packages/ak-axum/extract/scheme: init (#21322)

Squashed commit of the following:

commit adac0e4
Merge: f2dea0e 2e5cfb2
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 19:47:53 2026 +0200

    Merge branch 'rust-axum-extract-client-ip' into rust-axum-extract-scheme

commit 2e5cfb2
Merge: d51d860 a6d543b
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 19:47:43 2026 +0200

    Merge branch 'rust-axum-extract-trusted-proxy' into rust-axum-extract-client-ip

commit a6d543b
Merge: da38234 a522b8b
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 19:47:33 2026 +0200

    Merge branch 'rust-axum-acceptor-proxy' into rust-axum-extract-trusted-proxy

commit a522b8b
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 19:46:57 2026 +0200

    fmt

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit f2dea0e
Merge: 6b7d139 d51d860
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 19:16:56 2026 +0200

    Merge branch 'rust-axum-extract-client-ip' into rust-axum-extract-scheme

commit d51d860
Merge: f74e533 da38234
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 19:16:50 2026 +0200

    Merge branch 'rust-axum-extract-trusted-proxy' into rust-axum-extract-client-ip

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit da38234
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 19:16:30 2026 +0200

    add doc

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 6b7d139
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 19:15:25 2026 +0200

    wip

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 19c6cf0
Merge: 1173406 f74e533
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 19:13:12 2026 +0200

    Merge branch 'rust-axum-extract-client-ip' into rust-axum-extract-scheme

commit f74e533
Merge: 4c84c53 703d5af
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 19:13:03 2026 +0200

    Merge branch 'rust-axum-extract-trusted-proxy' into rust-axum-extract-client-ip

commit 703d5af
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 19:12:58 2026 +0200

    fixup

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 1173406
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 19:12:24 2026 +0200

    wip

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 4c84c53
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 19:10:10 2026 +0200

    fixup

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 356c487
Merge: c2bd441 81f314c
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 19:09:58 2026 +0200

    Merge branch 'rust-axum-extract-trusted-proxy' into rust-axum-extract-client-ip

commit 81f314c
Merge: 544f662 5b13d5b
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 19:09:51 2026 +0200

    Merge branch 'rust-axum-trace' into rust-axum-extract-trusted-proxy

commit 5b13d5b
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 19:09:43 2026 +0200

    fixup

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit c2bd441
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 19:09:25 2026 +0200

    fixup

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit d350e94
Merge: b42fb09 544f662
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 19:09:10 2026 +0200

    Merge branch 'rust-axum-extract-trusted-proxy' into rust-axum-extract-client-ip

commit 544f662
Merge: 267336f 5e03610
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 19:08:55 2026 +0200

    Merge branch 'rust-axum-trace' into rust-axum-extract-trusted-proxy

commit 5e03610
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 19:08:20 2026 +0200

    fixup

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit b42fb09
Merge: a30b345 267336f
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 19:06:28 2026 +0200

    Merge branch 'rust-axum-extract-trusted-proxy' into rust-axum-extract-client-ip

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 267336f
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 19:05:50 2026 +0200

    fix layer order

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit a30b345
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 19:05:32 2026 +0200

    wip

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit e2ab302
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 19:00:34 2026 +0200

    add docs

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 89fbf0d
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 18:56:17 2026 +0200

    packages/ak-axum/extract/trusted_proxy: init

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 279610b
Merge: 2917970 5c937d7
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 18:54:49 2026 +0200

    Merge branch 'rust-axum-trace' into rust-axum-extract-trusted-proxy

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 2917970
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 18:40:31 2026 +0200

    packages/ak-axum/accept/proxy_protocol: init

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit d999d80
Merge: 65f33d6 365de9d
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 18:38:50 2026 +0200

    Merge branch 'rust-lib-proxy-protocol' into rust-axum-acceptor-proxy

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 65f33d6
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 18:35:12 2026 +0200

    packages/ak-axum/accept/tls: init

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 116e601
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 18:28:43 2026 +0200

    packages/ak-axum/server: init

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 5c937d7
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 17:40:46 2026 +0200

    packages/ak-axum/tracing: init

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 67ed0dc
Merge: b4f06d6 095d38c
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 17:17:40 2026 +0200

    Merge branch 'rust-config' into rust-axum

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 365de9d
Merge: ab239bf 0079984
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 17:15:04 2026 +0200

    Merge branch 'rust-lib-rename' into rust-lib-proxy-protocol

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 095d38c
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 17:11:52 2026 +0200

    fixup

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 7eb07d5
Merge: cb1f86b 507eb2f
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 17:11:08 2026 +0200

