starred/SignTools
1
0
Fork 0
mirror of https://github.com/SignTools/SignTools.git synced 2026-04-27 02:45:56 +03:00
Code Issues 20 Projects Releases 5 Packages Wiki Activity

[GH-ISSUE #335] OTA Install not working: Manifest Proxy in use despite reverse HTTPS proxy #92

New issue
Closed
opened 2026-03-04 00:23:49 +03:00 by kerem · 3 comments
kerem commented 2026-03-04 00:23:49 +03:00
Owner
Copy link

Originally created by @dwahdany on GitHub (Jun 20, 2023).
Original GitHub issue: https://github.com/SignTools/SignTools/issues/335

I tried basic troubleshooting first

Describe the bug
OTA installation fails with a Provision Profile and NGINX Reverse Proxy using HTTPs. The Webserver still shows the HTTP base-url despite actually being reachable over HTTPs and the config entry server_url: https://{DOMAIN}

{DOMAIN} -HTTPS> Cloudflared (Docker) -HTTPS> Nginx (Docker) -HTTP?> SignTools (Docker)

To reproduce

Steps to reproduce the behavior:

  1. Use a Cloudflare Tunnel deployed in a custom docker network
  2. Run Nginx in a separate container
  3. Deploy a letsencrypt certificate to the nginx host {DOMAIN}
  4. Setup SignTools to use https://{DOMAIN} and forward the nginx reverse proxy to http://signtools:8080 with the correct proxy settings (i.e. keeping scheme)
  5. Site is reachable via HTTPS. Signing works. OTA fails.

Expected behavior

OTA installation should succeed over the HTTPS reverse proxy.

Logs

WRN using OTA manifest proxy, installation may not work base_url=http://{DOMAIN}

System configuration

  • SignTools version: 2.6.2
  • Installation type: Cloudflared (Docker) -> Nginx (Docker) -> SignTools (Docker)
  • Builder type: SignTools-CI
  • Builder version: 5148bc4

Question
How do we make SignTools aware that it's begin accessed via https? Or is something truly misconfigured?

Originally created by @dwahdany on GitHub (Jun 20, 2023). Original GitHub issue: https://github.com/SignTools/SignTools/issues/335 **I tried basic troubleshooting first** - [x] Updated **both** [SignTools](https://github.com/SignTools/SignTools) **and** the builder ([SignTools-CI](https://github.com/SignTools/SignTools-CI) or [SignTools-Builder](https://github.com/SignTools/SignTools-Builder)) to the latest version - [x] Read through the [FAQ page](https://github.com/SignTools/SignTools/blob/master/FAQ.md) **Describe the bug** OTA installation fails with a Provision Profile and NGINX Reverse Proxy using HTTPs. The Webserver still shows the HTTP base-url despite actually being reachable over HTTPs and the config entry `server_url: https://{DOMAIN}` {DOMAIN} -HTTPS> Cloudflared (Docker) -HTTPS> Nginx (Docker) -HTTP?> SignTools (Docker) **To reproduce** Steps to reproduce the behavior: 1. Use a Cloudflare Tunnel deployed in a custom docker network 2. Run Nginx in a separate container 3. Deploy a letsencrypt certificate to the nginx host {DOMAIN} 4. Setup SignTools to use `https://{DOMAIN}` and forward the nginx reverse proxy to `http://signtools:8080` with the correct proxy settings (i.e. keeping scheme) 5. Site is reachable via HTTPS. Signing works. OTA fails. **Expected behavior** OTA installation should succeed over the HTTPS reverse proxy. **Logs** `WRN using OTA manifest proxy, installation may not work base_url=http://{DOMAIN}` **System configuration** - SignTools version: [2.6.2](https://hub.docker.com/layers/signtools/signtools/2.6.2/images/sha256-7b73160424e38cac4fac71e1b519cfb4b1678f59535bc832f860796de65e3a9a?context=explore) - Installation type: Cloudflared (Docker) -> Nginx (Docker) -> SignTools (Docker) - Builder type: SignTools-CI - Builder version: [5148bc4](https://github.com/SignTools/SignTools-CI/commit/5148bc4296c4ba583b0444945d621efd150f11c9) **Question** How do we make SignTools aware that it's begin accessed via https? Or is something truly misconfigured?
kerem 2026-03-04 00:23:49 +03:00
  • closed this issue
  • added the
    bug
         label
kerem commented 2026-03-04 00:23:50 +03:00
Author
Owner
Copy link

@ViRb3 commented on GitHub (Jun 20, 2023):

Yes, this is because nginx reverse proxies the request over HTTP and completely hides the fact that HTTPS was used by the client. To fix, make sure you add the special "hint" headers as specified in the guide: https://github.com/SignTools/SignTools/blob/master/INSTALL-ADVANCED.md#4a-reverse-proxy

<!-- gh-comment-id:1598638538 --> @ViRb3 commented on GitHub (Jun 20, 2023): Yes, this is because nginx reverse proxies the request over HTTP and completely hides the fact that HTTPS was used by the client. To fix, make sure you add the special "hint" headers as specified in the guide: https://github.com/SignTools/SignTools/blob/master/INSTALL-ADVANCED.md#4a-reverse-proxy
kerem commented 2026-03-04 00:23:50 +03:00
Author
Owner
Copy link

@dwahdany commented on GitHub (Jun 20, 2023):

Thanks for the response. I had added them but there was no way for nginx to realise it was an https request, because cloudflared was actually using the HTTP scheme to connect to nginx. Hope this helps anyone encountering the same issue.

