NGINX Reverse Proxy not working ERR_INVALID_REDIRECT with "flexible" cloudflare SSL

[JohnB17]

Explain what happens

1. Go to URL
2. Get ERR_INVALID_REDIRECT
   9090 is not allowed through firewall, but I can curl it on the localhost.

NGINX Configuration:

server {
    listen         443 ssl;
    server_name    admin.example.com;
    
    ssl_certificate      /etc/letsencrypt/live/admin.example.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/admin.example.com/privkey.pem;

    location / {
        # Required to proxy the connection to Cockpit
        proxy_pass https://127.0.0.1:9090;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Required for web sockets to function
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Pass ETag header from Cockpit to clients.
        # See: https://github.com/cockpit-project/cockpit/issues/5239
        gzip off;
    }
}

Cockpit config (/etc/cockpit/cockpit.conf):

[WebService]
Origins = https://admin.example.com wss://admin.example.com
ProtocolHeader = X-Forwarded-Proto

Version of Cockpit

Latest, just installed today but I can't see because Cockpit is not working

Where is the problem in Cockpit?

Unknown or not applicable

Server operating system

Ubuntu

Server operating system version

22.04

What browsers are you using?

Chrome

System log

No response

[martinpitt]

Where exactly do you get the ERR_INVALID_REDIRECT? Is that an error message from nginx already? What do its logs (access.log and error.log) say?

proxy_pass https://127.0.0.1:9090;

Are you sure that you want to proxy to https? Normally you'd use a reverse proxy to terminate TLS, and talk unencrypted http to the backend service (cockpit in this case).

[JohnB17]

I am getting the error from the browser. I did try http but it got the same error. There us also nothing in NGINX error or access logs.

[JohnB17]

I don't know how to close a discussion, but I fixed it. I needed to set cloudflare SSL to full instead of flexible.

[martinpitt]

Ah, cloudflare! That's good to know, we didn't try that either yet.