    Merge branch 'rust-arbiter' into rust-config

commit 507eb2f
Merge: 6968d59 0079984
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 17:10:37 2026 +0200

    Merge branch 'rust-lib-rename' into rust-arbiter

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 0079984
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 17:08:07 2026 +0200

    packages/ak-common: rename from ak-lib

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit b4f06d6
Merge: c08e2a3 cb1f86b
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 17:05:36 2026 +0200

    wip

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit c08e2a3
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 17:05:01 2026 +0200

    wip

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 75622e9
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 16:57:45 2026 +0200

    packages/ak-axum: init

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit cb1f86b
Merge: c8fa1b8 a3fea5d
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 16:53:19 2026 +0200

    Merge branch 'fix-rustfmt-config' into rust-config

commit 6968d59
Merge: 341c9cc a3fea5d
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 16:52:55 2026 +0200

    Merge branch 'fix-rustfmt-config' into rust-arbiter

commit ab239bf
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 16:39:44 2026 +0200

    fix import

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit a3fea5d
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 16:32:16 2026 +0200

    root: fix rustfmt config

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 3ef0080
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 16:29:35 2026 +0200

    packages/ak-lib/tokio/proxy_procotol: init

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit c8fa1b8
Merge: 48c833c 341c9cc
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Tue Mar 31 13:56:39 2026 +0200

    Merge branch 'rust-arbiter' into rust-config

commit 341c9cc
Merge: a1cf0a7 55e555c
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Tue Mar 31 13:55:28 2026 +0200

    Merge branch 'main' into rust-arbiter

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 48c833c
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Mon Mar 30 20:31:04 2026 +0200

    lint

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 681117d
Merge: 4c54511 a1cf0a7
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Mon Mar 30 20:03:49 2026 +0200

    Merge branch 'rust-arbiter' into rust-config

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit a1cf0a7
Merge: 1ee6f11 524b788
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Mon Mar 30 20:03:01 2026 +0200

    Merge branch 'rust-lib' into rust-arbiter

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 524b788
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Mon Mar 30 19:57:51 2026 +0200

    fixup

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit dc65ab1
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Mon Mar 30 16:33:49 2026 +0200

    packages/ak-lib: init

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 4c54511
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Mon Mar 30 19:52:55 2026 +0200

    move into lib crate

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit d7141df
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Mon Mar 30 19:48:34 2026 +0200

    fixup

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 2bab7ed
Merge: 2bc79f1 1ee6f11
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Mon Mar 30 19:43:24 2026 +0200

    Merge branch 'rust-arbiter' into rust-config

commit 1ee6f11
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Mon Mar 30 19:43:21 2026 +0200

    fixup

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 2bc79f1
Merge: e7d3704 27ff039
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Mon Mar 30 19:42:58 2026 +0200

    Merge branch 'rust-arbiter' into rust-config

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 27ff039
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Mon Mar 30 19:40:37 2026 +0200

    rename to ak-lib

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit e7d3704
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Mon Mar 30 19:32:59 2026 +0200

    packages/ak-config: init

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 1e5cb4b
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Mon Mar 30 19:32:18 2026 +0200

    sort out package versions

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 64b9391
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Mon Mar 30 17:49:16 2026 +0200

    lint

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 57edeec
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Mon Mar 30 17:48:51 2026 +0200

    add tests

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 5294f8a
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Mon Mar 30 16:38:11 2026 +0200

    fixup

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit f1257d2
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Mon Mar 30 16:33:49 2026 +0200

    packages/ak-arbiter: init

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

Author: rissson

Cargo.lock

@@ -34,6 +34,7 @@ console-subscriber = "= 0.5.0"
 dotenvy = "= 0.15.7"
 durstr = "= 0.5.1"
 eyre = "= 0.6.12"
+forwarded-header-value = "= 0.1.1"
 futures = "= 0.3.32"
 glob = "= 0.3.3"
 ipnet = { version = "= 2.12.0", features = ["serde"] }

Cargo.toml

@@ -16,6 +16,7 @@ axum.workspace = true
 client-ip.workspace = true
 durstr.workspace = true
 eyre.workspace = true
+forwarded-header-value.workspace = true
 futures.workspace = true
 tokio-rustls.workspace = true
 tokio.workspace = true

packages/ak-axum/Cargo.toml

@@ -1,4 +1,5 @@
 //! axum extractors to get information about a request.
 
