From 3957b10e92672ebd4e22d9d24d82f301e7eeec66 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin <alex.aubin@mailoo.org>
Date: Tue, 4 Jul 2023 15:00:02 +0200
Subject: [PATCH] nginx: replace $http_host by $host, cf
 https://github.com/yandex/gixy/blob/master/docs/en/plugins/hostspoofing.md /
 Credit to A.Wolski

---
 conf/nginx/redirect_to_admin.conf | 2 +-
 conf/nginx/server.tpl.conf        | 2 +-
 conf/nginx/yunohost_api.conf.inc  | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/conf/nginx/redirect_to_admin.conf b/conf/nginx/redirect_to_admin.conf
index 22748daa3..1d7933c6a 100644
--- a/conf/nginx/redirect_to_admin.conf
+++ b/conf/nginx/redirect_to_admin.conf
@@ -1,3 +1,3 @@
 location / {
-    return 302 https://$http_host/yunohost/admin;
+    return 302 https://$host/yunohost/admin;
 }
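Review bot: `$host` in this `return 302` still comes from the request line or the Host header. nginx only normalises it (lowercase, port stripped) and falls back to the matched server name when neither is present. If this file is included from a catch-all or `default_server` block, the redirect target therefore remains client-supplied. The including server block is not visible in the hunk, so this needs checking there. If that block has a fixed name, `return 302 https://$server_name/yunohost/admin;` would pin the target; otherwise a comment such as `# $host is client-supplied in the default server; do not treat the redirect target as trusted` would record the limit. The same applies to `return 301 https://$host$request_uri;` in the conf/nginx/server.tpl.conf hunk.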
diff --git a/conf/nginx/server.tpl.conf b/conf/nginx/server.tpl.conf
index 16b5c46c2..ccba8a082 100644
--- a/conf/nginx/server.tpl.conf
+++ b/conf/nginx/server.tpl.conf
@@ -25,7 +25,7 @@ server {
     {# Note that this != "False" is meant to be failure-safe, in the case the redrect_to_https would happen to contain empty string or whatever value. We absolutely don't want to disable the HTTPS redirect *except* when it's explicitly being asked to be disabled. #}
     {% if redirect_to_https != "False" %}
     location / {
-        return 301 https://$http_host$request_uri;
+        return 301 https://$host$request_uri;
     }
     {# The app config snippets are not included in the HTTP conf unless HTTPS redirect is disabled, because app's location may blocks will conflict or bypass/ignore the HTTPS redirection. #}
     {% else %}
diff --git a/conf/nginx/yunohost_api.conf.inc b/conf/nginx/yunohost_api.conf.inc
index c9ae34f82..f434dbe96 100644
--- a/conf/nginx/yunohost_api.conf.inc
+++ b/conf/nginx/yunohost_api.conf.inc
@@ -4,7 +4,7 @@ location /yunohost/api/ {
     proxy_http_version 1.1;
     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection "upgrade";
-    proxy_set_header Host $http_host;
+    proxy_set_header Host $host;
 
     {% if webadmin_allowlist_enabled == "True" %}
     {% for ip in webadmin_allowlist.split(',') %}
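Review bot: `proxy_set_header Host $host;` now forwards the host without its port, where `$http_host` passed the client's header through unchanged. If the API behind this location builds absolute URLs from Host, or compares it against `Origin` on the WebSocket upgrade set up in the lines above, instances served on a non-default port may behave differently; that is inferred, since the upstream is not visible here. A short comment above the directive would help, for example `# $host (not $http_host): validated by nginx, lowercased, port removed; the backend must not rely on the port`. The `location /yunohost/api/` block continues beyond the end of the hunk.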