The media repo must run behind a reverse proxy in order to support SSL/TLS - it does not have configuration options for enabling this on its own.
The reverse proxy must pass through the
Host header to the media repo such that it matches
a domain specified in the config. For example, if your homeserver's name is
the media repo must receive
Host: example.org regardless of how the request got to the reverse
An example scenario where the
Host header can change is in server delegation (common in hosting
Host the reverse proxy is approached with might not match the server name and
thus will need to manually rewrite the
Host header being proxied to the media repo.
Other proxy headers, like
X-Forwarded-For, are recommended to be sent to the media repo for
identification in the logs. In the specific case of
X-Forwarded-For, for any requests the media
repo needs to make to the homeserver it will do so with the
X-Forwarded-For header applied to
ensure that the user's IP history doesn't reveal the media repo's IP address.
Cache headers and other response headers should be left managed by the media repo and not
intercepted or changed by the reverse proxy (except
Server, that can be safely overwritten).