fix: configure nginx to handle Cloudflare Flexible SSL mode without redirect loop

- Support X-Forwarded-Proto header from Cloudflare - HTTP server now serves traffic when X-Forwarded-Proto: https is set - Prevents redirect loop when Cloudflare uses Flexible SSL mode - Maintains HTTPS redirect for direct HTTP access
2025-11-18 07:30:25 +00:00 · 2025-11-18 07:30:25 +00:00 · c918d4721a
commit c918d4721a
parent 62d7aa4a16
1 changed files with 57 additions and 3 deletions
--- a/backend/nginx.conf
+++ b/backend/nginx.conf
@ -47,7 +47,7 @@ http {
        keepalive 32;
    }

-    # HTTP redirect to HTTPS
+    # HTTP server - handles both Let's Encrypt and Cloudflare Flexible SSL
    server {
        listen 80;
        server_name mtd.runfoo.run www.mtd.runfoo.run;
@ -57,10 +57,64 @@ http {
            root /var/www/certbot;
        }

-        # Redirect all other traffic to HTTPS
+        # For Cloudflare Flexible SSL: if X-Forwarded-Proto is https, serve the app
+        # Otherwise redirect to HTTPS (for direct HTTP access)
        location / {
+            # Check if coming from Cloudflare with HTTPS
+            set $redirect_to_https 1;
+            if ($http_x_forwarded_proto = "https") {
+                set $redirect_to_https 0;
+            }
+
+            # Redirect direct HTTP to HTTPS
+            if ($redirect_to_https = 1) {
                return 301 https://$server_name$request_uri;
            }
+
+            # Cloudflare Flexible SSL: serve through proxy
+            proxy_pass http://frontend:3000;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection 'upgrade';
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto https;
+            proxy_cache_bypass $http_upgrade;
+        }
+
+        # API endpoints for Cloudflare Flexible SSL
+        location /api/v1/ {
+            proxy_pass http://api;
+            proxy_http_version 1.1;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto https;
+            proxy_set_header Connection "";
+            proxy_redirect off;
+        }
+
+        location /docs {
+            proxy_pass http://api;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto https;
+        }
+
+        location /redoc {
+            proxy_pass http://api;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto https;
+        }
+
+        location /openapi.json {
+            proxy_pass http://api;
+            proxy_set_header Host $host;
+        }
    }

    # HTTPS API server