Post-login redirect ignores subpath when using USE_X_SETTINGS=1 behind reverse proxy

[matthewlenz]

Title: Post-login redirect ignores subpath when using USE_X_SETTINGS=1 behind reverse proxy

Describe the bug

When changedetection.io is deployed at a subpath (e.g. https://example.com/changedetection/) behind an nginx reverse proxy with USE_X_SETTINGS=1 and password protection enabled, a successful login redirects to the root domain (https://example.com/) instead of the correct subpath (https://example.com/changedetection/).

The X-Forwarded-Prefix header is being set correctly by the proxy — asset loading, navigation, and the login form action (/changedetection/login) all work correctly. The issue is isolated to the post-login redirect.

Version

0.54.9

How did you install?

Docker (dgtlmoon/changedetection.io)

To Reproduce

1. Run changedetection.io behind a reverse proxy at a subpath (e.g. /changedetection/)
2. Set USE_X_SETTINGS=1 on the container
3. Configure the proxy to set X-Forwarded-Prefix /changedetection in the location block
4. Enable password protection in Settings → General
5. Log out and log back in
6. Observe the post-login redirect goes to https://example.com/ instead of https://example.com/changedetection/

Expected behavior

After a successful login, the app should redirect to https://example.com/changedetection/, honouring the X-Forwarded-Prefix header.

Additional context

The login form action is correctly generated as /changedetection/login, so USE_X_SETTINGS=1 is partially working. General navigation and asset loading work correctly once the user manually returns to the subpath URL.

[dgtlmoon]

I'll park this is in discussions for now, we are doing exactly the same thing in production and it works. can you paste your whole nginx config?

[matthewlenz]

@dgtlmoon few more details while I put together my info for you later today. This issue is just about the redirect parameter on login.

If after logging in and I am redirected to https://www.example.com/ I can then go to the correct https://www.example.com/changedetection/ and use the site perfectly.

If I am logged out and go to https://www.example.com/changedetection/ it redirects me to https://www.example.com/changedetection/login?redirect=/ (I didn't even notice the redirect parameter in my original bug report)

If I am logged in and on a specific page like settings and click log out it redirects me to https://www.example.com/changedetection/login?redirect=/settings

If I am logged out and I go directly to https://www.example.com/changedetection/login (no redirect parameter) and login it redirects me to the correct https://www.example.com/changedetection/

I'll try to dig up my config. I want to check and see if nginx-proxy is generating the correct conf.d for this path. I have several other services running behind it without issue, some with custom vhost.d configurations.

[dgtlmoon]

Does anything here help you? https://github.com/dgtlmoon/changedetection.io/wiki/Running-changedetection.io-behind-a-reverse-proxy

[dgtlmoon]

nginx-proxy i dont know what that is, is that a different package to nginx?

[matthewlenz]

nginx-proxy i dont know what that is, is that a different package to nginx?

it's proxy service that is designed to allow you to run one or more services behind an nginx-proxy. sorry for the delay. I'll try to follow up with more info in the next day or so. I've been slammed at work.

[matthewlenz]

@dgtlmoon ... Not asking you to learn nginx-proxy or anything but this does follow the instructions provided and like I said, ultimately everything works EXCEPT prefix query parameter generation for login/logout flow. The app works perfectly when going directly to /changedetection/ after logging in (even though it redirects me to the wrong location).

docker-compose.yml:

services:
  nginx-proxy:
    image: nginxproxy/nginx-proxy
    container_name: nginx-proxy
    restart: unless-stopped
    networks:
      - proxy-net
    ports:
      - "80:80"
      - "443:443"
    environment:
      TZ: America/Chicago
    volumes:
      - ./nginx-proxy/vhost.d:/etc/nginx/vhost.d
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - certs:/etc/nginx/certs
      - html:/usr/share/nginx/html

  nginx-proxy-acme:
    image: nginxproxy/acme-companion
    container_name: nginx-proxy-acme
    restart: unless-stopped
    networks:
      - proxy-net
    depends_on:
      - nginx-proxy
    environment:
      DEFAULT_EMAIL: xxxxxxx@xxxxxxxx.xxx
      NGINX_PROXY_CONTAINER: nginx-proxy
      TZ: America/Chicago
    volumes:
      - ./nginx-proxy/vhost.d:/etc/nginx/vhost.d
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - certs:/etc/nginx/certs
      - html:/usr/share/nginx/html
      - acme:/etc/acme.sh

  selenium:
    image: selenium/standalone-chrome
    container_name: selenium
    restart: unless-stopped
    networks:
      - proxy-net
    ports:
      - "4444:4444"
    environment:
      TZ: America/Chicago
    shm_size: "2g"

  changedetection:
    image: dgtlmoon/changedetection.io
    container_name: changedetection
    restart: unless-stopped
    networks:
      - proxy-net
    expose:
      - "5000"
    depends_on:
      - nginx-proxy
      - selenium
    environment:
      LETSENCRYPT_HOST: xxx.xxxxxxxx.xxx
      VIRTUAL_HOST: xxx.xxxxxxxx.xxx
      VIRTUAL_PATH: /changedetection/
      VIRTUAL_DEST: /
      VIRTUAL_PORT: "5000"
      TZ: America/Chicago
      USE_X_SETTINGS: "1"
      WEBDRIVER_URL: http://selenium:4444/wd/hub
    volumes:
      - ./changedetection:/datastore

networks:
  proxy-net:
    name: proxy-net

volumes:
  certs:
  html:
  acme:

/etc/nginx/vhost.d/xxx.xxxxxxxxx.xxx_719f9e445834115f2a1f78f3bf006f57d1c3d242_location:
## This file is used to add per-path rules to the for a specific path in the generated nginx default.conf
## the hashed section is just a hashed version of the path

proxy_set_header X-Forwarded-Prefix /changedetection;

/etc/nginx/conf.d/default.conf: 
## This file is auto generated by nginx-proxy and here is the related server {} block
## The proxy_pass just points to an upstream with the IP/PORT of the discovered service.

location /changedetection/ {
        proxy_pass http://xxx.xxxxxxxxx.xxx-719f9e445834115f2a1f78f3bf006f57d1c3d242/;
        set $upstream_keepalive true;
        include /etc/nginx/vhost.d/xxx.xxxxxxxxx.xxx_719f9e445834115f2a1f78f3bf006f57d1c3d242_location;
}