From 83e96ed5f15e4b477ed30b1eadafa5ebdd7e5de4 Mon Sep 17 00:00:00 2001
From: chrislu <chris.lu@gmail.com>
Date: Wed, 29 Oct 2025 17:28:52 -0700
Subject: [PATCH] Corrected Scheme Precedence Order

---
 weed/s3api/auth_signature_v4.go | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/weed/s3api/auth_signature_v4.go b/weed/s3api/auth_signature_v4.go
index a196f7cda..0b1394a9a 100644
--- a/weed/s3api/auth_signature_v4.go
+++ b/weed/s3api/auth_signature_v4.go
@@ -595,14 +595,18 @@ func extractHostHeader(r *http.Request) string {
 	forwardedPort := r.Header.Get("X-Forwarded-Port")
 	forwardedProto := r.Header.Get("X-Forwarded-Proto")
 
-	// Determine the effective scheme: check TLS, r.URL.Scheme, then X-Forwarded-Proto (highest priority)
+	// Determine the effective scheme with correct order of precedence:
+	// 1. X-Forwarded-Proto (most authoritative, reflects client's original protocol)
+	// 2. r.TLS (authoritative for direct connection to server)
+	// 3. r.URL.Scheme (fallback, may not always be set correctly)
+	// 4. Default to "http"
 	scheme := "http"
-	if r.TLS != nil {
-		scheme = "https"
-	}
 	if r.URL.Scheme != "" {
 		scheme = r.URL.Scheme
 	}
+	if r.TLS != nil {
+		scheme = "https"
+	}
 	if forwardedProto != "" {
 		scheme = forwardedProto
 	}