Login fails to redirect when running behind https proxy
Describe the bug
I have Inception running behind Apache over https.
When I try to log in, the redirect fails, because it uses http instead of https.
To Reproduce
- Run inception behind an Apache server over a https connection
- Try to log in, nothing happens
- Open the inspector of the browser, look at headers:
  - Request URL: https://.../login.html?-1.-body-localLoginPanel
  - Status Code: 302 Found
  - Referrer Policy: strict-origin-when-cross-origin
  - Response header: Location: http://.../?continu
Please complete the following information:
- Version and build ID: INCEpTION -- 35.4 (2025-03-04 11:15:35, build f7e74899)
- OS: Linux
- Browser: Brave
Additional context
Apache config:
ProxyPreserveHost On
<Location "/">
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
RequestHeader set "X-Forwarded-SSL" expr=%{HTTPS}
</Location>
ProxyPass / http://example.com/
ProxyPassReverse / http://example.com/
Apache version 2.4.41
With the proxy at server proxy.example.com, this seems to work in Apache config:
ProxyPassReverse https://proxy.example.com/ http://example.com/
It is necessary to tell INCEpTION what the public URL is.
# Port INCEpTION is listening on
server.port=8080
# If your reverse proxy is running on the same host as {product-name},
# you can use the next line to prevent direct access to INCEpTION from other hosts
server.address=127.0.0.1
# In our examples, we run {product-name} at `your.public.domain.name.com/inception`
# If you want to Run {product-name} directly under the host name without an
# additional path, remove this line
server.servlet.context-path=/inception
# Tell {product-name} which URL your users will enter into their browsers to access it.
# Make sure you have an entry with and an entry without the protocol.
# If you also allow unencrypted http (not recommended) then also add a line with
# the http protocol
wicket.core.csrf.accepted-origins[0]=your.public.domain.name.com
wicket.core.csrf.accepted-origins[1]=https://your.public.domain.name.com
Cf. https://inception-project.github.io/releases/35.4/docs/admin-guide.html#sect_reverse_proxy
It is necessary to tell INCEpTION what the public URL is.
I already did this.
What is your current state anyway? You write that this works:
ProxyPassReverse https://proxy.example.com/ http://example.com/
So is there still a problem at all?
My site is working now, but the docs say you should do this:
ProxyPassReverse / http://example.com/
And that is not working.
Ok, I understand. You suggest we should update the documentation.
I checked on one of my systems where I see this:
ProxyPass /inception-stable http://localhost:18080/inception-stable retry=0
ProxyPassReverse /inception-stable https://public-host.com/inception-stable
So I didn't put the full host name on the first argument of the ProxyPass/ProxyPassReverse, only on the second.
And I used https on the ProxyPassReverse but not on the ProxyPass.
It seems odd to me to put a full URL as the first argument to the ProxyPassReverse.
Could you maybe check if this works for you?
ProxyPassReverse / https://example.com/
I checked. It works without full url on the first argument of ProxyPassReverse. Now I have something like this:
ProxyPass /inception http://internal.example.org:8080/inception
ProxyPassReverse /inception http://internal.example.org:8080/inception
ProxyPassReverse /inception http://example.org/inception
The public address for Inception is https://example.org/inception
So external access is through https, but internally access is through http, to another machine on the local network.
In the example, the first two lines are according to the documentation. I needed to add the third line to handle the Location header that starts with a full http address.
I don't see how you would access Inception directly through https, anyway.
By the way, as an administrator on the web interface, under System Status, I get two errors:
- Reverse proxy does not seem to be trusted. Add server.tomcat.internal-proxies to your settings.properties file and ensure it matches the IP address of your proxy server. Prepend dots in the address with double slashes, e.g. aaa\.bbb\.ccc\.ddd.
- Server-generated URLs use a different protocol than the browser
I believe you should only need
ProxyPass /inception http://internal.example.org:8080/inception
ProxyPassReverse /inception https://example.org/inception
Reverse proxy does not seem to be trusted. Add server.tomcat.internal-proxies to your settings.properties file and ensure it matches the IP address of your proxy server. Prepend dots in the address with double slashes, e.g. aaa\.bbb\.ccc\.ddd.
This can happen if the IP address of your reverse proxy that is reported to INCEpTION is not on a private network (e.g. 10.x.x.x or 192.168.x.x). If your internal network does not use private IP addresses, you need to configure INCEpTION to trust your internal network (or at least the reverse proxy).
Server-generated URLs use a different protocol than the browser
That happens if INCEpTION thinks it generates e.g. http addresses while being accessed through https. It typically happens if the reverse proxy does not properly set x-forwarded-scheme or x-forwarded-proto.
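
Added example, not part of the issue thread and not INCEpTION or Apache code: a simplified Python model of how `ProxyPassReverse` prefix-matches the backend's `Location` header, showing why the two-line configuration above left the `http://` redirect untouched while the three-line one rewrote it. The function names and the redirect URL are constructed for illustration; the model assumes the backend emits redirects with the public host name but the `http` scheme, as reported in the thread.

```python
from urllib.parse import urlsplit

def proxy_pass_reverse(location, rules, public_scheme, public_host):
    """Simplified model of mod_proxy's Location rewriting (a sketch, not Apache
    code). rules: (first_arg, second_arg) pairs in configuration order."""
    for fake, real in rules:
        # The header is rewritten only if it starts with the rule's second argument.
        if location.lower().startswith(real.lower()):
            rewritten = fake + location[len(real):]
            if "://" in fake:  # first argument was already a full URL
                return rewritten
            # A path-only first argument is completed with the scheme and host
            # the client used to reach the proxy.
            return f"{public_scheme}://{public_host}{rewritten}"
    return location  # no rule matched: header passes through unchanged

def scheme_downgraded(request_url, location):
    """True when an https request is answered with an http redirect target."""
    return (urlsplit(request_url).scheme == "https"
            and urlsplit(location).scheme == "http")

# Constructed sample values modelled on the host names used in the thread.
REQUEST_URL = "https://example.org/inception/login.html"
BACKEND_LOCATION = "http://example.org/inception/"

# ProxyPassReverse /inception http://internal.example.org:8080/inception
BACKEND_ONLY_RULES = [("/inception", "http://internal.example.org:8080/inception")]
# ... plus: ProxyPassReverse /inception http://example.org/inception
THREAD_RULES = BACKEND_ONLY_RULES + [("/inception", "http://example.org/inception")]

def check(rules):
    """Return the Location the browser would see and whether it downgrades."""
    seen = proxy_pass_reverse(BACKEND_LOCATION, rules, "https", "example.org")
    return seen, scheme_downgraded(REQUEST_URL, seen)

if __name__ == "__main__":
    for name, rules in (("backend rule only", BACKEND_ONLY_RULES),
                        ("with public-host rule", THREAD_RULES)):
        print(name, *check(rules))
```

The same `scheme_downgraded` check can be applied to the `Location` value copied from the browser inspector to confirm whether a given proxy configuration still leaks `http://` redirects.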