fix nginx well-known redirects when behind another reverse proxy

[icewind1991]

if nginx is behind another reverse proxy that handles the ssl termination it currently returns the wrong (non-https) redirect for well-known urls.

This change causes the redirect urls to only contain the path

[MichaIng]

The same should be required then for location /remote, right?

As you say it contains "only the path", the query string is contained as well, i.e. all URL elements that are not explicitly part of the redirect directive are omitted? So return 301 /nextcloud/index.php$request_uri; will return /nextcloud/index.php$request_uri while by default Nginx adds (it's own) scheme and host so that e.g. http://<local_hostname>/nextcloud/index.php$request_uri could be returned when it's an instance behind a reverse proxy or load balancer in the same LAN, right?

That's actually very good to know as IMO not intuitive.

[icewind1991]

I believe that the query string is not part of the redirect url (with both the current config and this PR), from how I understand the nginx config the absolute_redirect only effects the scheme, hostname and port

So return 301 /nextcloud/index.php$request_uri; will return /nextcloud/index.php$request_uri while by default Nginx adds (it's own) scheme and host so that e.g. http://<local_hostname>/nextcloud/index.php$request_uri could be returned when it's an instance behind a reverse proxy or load balancer in the same LAN, right?

Yes, by default nginx seems to transform the redirect into a full url when only the path is provided

[MichaIng]

I believe that the query string is not part of the redirect url (with both the current config and this PR)

That would be a problem. We just changed $uri to $request_uri to have the query strings preserved and at least the Apache2 Redirect and RewriteRule both do preserve the query string, so we would have failed to "clone" the .htaccess and would need to switch to Nginx's rewrite instead? I think it is important as we redirect all .well-known requests, even possible unknown ones, so cutting away the query string will definitely break some backends.

Apache2 Redirect btw appends the current servers scheme and hostname as well, so should suffer from the same issue with proxies: https://httpd.apache.org/docs/2.4/mod/mod_alias.html#redirect
The .htaccess uses RewriteRule with R=301 flag, where it is the same: https://httpd.apache.org/docs/2.4/rewrite/flags.html#flag_r
I'm wondering whether a reasonable proxy that terminates SSL would not as well adjust redirects sent back to the client?

Actually... a redirect MUST be an absolute URI according to the RFC:

• https://tools.ietf.org/html/rfc2616#section-14.30
• https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.30

So what we'd do with this change is creating an invalid redirect (Location header), even that all modern browsers seem to support it. That actually is a good reason for the above assumption, that a proxy should alter the redirect the same way it alters the client request before forwarding it, isn't it?