trinodb · ebyhr · Aug 4, 2025 · Jul 21, 2025
diff --git a/docs/installation.md b/docs/installation.md
@@ -362,6 +362,23 @@ that are marked as active.
 See [TrinoStatus](routing-rules.md#trinostatus) for more details on 
 what each Trino status means.
 
+Username and password for the health check can be configured by adding 
+`backendState` to your configuration. The username and password must be valid
+across all backends.
+
+SSL and xForwardProtoHeader can be configured based on whether the 
+connection between the Trino Gateway and the backend is secure. 
+By default, both are set to false.
+Find more information in [the related Trino documentation](https://trino.io/docs/current/security/tls.html#use-a-load-balancer-to-terminate-tls-https).
+
+```yaml
+backendState:
+  username: "user"
+  password: "password"
+  ssl: <false/true>
+  xForwardedProtoHeader: <false/true>  
+```
+
 The type of health check is configured by setting
 
 ```yaml
@@ -442,15 +459,7 @@ monitor:
 This uses a JDBC connection to query `system.runtime` tables for cluster 
 information. It is required for the query count based routing strategy. This is
 recommended over `UI_API` since it does not restrict the Web UI authentication
-method of backend clusters. Configure a username and password by adding
-`backendState` to your configuration. The username and password must be valid 
-across all backends.
-
-```yaml
-backendState:
-  username: "user"
-  password: "password"
-```
+method of backend clusters. 
 
 Trino Gateway uses `explicitPrepare=false` by default. This property was introduced
 in Trino 431, and uses a single query for prepared statements, instead of a 

diff --git a/docs/routers.md b/docs/routers.md
@@ -67,6 +67,7 @@ backendState:
   username: <usernme>
   password: <password>
   ssl: <false/true>
+  xForwardedProtoHeader: <false/true>
 
 clusterStatsConfiguration:
   monitorType: UI_API

diff --git a/gateway-ha/src/main/java/io/trino/gateway/ha/clustermonitor/ClusterStatsHttpMonitor.java b/gateway-ha/src/main/java/io/trino/gateway/ha/clustermonitor/ClusterStatsHttpMonitor.java
@@ -33,6 +33,7 @@
 import java.util.Map;
 
 import static com.google.common.base.Strings.isNullOrEmpty;
+import static com.google.common.net.HttpHeaders.X_FORWARDED_PROTO;
 import static io.airlift.http.client.HttpStatus.fromStatusCode;
 import static io.trino.gateway.ha.handler.HttpUtils.UI_API_QUEUED_LIST_PATH;
 import static io.trino.gateway.ha.handler.HttpUtils.UI_API_STATS_PATH;
@@ -48,11 +49,13 @@ public class ClusterStatsHttpMonitor
 
     private final String username;
     private final String password;
+    private final boolean xForwardedProtoHeader;
 
     public ClusterStatsHttpMonitor(BackendStateConfiguration backendStateConfiguration)
     {
         username = backendStateConfiguration.getUsername();
         password = backendStateConfiguration.getPassword();
+        xForwardedProtoHeader = backendStateConfiguration.getXForwardedProtoHeader();
     }
 
     @Override
@@ -137,10 +140,13 @@ private String queryCluster(ProxyBackendConfiguration backend, String path)
         }
 
         String targetUrl = backend.getProxyTo() + path;
-        Request request = new Request.Builder()
+        Request.Builder requestBuilder = new Request.Builder()
                 .url(HttpUrl.parse(targetUrl))
-                .get()
-                .build();
+                .get();
+        if (xForwardedProtoHeader) {
+            requestBuilder.addHeader(X_FORWARDED_PROTO, "https");
+        }
+        Request request = requestBuilder.build();
 
         Call call = client.newCall(request);
 

diff --git a/gateway-ha/src/main/java/io/trino/gateway/ha/clustermonitor/ClusterStatsJmxMonitor.java b/gateway-ha/src/main/java/io/trino/gateway/ha/clustermonitor/ClusterStatsJmxMonitor.java
@@ -29,6 +29,7 @@
 import java.util.Optional;
 import java.util.stream.Collectors;
 
+import static com.google.common.net.HttpHeaders.X_FORWARDED_PROTO;
 import static io.airlift.http.client.HttpUriBuilder.uriBuilderFrom;
 import static io.airlift.http.client.JsonResponseHandler.createJsonResponseHandler;
 import static io.airlift.http.client.Request.Builder.prepareGet;
@@ -45,12 +46,14 @@ public class ClusterStatsJmxMonitor
     private final HttpClient client;
     private final String username;
     private final String password;
+    private final boolean xForwardedProtoHeader;
 
     public ClusterStatsJmxMonitor(HttpClient client, BackendStateConfiguration backendStateConfiguration)
