From 817824bd6fee04b188e6c657de39e17b4d06f19f Mon Sep 17 00:00:00 2001
From: rinseaid
Date: Wed, 13 May 2026 22:38:35 -0400
Subject: [PATCH] Fix X-Forwarded-Proto always set to "http" for TLS connections

httpConnCtx wraps *tls.Conn behind net.Conn, so Go's http.Server cannot detect TLS via type assertion and r.TLS is always nil. SetXForwarded() then always writes X-Forwarded-Proto: http. Override using the isTLS context flag already set by ConnContext.
---
 netstack2/http_handler.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/netstack2/http_handler.go b/netstack2/http_handler.go
index ece82e9..ba0495f 100644
--- a/netstack2/http_handler.go
+++ b/netstack2/http_handler.go
@@ -315,6 +315,13 @@ func (h *HTTPHandler) getProxy(target HTTPTarget) *httputil.ReverseProxy {
 // Director means the proxy does not append its own automatic
 // X-Forwarded-For entry, so the header is set exactly once.
 pr.SetXForwarded()
+
+ // SetXForwarded derives X-Forwarded-Proto from pr.In.TLS,
+ // which is nil because httpConnCtx wraps *tls.Conn behind
+ // net.Conn. Override using the context flag set by ConnContext.
+ if isTLS, _ := pr.In.Context().Value(connTLSKey{}).(bool); isTLS {
+ pr.Out.Header.Set("X-Forwarded-Proto", "https")
+ }
 },
 Transport: transport,
 }
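Review bot: The override added after `pr.SetXForwarded()` corrects only X-Forwarded-Proto; `pr.In.TLS` remains nil for every TLS connection, so any other code that reads `r.TLS` (none is visible in this hunk) would still treat HTTPS requests as plaintext. Backends commonly use this header to decide on Secure cookies and HTTPS redirects, so its value now depends on ConnContext storing `connTLSKey{}` on every TLS accept path, and because the `ok` result of the `.(bool)` assertion is discarded, a missing or mistyped value silently yields `http`. The patch touches one file and adds no test; a regression test that sends a request through the wrapped TLS listener and asserts the upstream receives `X-Forwarded-Proto: https` (and `http` on the plaintext listener) would pin the behaviour. getProxy's body starts and ends outside the hunk.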