[GH-ISSUE #730] [BUG] session redirect on http, not https behind reverse proxy #465

New issue

Closed

opened 2026-02-25 20:35:49 +03:00 by kerem · 0 comments

kerem commented

2026-02-25 20:35:49 +03:00

Owner

Originally created by @spitsw on GitHub (Apr 22, 2022).
Original GitHub issue: https://github.com/benbusby/whoogle-search/issues/730

Describe the bug
When whoogle is deployed behind a https enabled reverse proxy, the session initiation redirect (307) still uses the http scheme. The Location header in the redirect still begins with http://. It is expected that https:// be the target of the redirect. HTTPS_ONLY environment variable does not have any affect the behaviour of this issue.

To Reproduce
Steps to reproduce the behavior:

Deploy whoogle using any of the supported methods in the README.md
Deploy a reverse proxy with https enabled (such as Traefik)
Execute curl -v https://whoogle.url/
See the Location header

TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 307
< content-type: text/html; charset=utf-8
< date: Fri, 22 Apr 2022 07:17:03 GMT
< location: http://whoogle.url/session/be68d74b-7eba-44ca-93fd-b5cd1e9ba627?follow=https%3A%2F%2Fwhoogle.url%2F
< server: waitress
< set-cookie: __Secure-session=f56385f2-f924-4c5f-b8f4-2558fb8684cb; Expires=Mon, 23-May-2022 07:17:04 GMT; Secure; HttpOnly; Path=/; SameSite=Strict
< x-content-type-options: nosniff
< x-frame-options: DENY
< content-length: 387
<

Deployment Method

Heroku (one-click deploy)
Docker
run executable
pip/pipx
Other: [describe setup]
fly.io

Version of Whoogle Search

Latest build from [source] (i.e. GitHub, Docker Hub, pip, etc)
Version [version number]
Not sure

Originally created by @spitsw on GitHub (Apr 22, 2022). Original GitHub issue: https://github.com/benbusby/whoogle-search/issues/730 **Describe the bug** When whoogle is deployed behind a https enabled reverse proxy, the session initiation redirect (307) still uses the http scheme. The Location header in the redirect still begins with http://. It is expected that https:// be the target of the redirect. HTTPS_ONLY environment variable does not have any affect the behaviour of this issue. **To Reproduce** Steps to reproduce the behavior: 1. Deploy whoogle using any of the supported methods in the README.md 2. Deploy a reverse proxy with https enabled (such as Traefik) 3. Execute curl -v https://whoogle.url/ 4. See the Location header > * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4): * Connection state changed (MAX_CONCURRENT_STREAMS == 250)! < HTTP/2 307 < content-type: text/html; charset=utf-8 < date: Fri, 22 Apr 2022 07:17:03 GMT < location: http://whoogle.url/session/be68d74b-7eba-44ca-93fd-b5cd1e9ba627?follow=https%3A%2F%2Fwhoogle.url%2F < server: waitress < set-cookie: __Secure-session=f56385f2-f924-4c5f-b8f4-2558fb8684cb; Expires=Mon, 23-May-2022 07:17:04 GMT; Secure; HttpOnly; Path=/; SameSite=Strict < x-content-type-options: nosniff < x-frame-options: DENY < content-length: 387 < **Deployment Method** - [ ] Heroku (one-click deploy) - [x] Docker - [ ] `run` executable - [ ] pip/pipx - [x] Other: [describe setup] fly.io **Version of Whoogle Search** - [x] Latest build from [source] (i.e. GitHub, Docker Hub, pip, etc) - [ ] Version [version number] - [ ] Not sure