that works and remove the other known ones. To prevent evil clients messing with them.

Leave a Comment

tech