Reverse Proxy

How to use SCM-Manager with common reverse proxies

SCM-Manager can run behind any reverse proxy, but a few rules must be respected. The reverse proxy should not encode slashes and the X-Forwarded-For and X-Forwarded-Host headers must be send to SCM-Manager. If the proxy uses a different protocol as the SCM-Manager e.g. https on proxy and http on scm-manager, the X-Forwarded-Proto header must be send too. If XSRF protection is enabled on the SCM-Manager server, the cookie has to be HttpOnly=false and must not be modified.


# set required forward headers
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# if https is used make sure X-Forwarded-Proto header is send
proxy_set_header X-Forwarded-Proto $scheme;

# assuming scm-manager is running on localhost at port 8080
location /scm {
    proxy_pass http://scm:8080;


# Ensure mod_proxy and mod_proxy_http modules are loaded
LoadModule proxy_module modules/
LoadModule proxy_http_module modules/

# avoid encoding of slashes
AllowEncodedSlashes NoDecode

# if https is used, make sure X-Forwarded-Proto is send
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
RequestHeader set "X-Forwarded-SSL" expr=%{HTTPS}

# assuming scm-manager is running on localhost at port 8080
ProxyPass /scm http://localhost:8080/scm nocanon
ProxyPassReverse /scm http://localhost:8080/scm
ProxyPassReverse  /scm  http://localhost:8080/scm

<Location /scm>
    Order allow,deny
    Allow from all


  • Setting ProxyPassReverseCookiePath would most likely cause problems with session handling!
  • If you encounter timeout problems, please have a look at Apache Module mod_proxy#Workers.


backend scm
    # use http as proxy protocol
    mode http
    # sets X-Forwarded-For header
    option forwardfor
    # check if scm is running
    option httpchk GET /scm/api/v2
    # assuming scm-manager is running on localhost at port 8080
    server dcscm1 localhost:8080 check
    # sets X-Forwarded-Host header
    http-request set-header X-Forwarded-Host %[req.hdr(Host)]
    # sets X-Forwarded-Proto to https if ssl is enabled
    http-request set-header X-Forwarded-Proto https if { ssl_fc }