I'm running 0.3.2 with apache in front of it to provide TLS. I set these headers on the request to make clear to kallithea that it is being accessed securely:
RequestHeader set X-FORWARDED-PROTOCOL https RequestHeader set X-FORWARDED-SSL on RequestHeader set X-URL-SCHEME https
And I even tried the advised (even though I don't understand how setting something in the apache env can have consequences on a backend that is only communicated with through http):
SetEnvIf X-Url-Scheme https HTTPS=1
But the kallithea-cookie doesn't have the secure flag set (just the httponly flag):
Set-Cookie:kallithea=bf7e93[...cut...]db8ce7d9; httponly; Path=/
Is there something in the kallithea config that I should set?