Running with https behind CloudFront and LoadBalancer runs into endless loop


#1

Hi,

I want to run Ghost as a Docker container. Any request made to the blog goes through CloudFront, which is the https endpoint and does some caching. From there it forwards requests (with http only) to a reverse proxy and load balancer (traefik). This allows me to use the HOST header and run several services for different hostnames, all available on TCP port 80 and on the same machine.

The issue I ran into now is that configuring the Ghost URL with the http:// prefix causes it to generate insecure URLs of that type, and browsers start to complain about that. When I switch the config to use the https:// prefix, it ends in an endless loop and the browser stops with “Too Many Redirects”.

Mainly, I think this is caused because Ghost tries to be smart and detects that it should run https, but the incoming request is detected as insecure and therefore its middleware logic issues a 301 redirect response, which in this scenario is unwanted and a dead end.

Other services I run with the same setup work totally fine and behave as expected.

But how can I get the whole setup to work with Ghost? I already thought about patching the redirect middleware and allowing an env variable to switch the default behavior to what it needs in my scenario. Filing a PR would be no prob for me. But: is there really no other option?

Thanks in advance for your ideas!


#2

The full production installation using ghost-cli is https -> nginx -> ghost. nginx makes requests to Ghost over HTTP (not HTTPS).

Check out how Ghost configures nginx when proxying requests:

The big thing you need to focus on is proxy_set_header X-Forwarded-Proto $scheme
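Why that header decides between a served page and the redirect loop, as an added example that is not part of the thread and is not Ghost's own middleware: a sketch of an https-enforcing redirect check that believes X-Forwarded-Proto only when the TCP peer is a known proxy. All function names, the hostname blog.example.com and the proxy address 10.0.0.5 are constructed assumptions.

```javascript
// Hypothetical sketch, not Ghost code. Constructed address of the reverse proxy.
const TRUSTED_PROXIES = new Set(['10.0.0.5']);

// Scheme the client used, as far as the application can tell.
function effectiveProto(req) {
  const fwd = req.headers['x-forwarded-proto'];
  // Believe the header only when the peer is a proxy we operate; otherwise
  // any client could claim "https" over a plaintext connection.
  if (fwd && TRUSTED_PROXIES.has(req.remoteAddress)) {
    return fwd.split(',')[0].trim().toLowerCase();
  }
  return req.encrypted ? 'https' : 'http';
}

// Returns the redirect Location, or null when the request may be served.
function redirectTarget(siteUrl, req) {
  const wanted = new URL(siteUrl).protocol.replace(':', '');
  if (wanted === 'https' && effectiveProto(req) !== 'https') {
    return `https://${req.headers.host}${req.url}`;
  }
  return null;
}

// Follow redirects the way a browser would when TLS ends at the edge and
// every hop behind it is plain HTTP. edgeHeaders is what the proxy adds.
function simulate(siteUrl, edgeHeaders, maxHops = 20) {
  let redirects = 0;
  while (redirects < maxHops) {
    const req = {
      headers: { host: 'blog.example.com', ...edgeHeaders },
      url: '/',
      remoteAddress: '10.0.0.5', // request arrives from the trusted proxy
      encrypted: false,          // backend hop is never TLS
    };
    if (redirectTarget(siteUrl, req) === null) return { served: true, redirects };
    redirects++; // browser follows the 301 and lands on the same plain hop
  }
  return { served: false, redirects }; // "Too Many Redirects"
}

console.log(simulate('https://blog.example.com', {}));
console.log(simulate('https://blog.example.com', { 'x-forwarded-proto': 'https' }));
```
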


#3

Thanks for your reply. I use the official Docker image and do not have nginx, and unfortunately I already found this info in the Ghost template and was trying to adapt that with traefik. As far as I know, the proto is not forwarded by traefik because reasons and likely never will be.

Is there nothing else? I mean, there should be something to make Ghost work in such a circumstance?