I’m running my Discourse installation behind an nginx proxy (in addition to the one in the container) that handles HTTPS and routes requests to either Discourse or Apache. I’m also an SSO user, and have enabled login required as well as
This is working fine: Discourse always uses https links, http requests are caught by nginx and redirected to HTTPS, and not-logged-in users are sent to the SSO provider.
But I have noticed an HTTP request in the round-trip: If a not-logged-in user visits the Discourse instance using HTTPS, Discourse initiates the login process by redirecting to https://discourse/session/sso. This is understandable since Discourse never sees HTTPS anywhere, but I think this is a bug: If use https is enabled, Discourse should never send clients to any HTTP URL (except for external links).
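One way to check a recorded login round-trip for the kind of same-site HTTPS-to-HTTP hop described above. This is an added example, not part of the original post and not Discourse code; the function name `find_downgrades`, the hostnames, and the sample redirect chain are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def find_downgrades(hops):
    """Scan an ordered redirect chain for same-host https -> http hops.

    hops: list of (request_url, status_code, location_header_or_None),
    e.g. transcribed from `curl -sIL` output or a proxy log.
    Redirects to a different host are ignored, matching the post's
    exception for external links.
    """
    findings = []
    for i, (url, status, location) in enumerate(hops):
        if status not in REDIRECT_CODES or not location:
            continue
        target = urljoin(url, location)  # Location may be relative
        src, dst = urlsplit(url), urlsplit(target)
        if (src.scheme, dst.scheme) != ("https", "http"):
            continue
        if src.hostname != dst.hostname:
            continue
        # Note whether the very next hop redirects back to HTTPS. Even if it
        # does, the plaintext request has already been sent by the client.
        nxt = hops[i + 1] if i + 1 < len(hops) else None
        re_upgraded = bool(
            nxt and nxt[2]
            and urlsplit(urljoin(nxt[0], nxt[2])).scheme == "https"
        )
        findings.append(
            {"hop": i, "from": url, "to": target, "re_upgraded": re_upgraded}
        )
    return findings

# Constructed sample chain (hostnames and query values are placeholders).
SAMPLE_CHAIN = [
    ("https://discourse.example/", 302,
     "http://discourse.example/session/sso"),
    ("http://discourse.example/session/sso", 301,
     "https://discourse.example/session/sso"),
    ("https://discourse.example/session/sso", 302,
     "https://sso.example/login?sso=PAYLOAD&sig=SIG"),
    ("https://sso.example/login?sso=PAYLOAD&sig=SIG", 200, None),
]

if __name__ == "__main__":
    for finding in find_downgrades(SAMPLE_CHAIN):
        print(finding)
```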