When hosting Password Pusher with a proxy, you can take advantage of the proxy’s features to enhance security, scalability, and performance. A proxy is often used to act as an SSL termination endpoint as well.

Required Proxy Headers

An occasional issue is that when using Password Pusher behind a proxy, the generated secret URLs are incorrect. They often have the backend URL & port instead of the public fully qualified URL - or use HTTP instead of HTTPS (or all of the preceding).

To resolve this, make sure your proxy properly forwards the X-Forwarded-Host, X-Forwarded-Port and X-Forwarded-Proto headers.

The values in these headers represent the front end request. When these headers are sent, Password Pusher can then build the correct URLs.

Nginx Example

As an example, for nginx, the addition could be:

proxy_set_header  X-Forwarded-Port $server_port;
proxy_set_header  X-Forwarded-Host $host;
proxy_set_header  X-Forwarded-Proto $scheme;
proxy_set_header  X-Forwarded-Ssl on;

Alternative Option

If you are unable to have these headers passed to the application for any reason, you could instead force an override of the base URL using the PWP__OVERRIDE_BASE_URL environment variable.

Environment Variable Description Example Value
PWP__OVERRIDE_BASE_URL Set this value (without a trailing slash) to force the base URL of generated links. ‘https://subdomain.domain.dev’

Updated: