Running with https behind CloudFront and LoadBalancer runs into endless loop

dennis4scotty · November 5, 2018, 7:47pm

Hi,

I want to run ghost as Docker container. Any request made to the blog is going through CloudFront which is the https endpoint and does some caching. From there it forwards requests (with http only) to a reverse-proxy and load balancer (traefik). This allows me to use the HOST header and run several services for different hostnames, but all available on tcp port 80 and on the same machine.

The issue I ran into now is, that configuring ghost URL with http:// prefix causes it to generate such insecure type of URLs and Browsers start to complain about that. When I switch the config to use https:// prefix, it ends in an endless loop and the browser stops “Too Many Redirects”.

Mainly I think this is caused because ghost tries to be smart and detects that it should run https, but the incoming request is detected as insecure and therefore its middleware logic issues a 301 redirect response, which in this scenario is unwanted and a dead end.

Other services I run with the same setup work totally fine and behave as expected.

But how can I get the whole setup to work with ghost? I thought already to patch the redirect middleware and allow setting an env variable to switch the default behavior to what it needs in my scenario. Filing a PR would be no prob for me. But: is there really no other option?

Thanks in advance for your ideas!

vikaspotluri123 · November 6, 2018, 5:01am

The fully production installation using ghost-cli is https → nginx → ghost - nginx makes requests to Ghost over HTTP (not HTTPS)

Check out how Ghost configures nginx when proxying requests:

github.com

TryGhost/Ghost-CLI/blob/2111ffe14aa150eafee1898b18a195aa6562615d/extensions/nginx/templates/nginx-ssl.conf#L13-L17


      
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header Host $http_host;
          proxy_pass http://127.0.0.1:<%= port %>;

The big thing you need to focus on is proxy_set_header X-Forwarded-Proto $scheme :)

dennis4scotty · November 6, 2018, 5:45am

Thanks for your reply. I use the official Docker image and do not have the nginx, and unfortunately I already found this info in the ghost template and was trying to adopt that with traefik. As far as I know the proto is not forwarded by traefik because reasons and likely never will be.

Is there nothing else? I mean there should be something to make ghost work in such circumstance?

system · November 20, 2018, 5:45am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Self hosting: ec2 + cloudfront Developer help	1	599	September 23, 2021
Run Ghost without Nginx but with Cloudfront and HTTPS Using Ghost	0	631	April 16, 2020
Cannot setup HTTPS the correct way with CloudFlare Proxy and NginxProxyManager Self-hosting	1	578	May 16, 2023
Nginx Reverse Proxy and Cloudflare Developer help	6	3846	July 15, 2023
Unable to install Ghost on Nginx Installation	10	1046	December 9, 2020

Running with https behind CloudFront and LoadBalancer runs into endless loop

Related Topics