WEBLATE_SECURE_PROXY_SSL_HEADER not working

[andrea689]

Describe the issue

I set this env:

WEBLATE_ENABLE_HTTPS=1
WEBLATE_IP_PROXY_HEADER=HTTP_X_FORWARDED_FOR
WEBLATE_SECURE_PROXY_SSL_HEADER=HTTP_X_CUSTOM_PROTO,https

This curl return 301 Moved Permanently:
curl -I <MY_IP> -H "X_CUSTOM_PROTO: HTTPS"

And this curl return 200
curl -I <MY_IP> -H "X-FORWARDED-PROTO: https"

It seems that Django does not use the custom header but the default one.

I already tried

• I've read and searched the documentation.
• I've searched for similar filed issues in this repository.

Steps to reproduce the behavior

1. run weblate docker with env WEBLATE_SECURE_PROXY_SSL_HEADER=HTTP_X_CUSTOM_PROTO,https
2. curl -I <MY_IP> -H "X_CUSTOM_PROTO: HTTPS"
3. 301 redirect :(

Expected behavior

No response

Screenshots

No response

Exception traceback

How do you run Weblate?

Docker container

Weblate versions

• Weblate: 5.11.4
• Django: 5.2.1
• siphashc: 2.5
• translate-toolkit: 3.15.2
• lxml: 5.4.0
• pillow: 11.2.1
• nh3: 0.2.21
• python-dateutil: 2.9.0.post0
• social-auth-core: 4.6.1
• social-auth-app-django: 5.4.3
• django-crispy-forms: 2.4
• oauthlib: 3.2.2
• django-compressor: 4.5.1
• djangorestframework: 3.16.0
• django-filter: 25.1
• django-appconf: 1.1.0
• user-agents: 2.2.0
• filelock: 3.18.0
• RapidFuzz: 3.13.0
• openpyxl: 3.1.5
• celery: 5.5.2
• django-celery-beat: 2.8.0
• kombu: 5.5.3
• translation-finder: 2.19
• weblate-language-data: 2025.5
• html2text: 2025.4.15
• pycairo: 1.28.0
• PyGObject: 3.52.3
• diff-match-patch: 20241021
• requests: 2.32.3
• django-redis: 5.4.0
• hiredis: 3.1.0
• sentry-sdk: 2.27.0
• Cython: 3.0.12
• mistletoe: 1.4.0
• GitPython: 3.1.44
• borgbackup: 1.4.1
• pyparsing: 3.2.3
• ahocorasick_rs: 0.22.2
• python-redis-lock: 4.0.0
• charset-normalizer: 3.4.2
• cyrtranslit: 1.1.1
• drf-spectacular: 0.28.0
• Python: 3.13.3
• Git: 2.49.0
• psycopg: 3.2.7
• psycopg-binary: 3.2.7
• phply: 1.2.6
• ruamel.yaml: 0.18.10
• tesserocr: 2.8.0
• boto3: 1.38.10
• aeidon: 1.15
• iniparse: 0.5
• mysqlclient: 2.2.7
• google-cloud-translate: 3.20.2
• openai: 1.77.0
• Mercurial: 7.0.2
• git-svn: 2.49.0
• git-review: 2.4.0
• PostgreSQL server: 14.7
• Database backends: django.db.backends.postgresql
• PostgreSQL implementation: psycopg3 (binary)
• Cache backends: default:RedisCache, avatar:FileBasedCache
• Email setup: django.core.mail.backends.smtp.EmailBackend: smtp.sendgrid.net
• OS encoding: filesystem=utf-8, default=utf-8
• Celery: redis://cache:6379/1, redis://cache:6379/1, regular
• Platform: Linux 5.10.109-104.500.amzn2.x86_64 (x86_64)

Weblate deploy checks

System check identified some issues:

WARNINGS:
?: (security.W018) You should not have DEBUG set to True in deployment.

INFOS:
?: (weblate.I021) Error collection is not set up, it is highly recommended for production use
	HINT: https://docs.weblate.org/en/weblate-5.11.4/admin/install.html#collecting-errors
?: (weblate.I028) Backups are not configured, it is highly recommended for production use
	HINT: https://docs.weblate.org/en/weblate-5.11.4/admin/backup.html

Additional context

No response

[nijel]

What do you use for SSL termination? Isn't the SSL termination proxy doing the redirect?

[andrea689]

Hi @nijel, I use AWS CloudFront as proxy, and every https request to CloudFront is translated to http request with X_CUSTOM_PROTO: HTTPS header to an EC2 with docker and weblate.

If weblate receive standard header X-FORWARDED-PROTO: https it works successfully, but if I try to use the custom header X_CUSTOM_PROTO: HTTPS, weblate always return 301 redirect in loop so the error "Too many redirects"

Unfortunately I'm forced to use the custom header because CloudFront does not allow X-FORWARDED-PROTO to be set

This env WEBLATE_SECURE_PROXY_SSL_HEADER does not seem to work in weblate docker

[nijel]

There is nginx running inside Weblate container which might be causing this (but it should just pass custom headers).

The setting seems to be correctly parsed from the environment:

weblate/weblate/settings_docker.py

Lines 1007 to 1009 in 44cbd0b

	WEBLATE_SECURE_PROXY_SSL_HEADER = get_env_list("WEBLATE_SECURE_PROXY_SSL_HEADER")
	if WEBLATE_SECURE_PROXY_SSL_HEADER:
	SECURE_PROXY_SSL_HEADER = WEBLATE_SECURE_PROXY_SSL_HEADER

And passed to Django: https://docs.djangoproject.com/en/5.2/ref/settings/#secure-proxy-ssl-header

[andrea689]

Ah ok, so the nginx inside the weblate docker block custom headers.

I think this is the file need fix https://github.com/WeblateOrg/docker/blob/main/etc/nginx/default.tpl in order to handle WEBLATE_SECURE_PROXY_SSL_HEADER

[nijel]

According to the documentation, it should not modify custom headers.

[nijel]

X_CUSTOM_PROTO: HTTPS

WEBLATE_SECURE_PROXY_SSL_HEADER=HTTP_X_CUSTOM_PROTO,https

I think this is the issue, you pass HTTPS as value, but tell Django that it should look for https and it compares it case-sensitive (see https://github.com/django/django/blob/b2407e4d7d25e4a5839bb512cb2fdf71e9e30a21/django/http/request.py#L318).