
force ssl with cloudflared not working

Open realies opened this issue 2 years ago • 9 comments

the toggle is enabled, and the inclusion of the force-ssl.conf file is part of the proxy config; however, curl -v http://some.example.com returns without a redirect to https

if relevant, npm is exposed via cloudflared with config like:

tunnel: ***
credentials-file: ***

ingress:
  - service: https://nginx-proxy-manager
    originRequest:
      originServerName: proxy.example.com

realies avatar Dec 03 '23 09:12 realies

+1

Relax-87 avatar Dec 10 '23 16:12 Relax-87

It looks like somewhere along the line the HSTS and SSL parts are not added to the config. All the hosts I added over the last 2 weeks are missing those parts. Here is a diff from old to new config.

34,35d33
<   # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
<   add_header Strict-Transport-Security "max-age=63072000; preload" always;
41,42d38
<     # Force SSL
<     include conf.d/include/force-ssl.conf;
< proxy_ssl_verify off;
< proxy_read_timeout 300;
< proxy_connect_timeout 300;
< proxy_send_timeout 300;
> proxy_ssl_verify off;
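Review bot: in the `41,42d38` hunk the new config no longer has `include conf.d/include/force-ssl.conf;`, so no HTTP-to-HTTPS redirect rule is loaded for these hosts, whatever that file contains; the include should be restored in the generated config. The hunk header declares two deleted lines but six `<` lines and one `>` line follow, so two hunks appear to have run together here, and re-running the diff would show whether the three timeout lines were also dropped. `proxy_ssl_verify off;` is present on both sides, which means the upstream certificate is not verified in either config.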
66,70d54
<   # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
<   add_header Strict-Transport-Security "max-age=63072000; preload" always;


23atomist avatar Dec 10 '23 18:12 23atomist

It turns out cloudflared handles http connections and it routes them over https to the local service as per the config line:

  - service: https://nginx-proxy-manager

Managed to fix this by changing /etc/nginx/conf.d/include/force-ssl.conf from

if ($scheme = "http") {

to

if ($http_x_forwarded_proto = "http") {

realies avatar Feb 27 '24 22:02 realies

I'll take a look at the issue of force SSL not working in a vanilla way.

Running this project behind a proxy isn't really its intended purpose, however http_x_forwarded_proto is an industry standard header that can be supported.

jc21 avatar May 20 '24 04:05 jc21

This can be solved by creating a file named force-ssl.conf in the same directory as the docker-compose.yaml with:

set $test "";
if ($scheme = "http") {
	set $test "H";
}
if ($http_x_forwarded_proto = "https") {
	set $test "";
}
if ($request_uri = /.well-known/acme-challenge/test-challenge) {
	set $test "${test}T";
}
if ($test = H) {
	return 301 https://$host$request_uri;
}

And add a volume in the docker-compose.yaml as:

volumes:
  # other volumes here
  - ./force-ssl.conf:/etc/nginx/conf.d/include/force-ssl.conf

paucapo avatar Jun 22 '24 12:06 paucapo

This doesn't work when you have Cloudflare Tunnel (cloudflared) connecting to an https nginx endpoint and they requested HTTP.

The working code changes this:

if ($http_x_forwarded_proto = "https") {
	set $test "";
}

to this:

if ($http_x_forwarded_proto = "http") {
	set $test "H";
}

It then works as expected.

cbenard avatar Aug 15 '24 04:08 cbenard
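Added example, not part of the thread or of the nginx-proxy-manager project: a Python model of the four `force-ssl.conf` conditions posted above, classifying each one per deployment path as redirecting correctly, never redirecting, or looping. The path table is an assumption: the tunnel path follows the posts (cloudflared connects to the origin over https and `X-Forwarded-Proto` carries the client's scheme), and `proxy_to_http_origin` is a hypothetical TLS-terminating proxy that forwards over plain HTTP.

```python
# Added example: models the redirect conditions posted in this thread.
ACME = "/.well-known/acme-challenge/test-challenge"

def original(scheme, xfp, uri):   # if ($scheme = "http")
    return scheme == "http"

def realies(scheme, xfp, uri):    # if ($http_x_forwarded_proto = "http")
    return xfp == "http"

def _flagged(scheme, xfp, uri, cbenard_edit):
    # Mirrors the $test string logic: only the exact value "H" redirects.
    test = "H" if scheme == "http" else ""
    if cbenard_edit:
        if xfp == "http":         # cbenard's replacement block
            test = "H"
    elif xfp == "https":          # paucapo's original block
        test = ""
    if uri == ACME:
        test += "T"               # "HT" or "T" never equals "H"
    return test == "H"

def paucapo(scheme, xfp, uri):
    return _flagged(scheme, xfp, uri, False)

def cbenard(scheme, xfp, uri):
    return _flagged(scheme, xfp, uri, True)

# Assumed mapping: client scheme -> ($scheme, X-Forwarded-Proto) seen by nginx.
PATHS = {
    "direct": lambda client: (client, None),
    "tunnel_to_https_origin": lambda client: ("https", client),
    "proxy_to_http_origin": lambda client: ("http", client),  # hypothetical
}

def classify(variant, path, uri="/"):
    seen = PATHS[path]
    if variant(*seen("https"), uri):
        return "loop"             # the https request is redirected again
    if not variant(*seen("http"), uri):
        return "no-redirect"      # plain-HTTP request is served as-is
    return "ok"

def matrix():
    return {v.__name__: {p: classify(v, p) for p in PATHS}
            for v in (original, realies, paucapo, cbenard)}

if __name__ == "__main__":
    for name, row in matrix().items():
        print(f"{name:9}", row)
```

In this model no single posted condition is "ok" on all three paths, so the condition has to match how traffic actually reaches nginx.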

I have the same problem, but if I use:

tunnel: ***
credentials-file: ***

ingress:
  - service: https://nginx-proxy-manager
    originRequest:
      originServerName: proxy.example.com

cloudflared is not working, with the error:

Rule #1 is matching the hostname '', but this will match every hostname, meaning the rules which follow it will never be triggered.

and the force-ssl.conf causes ERR_TOO_MANY_REDIRECTS

antwal avatar Jan 31 '25 10:01 antwal

Issue is now considered stale. If you want to keep it open, please comment :+1:

github-actions[bot] avatar Aug 07 '25 02:08 github-actions[bot]

Have the same problem with my Cloudflare domain and the latest nginx proxy manager. Still no stable solution provided?

foxm2k avatar Nov 07 '25 19:11 foxm2k