Lighttpd

Committed revision r2052

this is not fixed (I'm on 1.4.31-4+deb7u3)

GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: _pk_id.2.9fb9=cd6f3dc8e22665d5.1427806151.5.1432309044.1432303252.; _pk_ses.2.9fb9=*
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
X-Forwarded-Proto: https
Strict-Transport-Security: max-age=10886400; includeSubDomains; preload
X-SSL-cipher: TLSv1.2/ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES Mac=SHA1
X-Forwarded-For: X.X.X.X

2015-05-22 17:49:11: (response.c.241) run condition
2015-05-22 17:49:11: (configfile-glue.c.583) === start of condition block ===
2015-05-22 17:49:11: (configfile-glue.c.273) 10 global/HTTPscheme==https nej
8<--------
2015-05-22 17:49:11: (configfile-glue.c.471) HTTP["scheme"] ( http ) compare to https
2015-05-22 17:49:11: (configfile-glue.c.534) 1 (uncached) result: false
2015-05-22 17:49:11: (configfile-glue.c.583) === start of condition block ===
2015-05-22 17:49:11: (configfile-glue.c.235) go parent global/HTTPscheme==https
2015-05-22 17:49:11: (configfile-glue.c.541) 1 (cached) result: false
2015-05-22 17:49:11: (configfile-glue.c.534) 2 (uncached) result: false
2015-05-22 17:49:11: (configfile-glue.c.583) === start of condition block ===
2015-05-22 17:49:11: (configfile-glue.c.471) HTTP["scheme"] ( http ) compare to http
2015-05-22 17:49:11: (configfile-glue.c.534) 3 (uncached) result: true
8<--------

Partially fixed. Another follow-up patch is further below.

commit 05858f6cf2d93f49c8995aed05e79b7bc68538b3
Author: Stefan Bühler <stbuehler@web.de>
Date:   Wed Jul 31 20:23:21 2013 +0000

    [ssl] Fix $HTTP["scheme"] conditional, could be "http" for ssl connections if the ssl $SERVER["socket"] conditional was nested (fixes #2501)

    con->conf.is_ssl got removed and replaced by:
     * con->conf.ssl_enabled for the config var "ssl.engine" - it is only
       used to determine which server-sockets should use ssl. (usually not
       needed as it is mandatory and enough to set ssl.pemfile anyway)
     * con->srv_socket->is_ssl to detect the actual ssl status of the
       bound socket, which is the same as the ssl status of the connection
     * con->uri.scheme for the actual $HTTP["scheme"] value, also used for
       the CGI "HTTPS=ON" variable. This defaults to "https" if the
       connection uses ssl, but can be changed for example by mod_extforward
       if X-Forwarded-Proto: is set to either "http" or "https" (other values
       are ignored right now)

    Also removed the broken srv_socket->is_proxy_ssl as it was a connection
    value in a server_socket struct...

    git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2887 152afb58-edef-0310-8abb-c4023f1b3aa9

Looks like mod_extforward.c also needs to reset the condition cache when the scheme is changed. This additional patch should address that:

diff --git a/src/mod_extforward.c b/src/mod_extforward.c
index fdb3c11..4a56f55 100644
--- a/src/mod_extforward.c
+++ b/src/mod_extforward.c
@@ -352,6 +352,7 @@ static void ipstr_to_sockaddr(server *srv, const char *host, sock_addr *sock) {

 static void clean_cond_cache(server *srv, connection *con) {
        config_cond_cache_reset_item(srv, con, COMP_HTTP_REMOTE_IP);
+       config_cond_cache_reset_item(srv, con, COMP_HTTP_SCHEME);
 }

 URIHANDLER_FUNC(mod_extforward_uri_handler) {

updated in e5e5548b