check X-Forwarded-Proto when constructing an URI, useful behind a reverse proxy

1 files changed, 16 insertions, 2 deletions

diff --git a/src/backend/taler-merchant-httpd_private-post-orders-ID-refund.c b/src/backend/taler-merchant-httpd_private-post-orders-ID-refund.c
index 3953fa06..8bd5b64f 100644
--- a/src/backend/taler-merchant-httpd_private-post-orders-ID-refund.c
+++ b/src/backend/taler-merchant-httpd_private-post-orders-ID-refund.c
@@ -84,6 +84,8 @@ make_taler_refund_uri (struct MHD_Connection *connection,
 {
   const char *host;
   const char *forwarded_host;
+  const char *forwarded_proto;
+  bool proxy_says_https;
   const char *uri_path;
   struct GNUNET_Buffer buf = { 0 };
 
@@ -95,6 +97,13 @@ make_taler_refund_uri (struct MHD_Connection *connection,
   forwarded_host = MHD_lookup_connection_value (connection,
                                                 MHD_HEADER_KIND,
                                                 "X-Forwarded-Host");
+  forwarded_proto = MHD_lookup_connection_value (connection,
+                                                MHD_HEADER_KIND,
+                                                "X-Forwarded-Proto");
+  proxy_says_https = ( (NULL != forwarded_proto) && 
+                       (0 == strcmp ("https",
+                                    forwarded_proto)))
+
   uri_path = MHD_lookup_connection_value (connection,
                                           MHD_HEADER_KIND,
                                           "X-Forwarded-Prefix");
@@ -107,8 +116,13 @@ make_taler_refund_uri (struct MHD_Connection *connection,
     return NULL;
   }
   GNUNET_buffer_write_str (&buf, "taler");
-  if (GNUNET_NO == TALER_mhd_is_https (connection))
-    GNUNET_buffer_write_str (&buf, "+http");
+
+  if (GNUNET_NO == TALER_mhd_is_https (connection) &&
+      ! proxy_says_https)
+  {
+    GNUNET_buffer_write_str (&buf,
+                             "+http");
+  }
   GNUNET_buffer_write_str (&buf, "://refund/");
   GNUNET_buffer_write_str (&buf, host);
   if (NULL != uri_path)