SSO login redirect ignores HTTPS

(Felix Freiberger) #1

I’m running my Discourse installation behind an nginx proxy (in addition to the one in the container) that handles HTTPS and routes requests to either Discourse or Apache. I’m also a SSO user, and have enabled login required as well as use https.

This is working fine: Discourse always uses https links, http requests are caught by nginx and redirected to HTTPS, and not-logged-in users are sent to the SSO provider.

But I have noticed an HTTP request in the round-trip: If a not-logged-in user visits the Discourse instance using HTTPS, Discourse initiates the login process by redirecting to http://discourse/session/sso, not https://discourse/session/sso. This is understandable since Discourse never sees HTTPS anywhere, but I think this is a bug: If use https is enabled, Discourse should never send clients to any HTTP URL (except for external links).

(Kane York) #2

Is X-Forwarded-Proto being passed along correctly?

(Felix Freiberger) #3

No – and that has been the issue. Thanks!

Although I still think that with require https, Discourse should enforce HTTPS before even caring about whether the client is logged in.