<!-- gh-comment-id:1598654646 --> @dwahdany commented on GitHub (Jun 20, 2023): Thanks for the response. I had added them but there was no way for nginx to realise it was an https request, because cloudflared was actually using the HTTP scheme to connect to nginx. Hope this helps anyone encountering the same issue.
kerem commented 2026-03-04 00:23:50 +03:00
Author
Owner
Copy link

@ViRb3 commented on GitHub (Jun 20, 2023):

Ah I see. You should be able to force the scheme signaling then, like:

proxy_set_header X-Forwarded-Proto https;

<!-- gh-comment-id:1598659003 --> @ViRb3 commented on GitHub (Jun 20, 2023): Ah I see. You should be able to force the scheme signaling then, like: proxy_set_header X-Forwarded-Proto https;
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
dependabot/npm_and_yarn/prettier-3.8.2
dependabot/docker/golang-1.26.2-alpine
dependabot/github_actions/docker/build-push-action-7.1.0
dependabot/go_modules/golang.org/x/crypto-0.50.0
dependabot/github_actions/docker/login-action-4.1.0
dependabot/github_actions/actions/setup-go-6.4.0
dependabot/go_modules/github.com/rs/zerolog-1.35.0
dependabot/go_modules/golang.org/x/oauth2-0.36.0
dependabot/github_actions/docker/metadata-action-6.0.0
dependabot/github_actions/docker/setup-buildx-action-4.0.0
dependabot/github_actions/docker/setup-qemu-action-4.0.0
dependabot/go_modules/github.com/labstack/echo/v4-4.15.1
dependabot/github_actions/goreleaser/goreleaser-action-7.0.0
dependabot/docker/alpine-3.23.3
dependabot/github_actions/actions/checkout-6.0.2
develop
v3.0.11
v3.0.10
v3.0.9
v3.0.8
v3.0.7
v3.0.6
v3.0.5
v3.0.4
v3.0.3
v3.0.2
v3.0.1
v3.0.0
v2.6.2
v2.6.1
v2.6.0
v2.5.21
v2.5.20
v2.5.19
v2.5.18
v2.5.17
v2.5.16
v2.5.15
v2.5.14
v2.5.13
v2.5.12
v2.5.11
v2.5.10
v2.5.9
v2.5.8
v2.5.7
v2.5.6
v2.5.5
v2.5.4
v2.5.3
v2.5.2
v2.5.1
v2.5.0
v2.4.18
v2.4.17
v2.4.16
v2.4.15
v2.4.14
v2.4.13
v2.4.12
v2.4.11
v2.4.10
v2.4.9
v2.4.8
v2.4.7
v2.4.6
v2.4.5
v2.4.4
v2.4.3
v2.4.2
v2.4.1
v2.4.0
v2.3.15
v2.3.14
v2.3.13
v2.3.12
v2.3.11
v2.3.10
v2.3.9
v2.3.8
v2.3.7
v2.3.6
v2.3.5
v2.3.4
v2.3.3
v2.3.2
v2.3.1
v2.3.0
v2.2.6
v2.2.5
v2.2.4
v2.2.3
v2.2.2
v2.2.1
v2.2.0
v2.1.8
v2.1.7
v2.1.6
v2.1.5
v2.1.4
v2.1.3
v2.1.2
v2.1.1
v2.1.0
v2.0.1
v2.0.0
v1.9.3
v1.9.2
v1.9.1
v1.9.0
v1.8.5
v1.8.4
v1.8.3
v1.8.2
v1.8.1
v1.8.0
v1.7.3
v1.7.2
v1.7.1
v1.7.0
v1.6.0
v1.5.4
v1.5.3
v1.5.2
v1.5.1
v1.5.0
v1.4.5
v1.4.4
v1.4.3
v1.4.2
v1.4.1
v1.4.0
v1.3.3
v1.3.2
v1.3.1
v1.3.0
v1.2.0
v1.1.0
v1.0.1
v1.0.0
Labels
Clear labels   
bug

   
enhancement

   
enhancement

   
good first issue

   
help wanted

   
pull-request

Mirrored from GitHub Pull Request

  
question
No labels
bug
enhancement
enhancement
good first issue
help wanted
pull-request
question
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/SignTools#92
No description provided.