cgi redirecting to non-https URL

I have a private ikiwiki (3.20170111) which is running on a host that serves HTTP and HTTPS, but ikiwiki is configured for (and only served on) HTTPS:

url: https://redacted/phd/
cgiurl: https://redacted/phd/cgi

However, form submissions from ikiwiki are going to a HTTP URL and thus not being served. Example headers from submitting a comment:

Request URL:https://redacted/phd/cgi
Request Method:POST
Status Code:302 Found
Remote Address:redacted:443
Referrer Policy:no-referrer-when-downgrade

Response Headers

HTTP/1.1 302 Found
Server: nginx/1.10.3
Date: Fri, 08 Dec 2017 11:53:35 GMT
Content-Length: 0
Connection: keep-alive
Status: 302 Found
Location: http://redacted/phd/blog/38th_Dec/?updated#comment-bd0549eb2464b5ca0544f68e6c32221e

Your form submission was in fact done successfully. The failing redirection to http is when ikiwiki follows up the successful edit by redirecting you from the form submission URL to the updated page, which is done by IkiWiki::redirect. --smcv

The CGI is served by lighttpd, but the whole site is front-ended by nginx, which reverse-proxies to lighttpd.

I think this might be to do with nginx not rewriting POST URLs when reverse-proxying, but I'm not sure why they would be generated in an HTTP form in any case, except perhaps by lighttpd's CGI handler since the back end is HTTP. A workaround is for nginx to redirect any HTTP URI to the HTTPS equivalent. I initially disabled that so as to have the path for letsencrypt negotiation not redirected.-- Jon

Do you have the reverse_proxy option set to 1? (It affects how ikiwiki generates self-referential URLs).

Is the connection between nginx and lighttpd http or https?

I think this is maybe a bug in IkiWiki::redirect when used in conjunction with reverse_proxy: 1: when marked as behind a reverse proxy, IkiWiki::redirect sent Location: /phd/foo/bar/, which your backend web server might be misinterpreting. ikiwiki git master now sends Location: https://redacted/phd/foo/bar/ instead: does that resolve this for you?

Assuming nginx has a reasonable level of configuration, you can redirect http to https for the entire server except /.well-known/acme-challenge/ as a good way to bootstrap ACME negotiation. --smcv