proxy_set_header   Host                 $host;
proxy_set_header   X-Real-IP            $remote_addr;
proxy_set_header   X-Scheme             $scheme;
proxy_set_header   X-Forwarded-For      $proxy_add_x_forwarded_for;
proxy_set_header   X-Forwarded-Proto    $scheme;
proxy_set_header   X-Forwarded-Host     $server_name;
proxy_set_header   X-Forwarded-Scheme   $scheme;
proxy_set_header   X-Forwarded-Ssl      $https;
proxy_set_header   X-Forwarded-Server   $host;

# Mainly for websocket support but shouldn't hurt to set it globally
proxy_http_version 1.1;
proxy_set_header   Upgrade              $http_upgrade;
proxy_set_header   Connection           $connection_upgrade;

# Clean auth headers to ensure that the client can't inject any header for authentication
# The Authorization header cannot be force-cleared here, because some apps do have auth mechanism that depend on other things than the YunoHost SSO (cf other basic-auth based stuff like Webdav(?) or "Bearer"-type auth
# proxy_set_header   Authorization        "";
proxy_set_header   Ynh-User             "";
proxy_set_header   Ynh-User-Email       "";
proxy_set_header   Ynh-User-Fullname    "";
proxy_set_header   REMOTE_USER          "";
proxy_set_header   X-Forwarded-User     "";
