Question: producing https addresses using url_for

Note: If in a hurry, skip to the end.

The way this information is passed to the app is via the ASGI spec itself. The server (Uvicorn, Hypercorn, or any other) is the one that tells the app if it is running on HTTPS or HTTP.

If you provide the HTTPS certificates to the ASGI server (e.g. Uvicorn) it will know it is running on HTTPS and pass that information to the framework (Starlette, FastAPI, or anything else).

But it’s very common to have a “TLS Proxy” on top of it. That would be something that has the HTTPS certificates, handles the connection, and passes the pure HTTP to the thing running behind (in this case, Uvicorn, running your Starlette/FastAPI app). Examples of programs that can run as TLS Proxies include Nginx, HAProxy, Traefik (I recommend Traefik 😉 ). The same would be done by Heroku or jwilder’s Docker image (based on Nginx).

But these TLS Proxies (and actually many other layers and servers) create some HTTP headers to let the thing that runs after them know that they are handling HTTPS for them.

But by default, none of the intermediate parts (Nginx, Traefik, Uvicorn) receive and accept those HTTPS headers from outside, as that would be a security risk. But if you know that the specific part (e.g. Uvicorn) is behind a TLS Proxy, you can normally configure/override it to receive those HTTP headers about the HTTPS connection.

In Uvicorn, the command parameter is --proxy-headers.

Note that the latest version of uvicorn now matches gunicorn behaviour - by default it will accept any X-Forwarded-For and X-Forwarded-Scheme headers if the client IP is in --forwarded_allow_ips (Defaults to the $FORWARDED_ALLOW_IPS environment variable, or else "127.0.0.1")