Centralize x-forwarded-proto handling; fixes #542

src/web/jade.js

@@ -29,14 +29,7 @@ function merge(locals, res) {
 
 function getBaseUrl(res) {
     var req = res.req;
-    var proto;
+    return req.realProtocol + "://" + req.header("host");
-    if (["http", "https"].indexOf(req.header("x-forwarded-proto")) >= 0) {
-        proto = req.header("x-forwarded-proto");
-    } else {
-        proto = req.protocol;
-    }
-
-    return proto + "://" + req.header("host");
 }
 
 /**

src/web/middleware/x-forwarded-for.js

@@ -22,9 +22,19 @@ export default function initialize(app, webConfig) {
         return req.ip;
     }
 
+    function getForwardedProto(req) {
+        const xForwardedProto = req.header('x-forwarded-proto');
+        if (xForwardedProto && xForwardedProto.match(/^https?$/)) {
+            return xForwardedProto;
+        } else {
+            return req.protocol;
+        }
+    }
+
     app.use((req, res, next) => {
         if (isTrustedProxy(req.ip)) {
             req.realIP = getForwardedIP(req);
+            req.realProtocol = getForwardedProto(req);
         }
 
         next();

src/web/webserver.js

@@ -31,7 +31,8 @@ function initializeLog(app) {
  * Redirects a request to HTTPS if the server supports it
  */
 function redirectHttps(req, res) {
-    if (!req.secure && Config.get('https.enabled') && Config.get('https.redirect')) {
+    if (req.realProtocol !== 'https' && Config.get('https.enabled') &&
+            Config.get('https.redirect')) {
         var ssldomain = Config.get('https.full-address');
         if (ssldomain.indexOf(req.hostname) < 0) {
             return false;