Merge branch 'move-x-forwarded-proto-for-https' into 'master'

Only include X-Forwarded-Proto when HTTPS is enabled

Be explicit about X-Forwarded-Proto scheme used based on HTTPS setting. In the case of multiple reverse proxies, the scheme may appear to be HTTP, which could cause 422 errors.

[Unicorn only checks if the setting is "https"](4e7cab9f17/ext/unicorn_http/unicorn_http.rl (L476)) and otherwise defaults to "http".

Closes gitlab-org/gitlab-ce#2091

See merge request !435

files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-ci-http.conf.erb

@@ -72,7 +72,7 @@ server {
     proxy_connect_timeout   300;
     proxy_redirect          off;
 
-    proxy_set_header   X-Forwarded-Proto $scheme;
+    proxy_set_header   X-Forwarded-Proto <%= @https ? "https" : "http" %>;
     proxy_set_header   Host              $http_host;
     proxy_set_header   X-Real-IP         $remote_addr;
     proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;

files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb

@@ -115,7 +115,7 @@ server {
     proxy_set_header    X-Forwarded-Ssl     on;
     <% end %>
     proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
-    proxy_set_header    X-Forwarded-Proto   $scheme;
+    proxy_set_header    X-Forwarded-Proto   <%= @https ? "https" : "http" %>;
     proxy_set_header    X-Frame-Options     SAMEORIGIN;
 
     proxy_pass http://gitlab;

files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-mattermost-http.conf.erb

@@ -54,7 +54,7 @@ server {
     proxy_connect_timeout   300;
     proxy_redirect          off;
 
-    proxy_set_header   X-Forwarded-Proto $scheme;
+    proxy_set_header   X-Forwarded-Proto <%= @https ? "https" : "http" %>;
     proxy_set_header   Host              $http_host;
     proxy_set_header   X-Real-IP         $remote_addr;
     proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;