Conflicting secure headers cause request parsing failure
warning | configuration | Updated Jan 1, 2024
Technologies:
How to detect:
When multiple secure headers are present in a request (e.g., X-Forwarded-SSL: on and X-Forwarded-Proto: http) and disagree about HTTPS usage, Gunicorn raises an InvalidSchemeHeaders exception, causing the request to fail.
Recommended action:
Configure the front-end proxy to send only one consistent secure header (e.g., only X-Forwarded-Proto). Review secure_scheme_headers and remove unused header mappings. Audit the proxy configuration for header consistency.
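
To audit captured proxy output for the conflict described under "How to detect", and to see the effect of trimming secure_scheme_headers, the following added example (not Gunicorn's own code) models the consistency check in stand-alone Python. The function names and sample requests are constructed for illustration; the default mapping is Gunicorn's documented default, and exact value comparison is an assumption of this example.

```python
# Added example: models the scheme-header consistency check; not Gunicorn's code.

# Gunicorn's documented default for secure_scheme_headers.
DEFAULT_SECURE_SCHEME_HEADERS = {
    "X-FORWARDED-PROTOCOL": "ssl",
    "X-FORWARDED-PROTO": "https",
    "X-FORWARDED-SSL": "on",
}


def scheme_votes(headers, mapping=DEFAULT_SECURE_SCHEME_HEADERS):
    """Return [(header_name, scheme)] for every mapped header in the request.

    A mapped header whose value equals the configured value votes "https";
    any other value votes "http". Names are matched case-insensitively,
    values exactly (assumption of this example).
    """
    votes = []
    for name, value in headers:
        key = name.upper()
        if key in mapping:
            secure = value.strip() == mapping[key]
            votes.append((key, "https" if secure else "http"))
    return votes


def audit_request(headers, mapping=DEFAULT_SECURE_SCHEME_HEADERS):
    """Classify a request: 'conflict', 'https', 'http' or 'no-scheme-header'."""
    schemes = {scheme for _, scheme in scheme_votes(headers, mapping)}
    if len(schemes) > 1:
        return "conflict"  # the case reported as InvalidSchemeHeaders
    return schemes.pop() if schemes else "no-scheme-header"


# Constructed sample requests, as a front-end proxy might forward them.
SAMPLES = {
    "conflicting": [("Host", "app.example"), ("X-Forwarded-SSL", "on"),
                    ("X-Forwarded-Proto", "http")],
    "consistent": [("Host", "app.example"), ("X-Forwarded-Proto", "https")],
    "unmapped": [("Host", "app.example"), ("Forwarded", "proto=https")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:12} {audit_request(hdrs):17} {scheme_votes(hdrs)}")
    # With only X-Forwarded-Proto mapped, X-Forwarded-SSL is ignored.
    narrowed = {"X-FORWARDED-PROTO": "https"}
    print("narrowed    ", audit_request(SAMPLES["conflicting"], narrowed))
```

With the narrowed mapping the conflicting sample no longer conflicts but resolves to http, so the proxy must still set the one remaining header to the correct value.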