Skip to content

Add HTTP to HTTPS redirect in nginx gateway #24

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
maor-rozenfeld merged 1 commit into from
Feb 20, 2026
Merged

Add HTTP to HTTPS redirect in nginx gateway #24

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions chart/templates/configmap-nginx.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,13 @@ data:
client_body_buffer_size 128k;
client_header_buffer_size 1k;
large_client_header_buffers 4 16k;

{{- if include "openops.isHttps" . }}
# Redirect HTTP to HTTPS when behind a TLS-terminating load balancer
if ($http_x_forwarded_proto = "http") {
return 301 https://$host$request_uri;
Copy link

Copilot AI Feb 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

return 301 may cause some clients/browsers to change non-GET/HEAD requests into a GET when following the redirect (dropping the request body). For an HTTP→HTTPS upgrade redirect this can break POST/PUT API calls; consider using a 308 (or 307) redirect to preserve method and body semantics.

Suggested change
return 301 https://$host$request_uri;
return 308 https://$host$request_uri;

Copilot uses AI. Check for mistakes.
Copy link

Copilot AI Feb 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The redirect target uses $host, which is derived from the client-supplied Host header and also strips any port. This can lead to (a) redirects to an attacker-controlled host if Host is spoofed, and (b) broken redirects when global.publicUrl uses a non-443 HTTPS port. Prefer redirecting to the configured canonical host/port derived from global.publicUrl (or a trusted variable like $server_name if it matches the external hostname) rather than $host.

Suggested change
return 301 https://$host$request_uri;
return 301 https://$server_name$request_uri;

Copilot uses AI. Check for mistakes.
}
{{- end }}

# Security headers
{{- if .Values.nginx.securityHeaders.enabled }}
Expand Down