mirror of
https://github.com/fosrl/newt.git
synced 2026-07-11 13:40:01 -05:00
[PR #353] [MERGED] Fix X-Forwarded-Proto always set to "http" for TLS connections #7434
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/fosrl/newt/pull/353
Author: @rinseaid
Created: 5/14/2026
Status: ✅ Merged
Merged: 5/14/2026
Merged by: @oschwartz10612
Base:
main← Head:fix/x-forwarded-proto-tls📝 Commits (3)
817824bFix X-Forwarded-Proto always set to "http" for TLS connectionsb6e2d61Add workflow to build patched image to ghcr.io/rinseaid/newt:patched55ca18aDelete .github/workflows/build-patched.yml📊 Changes
1 file changed (+7 additions, -0 deletions)
View changed files
📝
netstack2/http_handler.go(+7 -0)📄 Description
Community Contribution License Agreement
By creating this pull request, I grant the project maintainers an unlimited,
perpetual license to use, modify, and redistribute these contributions under any terms they
choose, including both the AGPLv3 and the Fossorial Commercial license terms. I
represent that I have the right to grant this license for all contributed content.
Preface
This PR was developed with Claude Code (claude-opus-4-6). I identified the bug, traced the root cause through the code, and directed the fix. Claude wrote the patch. I reviewed and validated all changes.
Description
When Newt terminates TLS on incoming connections,
X-Forwarded-Protois always set tohttpin requests forwarded to downstream targets. Backend applications that rely on this header to construct callback URLs (OIDC redirect URIs, CSRF origin checks, etc.) generate incorrecthttp://URLs.HandleConnwraps*tls.ConninsidehttpConnCtx, which embedsnet.Conn. Go'shttp.Serverdetects TLS by type-asserting the accepted connection to*tls.Conn, but this assertion fails against the wrapper type.http.Request.TLSis always nil, sohttputil.ProxyRequest.SetXForwarded()always writesX-Forwarded-Proto: http.The fix reuses the
isTLSflag already stored on the request context byConnContext(the same flag used for the HTTP-to-HTTPS redirect inhandleRequest). AfterSetXForwarded(), ifisTLSis true, overrideX-Forwarded-Prototohttps.How to test?
ssl: true(HTTPS termination) proxying to an HTTP backend that echoes or logsX-Forwarded-Proto.http. After fix: header ishttps.X-Forwarded-Proto: http.https://callback URLs.🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.