Purpose:
Verify that the application correctly handles traffic when deployed behind a reverse proxy (e.g., Nginx), including protocol forwarding, headers, redirects, and asset loading.

Steps to Validate
- Access via Proxy URL
  - Navigate to the public-facing URL (e.g., `https://wiki.example.com`)
  - Confirm the site loads without redirect loops or protocol errors
- Inspect Headers
  - Use browser dev tools or `curl -I` to check:
    - `X-Forwarded-For`
    - `X-Forwarded-Proto`
    - `Host`
  - Confirm these are being passed and respected
- Load Assets
  - Confirm that CSS, JS, and images load correctly
  - No mixed content warnings if proxy uses HTTPS
- Login Handling
  - Log in as a user from the proxy-facing URL
  - Confirm session and redirect behavior work correctly
- Force Redirects (if configured)
  - Access via `http://` (if enabled)
  - Confirm redirection to `https://` is enforced

Things to Watch For
- Mixed content warnings (HTTPS site pulling HTTP assets)
- Redirect loops (`https` → `http`)
- Incorrect client IPs (caused by missing `X-Forwarded-For`)
- Inconsistent login behavior due to cookie domain mismatch
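
The redirect, mixed-content and cookie-domain items above can be checked mechanically against a captured response. The Python below is an added example, not part of the original checklist; the function names and the sample capture are constructed for illustration, and the hop list is assumed to be transcribed from `curl -sIL` output.

```python
import re
from urllib.parse import urljoin, urlsplit

# Matches asset tags only; <a href> links are not mixed content.
ASSET_RE = re.compile(r'<(?:script|img|link)\b[^>]*?\b(?:src|href)=["\'](http://[^"\']+)', re.I)

def redirect_findings(hops):
    """hops: [(request_url, status, Location or None)] in the order followed."""
    findings, seen = [], set()
    for url, status, location in hops:
        seen.add(url)
        if not (300 <= status < 400 and location):
            continue
        target = urljoin(url, location)
        if url.startswith("https://") and target.startswith("http://"):
            findings.append(f"downgrade: {url} -> {target}")
        if target in seen:  # the chain returns to a URL already requested
            findings.append(f"loop: {url} -> {target}")
            break
    return findings

def mixed_content(page_url, html):
    """http:// assets referenced by a page that was served over https."""
    return ASSET_RE.findall(html) if urlsplit(page_url).scheme == "https" else []

def cookie_domain_mismatches(page_url, set_cookie_values):
    """Set-Cookie values whose Domain attribute does not cover the public host."""
    host, bad = urlsplit(page_url).hostname, []
    for raw in set_cookie_values:
        name = raw.split("=", 1)[0].strip()
        for attr in raw.split(";")[1:]:
            key, _, value = attr.strip().partition("=")
            if key.lower() != "domain" or not value:
                continue
            domain = value.strip().lstrip(".").lower()
            if host != domain and not host.endswith("." + domain):
                bad.append(f"{name}: Domain={domain} does not cover {host}")
    return bad

# Constructed sample capture (not from a real deployment).
PUBLIC = "https://wiki.example.com/"
HOPS = [("http://wiki.example.com/", 301, "https://wiki.example.com/"),
        ("https://wiki.example.com/", 302, "http://wiki.example.com/")]
HTML = ('<link rel="stylesheet" href="https://wiki.example.com/app.css">'
        '<script src="http://wiki.example.com/app.js"></script><img src="/logo.png">')
COOKIES = ["session=abc123; Path=/; Domain=localhost; HttpOnly",
           "prefs=dark; Path=/; Domain=.example.com"]

if __name__ == "__main__":
    for line in (redirect_findings(HOPS) + mixed_content(PUBLIC, HTML)
                 + cookie_domain_mismatches(PUBLIC, COOKIES)):
        print(line)
```

A session cookie scoped to `localhost` on the public URL usually means the backend built it from the internal `Host` value instead of the one the proxy forwarded.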

Bonus: Test Internal vs External Access
- Internal URL: `http://localhost:3000`
- External/proxy URL: `https://wiki.company.com`
- Ensure both work correctly in their contexts
- But public-facing users only use the proxied endpoint