Firstly, I've checked via the manually created /Headers page as well -> we are also already sending the "X-Forwarded-Proto: https" header from the Apache.
So I've checked the Tomcat side for an issue -> SOLUTION: it is necessary to add the [RemoteIpValve|https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Remote_IP_Valve] valve into the Tomcat's configuration (tested adding it to <Engine> in server.xml, but more specific locations should work as well; no need to set _scheme="https"_ as described previously): {noformat} <Valve className="org.apache.catalina.valves.RemoteIpValve"/>{noformat} In fact, this valve IS mentioned in the instructions for setup with _nginx -_ [here|https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Installation/InstallationWAR/InstallationTomcat/#HHttps28secure29]. ISSUE: For an unknown reason, probably just by a mistake, the valve is not mentioned in the section dedicated to setup with _Apache_ - so quite logically, people can miss this step. _What about putting this instruction one level up on the linked wiki page?_
[~tmortagne], hopefully you can confirm my findings.
What still remains a mystery is why sending "Forwarded: proto=https" _instead of_ "X-Forwarded-Proto: https" should also work according to your findings (I haven't tested this myself) and your wiki. Because according to all the documentation and Tomcat's valve/filter (there is also this RemoteIpFilter that does the very same job) source code, support for "Forwarded" simply shouldn't be there...
(And of course, the XWiki's inconsistency in implementing similar "create page" use cases and in handling creation of various absolute URLs is also still an issue IMHO, but I don't have enough insight to suggest a solution.)
This message was sent by Atlassian Jira (v9.3.0#930000-sha1:287aeb6)
If image attachments aren't displayed, see this article.
