From f5b78ffff0dd652cf147121795ce6019fd7b7ce5 Mon Sep 17 00:00:00 2001
From: kaiyou
Date: Mon, 4 Dec 2017 21:16:08 +0100
Subject: [PATCH] Properly use x-forwarded-proto with redirects in the webui, related to #347
(cherry picked from commit a4f46ced4902c985141dfd6e6f9306f86231b2a7)
---
 core/admin/mailu/__init__.py | 5 ++++-
 core/nginx/conf/nginx.conf | 5 +++--
 core/nginx/conf/proxy.conf | 5 +++++
 core/nginx/config.py | 1 +
 4 files changed, 13 insertions(+), 3 deletions(-)
 create mode 100644 core/nginx/conf/proxy.conf
diff --git a/core/admin/mailu/__init__.py b/core/admin/mailu/__init__.py
index c573332..2e1b695 100644
--- a/core/admin/mailu/__init__.py
+++ b/core/admin/mailu/__init__.py
@@ -12,6 +12,8 @@ import docker
 import socket
 import uuid
+from werkzeug.contrib import fixers
+
 # Create application
 app = flask.Flask(__name__)
@@ -110,9 +112,10 @@ class PrefixMiddleware(object):
 self.app = app
 def __call__(self, environ, start_response):
+ print(environ)
 prefix = environ.get('HTTP_X_FORWARDED_PREFIX', '')
 if prefix: environ['SCRIPT_NAME'] = prefix
 return self.app(environ, start_response)
-app.wsgi_app = PrefixMiddleware(app.wsgi_app)
+app.wsgi_app = PrefixMiddleware(fixers.ProxyFix(app.wsgi_app))
diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 96a0458..2d4be91 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -71,7 +71,7 @@ http {
 location {{ WEB_WEBMAIL }} {
 rewrite ^({{ WEB_WEBMAIL }})$ $1/ permanent;
 rewrite ^{{ WEB_WEBMAIL }}/(.*) /$1 break;
- proxy_set_header Host $host;
+ include /etc/nginx/proxy.conf;
 proxy_pass http://$webmail;
 }
 {% endif %}
@@ -83,8 +83,8 @@ http {
 location ~ {{ WEB_ADMIN }}/(ui|static) {
 rewrite ^{{ WEB_ADMIN }}/(.*) /$1 break;
+ include /etc/nginx/proxy.conf;
 proxy_set_header X-Forwarded-Prefix {{ WEB_ADMIN }};
- proxy_set_header Host $host;
 proxy_pass http://$admin;
 }
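Review bot: The added `print(environ)` in `PrefixMiddleware.__call__` dumps the full WSGI environ to stdout on every request, and that dict carries `HTTP_COOKIE` (the session cookie) and any `HTTP_AUTHORIZATION` value, so credentials end up in the container log. It reads like leftover debugging and should be removed before merge; if tracing is wanted, log only the keys under test, e.g. `app.logger.debug("proto=%s prefix=%s", environ.get("HTTP_X_FORWARDED_PROTO"), environ.get("HTTP_X_FORWARDED_PREFIX"))`. On the last line, `fixers.ProxyFix` makes the app take scheme and client address from `X-Forwarded-*` headers, which is only sound while the admin service is reachable solely through the nginx front; a comment such as `# ProxyFix trusts X-Forwarded-*: admin must only be reachable via the front proxy` would record that. The class body starts outside this hunk.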
@@ -102,6 +102,7 @@ http {
 rewrite ^/webdav/(.*) /$1 break;
 auth_request /internal/auth/basic;
 auth_request_set $user $upstream_http_x_user;
+ include /etc/nginx/proxy.conf;
 proxy_set_header X-Remote-User $user;
 proxy_set_header X-Script-Name /webdav;
 proxy_pass http://$webdav;
diff --git a/core/nginx/conf/proxy.conf b/core/nginx/conf/proxy.conf
new file mode 100644
index 0000000..c5308a4
--- /dev/null
+++ b/core/nginx/conf/proxy.conf
@@ -0,0 +1,5 @@
+# Default proxy setup
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
diff --git a/core/nginx/config.py b/core/nginx/config.py
index 7650aa7..55fd2f9 100755
--- a/core/nginx/config.py
+++ b/core/nginx/config.py
@@ -29,5 +29,6 @@ if args["TLS"] and not all(os.path.exists(file_path) for file_path in args["TLS"
 # Build final configuration paths
 convert("/conf/tls.conf", "/etc/nginx/tls.conf", args)
+convert("/conf/proxy.conf", "/etc/nginx/proxy.conf", args)
 convert("/conf/nginx.conf", "/etc/nginx/nginx.conf", args)
 os.system("nginx -s reload")
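Review bot: The new `proxy.conf` overwrites `Host`, `X-Real-IP`, `X-Forwarded-For` and `X-Forwarded-Proto` but not `X-Forwarded-Host`, and nginx passes request headers it is not told to set through to the upstream unchanged. The `ProxyFix` wrapper this commit adds in `core/admin/mailu/__init__.py` appears, in the `werkzeug.contrib` releases, to copy that header into `HTTP_HOST`, so a client-chosen host could end up in redirects and absolute URLs built by the admin UI; confirm this against the pinned Werkzeug version. Adding `proxy_set_header X-Forwarded-Host $host;` to this file pins the value. Note also that `$proxy_add_x_forwarded_for` appends to whatever the client sent, so only the last entry of `X-Forwarded-For` is trustworthy downstream; a one-line comment saying so next to that directive would help.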