
X-Forwarded-Host presence falsely triggers no https warning

Open rokups opened this issue 4 years ago • 2 comments

I mentioned my issue at https://github.com/btcpayserver/btcpayserver-docker/issues/375#issuecomment-761810439.

As it turns out, the presence of "proxy_set_header X-Forwarded-Host $host:$server_port;" triggers the "BTCPay is expecting you to access this website from https://btcpay.*.com:443/. If you use a reverse proxy, please set the X-Forwarded-Proto header to https" warning. It really shouldn't, especially when the header contains port 443 to begin with.

Edit: Now that I think of it, this is the wrong repo to report this in. Please move it where appropriate and excuse me for posting issues too hastily 🙏🏻

rokups avatar Jan 18 '21 15:01 rokups

Hey @rokups, using port 443 does not mean it is using HTTPS.

The error says that the HTTP request has the host of the request set to http, which is insecure (outside of onion).

As the error says, if the reverse proxy is handling https, it needs to signal it to BTCPay with the X-Forwarded-Proto header.

NicolasDorier avatar Feb 17 '21 10:02 NicolasDorier

OK let me rephrase.

The following config produces the "BTCPay is expecting you to access this website from https://btcpay.*.com:443/. If you use a reverse proxy, please set the X-Forwarded-Proto header to https" warning:

proxy_set_header Host              $host;
proxy_set_header X-Real-IP         $remote_addr;
proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host  $host:$server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade           $http_upgrade;
port_in_redirect off;
proxy_pass http://127.0.0.1:8086;

The following config produces no warnings:

proxy_set_header Host              $host;
proxy_set_header X-Real-IP         $remote_addr;
proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
#proxy_set_header X-Forwarded-Host  $host:$server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade           $http_upgrade;
port_in_redirect off;
proxy_pass http://127.0.0.1:8086;

Both configs have "proxy_set_header X-Forwarded-Proto $scheme;" and $scheme is https. The only difference is that the presence of X-Forwarded-Host confuses BTCPay, and the server no longer recognizes that it is using https.

rokups avatar Feb 23 '21 08:02 rokups
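An added example, not BTCPay Server's or nginx's own code, of how an application behind a reverse proxy can reconstruct the client-facing origin from Host, X-Forwarded-Host and X-Forwarded-Proto so that, as NicolasDorier's reply describes, X-Forwarded-Proto alone decides the scheme, and a ":443" suffix in X-Forwarded-Host is treated as that scheme's default port rather than as a reason to warn. The header sets, the host name btcpay.example.com and the trust_proxy flag are constructed assumptions for the illustration, not values taken from the thread.

```python
"""Reconstruct the public origin a client used from reverse-proxy headers.

Added example, not BTCPay Server or nginx code: a minimal reading of
Host / X-Forwarded-Host / X-Forwarded-Proto in the spirit of RFC 7239, used
to show that a ":443" suffix in X-Forwarded-Host must not override the scheme
that X-Forwarded-Proto signals. All header values are constructed samples.
"""
from typing import Mapping, Optional, Tuple

DEFAULT_PORTS = {"http": 80, "https": 443}


def first_value(raw: Optional[str]) -> Optional[str]:
    """Proxies may append to a comma-separated list; the first entry is the
    client-facing hop, which is the one the application should report."""
    if not raw:
        return None
    first = raw.split(",")[0].strip().lower()
    return first or None


def split_host_port(hostport: str) -> Tuple[str, Optional[int]]:
    """Split 'host[:port]' and '[v6][:port]' into (host, port-or-None)."""
    if hostport.startswith("["):  # bracketed IPv6 literal
        end = hostport.find("]")
        host, rest = hostport[:end + 1], hostport[end + 1:]
        if rest.startswith(":") and rest[1:].isdigit():
            return host, int(rest[1:])
        return host, None
    host, sep, port = hostport.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return hostport, None


def public_origin(headers: Mapping[str, str], trust_proxy: bool = True) -> str:
    """Return 'scheme://host[:port]/' as the client saw it.

    X-Forwarded-* headers are only honoured when trust_proxy is True, i.e. the
    application knows it sits behind a proxy that sets them; a client talking
    to the app directly could otherwise forge an https origin over plain http.
    """
    scheme = "http"  # what the app sees on its own plain-http listener
    hostport = first_value(headers.get("Host")) or "localhost"
    if trust_proxy:
        fwd_proto = first_value(headers.get("X-Forwarded-Proto"))
        if fwd_proto in DEFAULT_PORTS:
            scheme = fwd_proto
        fwd_host = first_value(headers.get("X-Forwarded-Host"))
        if fwd_host:
            hostport = fwd_host
    host, port = split_host_port(hostport)
    # A port equal to the scheme's default is redundant, so ":443" with https
    # collapses to the bare host instead of influencing the scheme decision.
    if port is None or port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}/"
    return f"{scheme}://{host}:{port}/"


def needs_https_warning(headers: Mapping[str, str], trust_proxy: bool = True) -> bool:
    """True when the reconstructed origin is plain http and not a Tor .onion host."""
    origin = public_origin(headers, trust_proxy)
    if not origin.startswith("http://"):
        return False
    host, _ = split_host_port(origin[len("http://"):].rstrip("/"))
    return not host.endswith(".onion")


# Constructed headers as the two nginx configs in the thread would send them
# once $scheme is https; "btcpay.example.com" is a placeholder host.
WITH_FORWARDED_HOST = {
    "Host": "btcpay.example.com",
    "X-Forwarded-Host": "btcpay.example.com:443",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-For": "203.0.113.7",
}
WITHOUT_FORWARDED_HOST = {k: v for k, v in WITH_FORWARDED_HOST.items()
                          if k != "X-Forwarded-Host"}

if __name__ == "__main__":
    for name, hdrs in (("with X-Forwarded-Host", WITH_FORWARDED_HOST),
                       ("without X-Forwarded-Host", WITHOUT_FORWARDED_HOST)):
        print(f"{name}: {public_origin(hdrs)} warn={needs_https_warning(hdrs)}")
    # A direct, untrusted client forging the header is still reported as http.
    forged = {"Host": "btcpay.example.com", "X-Forwarded-Proto": "https"}
    print("forged, untrusted:", public_origin(forged, trust_proxy=False))
```

Both constructed header sets resolve to the same https origin, which is the behaviour rokups expected from the two nginx configs; the trust_proxy flag is there because the same forwarded headers, if accepted from an arbitrary client, would let a plain-http request claim to be https, so an application should only honour them when it is configured to sit behind a proxy.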