     {
         this.client = requireNonNull(client, "client is null");
         this.username = backendStateConfiguration.getUsername();
         this.password = backendStateConfiguration.getPassword();
+        this.xForwardedProtoHeader = backendStateConfiguration.getXForwardedProtoHeader();
     }
 
     private static void updateClusterStatsFromDiscoveryNodeManagerResponse(JmxResponse response, ClusterStats.Builder clusterStats)
@@ -125,13 +128,16 @@ private Optional<JmxResponse> queryJmx(ProxyBackendConfiguration backend, String
         requireNonNull(mbeanName, "mbeanName is null");
 
         String jmxUrl = backend.getProxyTo();
-        Request preparedRequest = prepareGet()
+        Request.Builder requestBuilder = prepareGet()
                 .setUri(uriBuilderFrom(URI.create(jmxUrl))
                         .appendPath(JMX_PATH)
                         .appendPath(mbeanName)
                         .build())
-                .addHeader("X-Trino-User", username)
-                .build();
+                .addHeader("X-Trino-User", username);
+        if (xForwardedProtoHeader) {
+            requestBuilder.addHeader(X_FORWARDED_PROTO, "https");
+        }
+        Request preparedRequest = requestBuilder.build();
 
         boolean isHttps = preparedRequest.getUri().getScheme().equalsIgnoreCase("https");
 

diff --git a/gateway-ha/src/main/java/io/trino/gateway/ha/clustermonitor/ClusterStatsMetricsMonitor.java b/gateway-ha/src/main/java/io/trino/gateway/ha/clustermonitor/ClusterStatsMetricsMonitor.java
@@ -35,6 +35,7 @@
 
 import static com.google.common.base.Strings.isNullOrEmpty;
 import static com.google.common.collect.ImmutableMap.toImmutableMap;
+import static com.google.common.net.HttpHeaders.X_FORWARDED_PROTO;
 import static io.airlift.http.client.HttpUriBuilder.uriBuilderFrom;
 import static io.airlift.http.client.Request.Builder.prepareGet;
 import static io.airlift.http.client.ResponseHandlerUtils.propagate;
@@ -58,6 +59,7 @@ public class ClusterStatsMetricsMonitor
     private final ImmutableSet<String> metricNames;
     private final Map<String, Float> metricMinimumValues;
     private final Map<String, Float> metricMaximumValues;
+    private final boolean xForwardedProtoHeader;
 
     public ClusterStatsMetricsMonitor(HttpClient httpClient, BackendStateConfiguration backendStateConfiguration, MonitorConfiguration monitorConfiguration)
     {
@@ -81,6 +83,7 @@ public ClusterStatsMetricsMonitor(HttpClient httpClient, BackendStateConfigurati
                 .addAll(metricMaximumValues.keySet())
                 .build();
         metricsResponseHandler = new MetricsResponseHandler(metricNames);
+        xForwardedProtoHeader = backendStateConfiguration.getXForwardedProtoHeader();
     }
 
     private static ClusterStats getUnhealthyStats(ProxyBackendConfiguration backend)
@@ -134,11 +137,15 @@ private Map<String, String> getMetrics(String baseUrl, int retriesRemaining)
             uri.addParameter("name[]", metric);
         }
 
-        Request request = prepareGet()
+        Request.Builder requestBuilder = prepareGet()
                 .setUri(uri.build())
                 .addHeader(identityHeader.name, identityHeader.value)
-                .addHeader("Content-Type", "application/openmetrics-text; version=1.0.0; charset=utf-8")
-                .build();
+                .addHeader("Content-Type", "application/openmetrics-text; version=1.0.0; charset=utf-8");
+        if (xForwardedProtoHeader) {
+            requestBuilder.addHeader(X_FORWARDED_PROTO, "https");
+        }
+        Request request = requestBuilder.build();
+
         try {
             return httpClient.execute(request, metricsResponseHandler);
         }

diff --git a/gateway-ha/src/main/java/io/trino/gateway/ha/config/BackendStateConfiguration.java b/gateway-ha/src/main/java/io/trino/gateway/ha/config/BackendStateConfiguration.java
@@ -18,6 +18,7 @@ public class BackendStateConfiguration
     private String username;
     private String password = "";
     private Boolean ssl = false;
+    private boolean xForwardedProtoHeader;
 
     public BackendStateConfiguration() {}
 
@@ -50,4 +51,14 @@ public void setSsl(Boolean ssl)
     {
         this.ssl = ssl;
     }
+
+    public boolean getXForwardedProtoHeader()
+    {
+        return xForwardedProtoHeader;
+    }
+
+    public void setXForwardedProtoHeader(boolean xForwardedProtoHeader)
+    {
+        this.xForwardedProtoHeader = xForwardedProtoHeader;
+    }
 }