 pub mod client_ip;
+pub mod scheme;
 pub mod trusted_proxy;

packages/ak-axum/src/extract/mod.rs

@@ -0,0 +1,252 @@
+//! axum extractor and middleware to get the request scheme.
+
+use axum::{
+    Extension, RequestPartsExt as _,
+    extract::{FromRequestParts, Request},
+    http::{self, header::FORWARDED, request::Parts},
+    middleware::Next,
+    response::Response,
+};
+use forwarded_header_value::{ForwardedHeaderValue, Protocol};
+use tracing::{Span, instrument};
+
+use crate::{
+    accept::{proxy_protocol::ProxyProtocolState, tls::TlsState},
+    extract::trusted_proxy::TrustedProxy,
+};
+
+const X_FORWARDED_PROTO: &str = "X-Forwarded-Proto";
+const X_FORWARDED_SCHEME: &str = "X-Forwarded-Scheme";
+
+/// Request scheme.
+///
+/// The [`scheme_middleware`] must be added to the router before using this extractor,
+/// otherwise this will result in requests erroring.
+#[derive(Clone, Debug)]
+pub struct Scheme(pub http::uri::Scheme);
+
+impl<S> FromRequestParts<S> for Scheme
+where
+    S: Send + Sync,
+{
+    type Rejection = <Extension<Self> as FromRequestParts<S>>::Rejection;
+
+    async fn from_request_parts(parts: &mut Parts, state: &S) -> Result<Self, Self::Rejection> {
+        Extension::<Self>::from_request_parts(parts, state)
+            .await
+            .map(|Extension(scheme)| scheme)
+    }
+}
+
+/// Get the scheme from the request.
+#[instrument(skip_all)]
+async fn extract_scheme(parts: &mut Parts) -> http::uri::Scheme {
+    let is_trusted = parts
+        .extract::<TrustedProxy>()
+        .await
+        .unwrap_or(TrustedProxy(false))
+        .0;
+
+    if is_trusted {
+        if let Some(proto) = parts.headers.get(X_FORWARDED_PROTO)
+            && let Ok(proto) = proto.to_str()
+            && let Ok(scheme) = proto.to_lowercase().as_str().try_into()
+        {
+            return scheme;
+        }
+
+        if let Some(proto) = parts.headers.get(X_FORWARDED_SCHEME)
+            && let Ok(proto) = proto.to_str()
+            && let Ok(scheme) = proto.to_lowercase().as_str().try_into()
+        {
+            return scheme;
+        }
+
+        if let Some(forwarded) = parts.headers.get(FORWARDED)
+            && let Ok(forwarded) = forwarded.to_str()
+            && let Ok(forwarded) = ForwardedHeaderValue::from_forwarded(forwarded)
+        {
+            for stanza in forwarded.iter() {
+                if let Some(forwarded_proto) = &stanza.forwarded_proto {
+                    let scheme = match forwarded_proto {
+                        Protocol::Http => http::uri::Scheme::HTTP,
+                        Protocol::Https => http::uri::Scheme::HTTPS,
+                    };
+                    return scheme;
+                }
+            }
+        }
+
+        if let Ok(Extension(proxy_protocol_state)) =
+            parts.extract::<Extension<ProxyProtocolState>>().await
+            && let Some(header) = &proxy_protocol_state.header
+            && header.ssl().is_some()
+        {
+            return http::uri::Scheme::HTTPS;
+        }
+    }
+
+    if parts.extract::<Extension<TlsState>>().await.is_ok() {
+        http::uri::Scheme::HTTPS
+    } else {
+        http::uri::Scheme::HTTP
+    }
+}
+
+/// Middleware required by the [`Scheme`] extractor.
+///
+/// Use with [`axum::middleware::from_fn`].
+pub async fn scheme_middleware(request: Request, next: Next) -> Response {
+    let (mut parts, body) = request.into_parts();
+
+    let scheme = extract_scheme(&mut parts).await;
+    Span::current().record("scheme", scheme.to_string());
+    parts.extensions.insert::<Scheme>(Scheme(scheme));
+
+    let request = Request::from_parts(parts, body);
+
+    next.run(request).await
+}
+
+#[cfg(test)]
+mod tests {
+    use axum::{body::Body, http::Request};
+
+    use super::*;
+
+    #[tokio::test]
+    async fn x_forwarded_proto_trusted() {
+        let (mut parts, _) = Request::builder()
+            .uri("http://example.com/path")
+            .header("x-forwarded-proto", "https")
+            .extension(TrustedProxy(true))
+            .body(Body::empty())
+            .expect("failed to create request")
+            .into_parts();
+
+        let scheme = extract_scheme(&mut parts).await;
+
+        assert_eq!(scheme, http::uri::Scheme::HTTPS,);
+    }
+
+    #[tokio::test]
+    async fn x_forwarded_scheme_trusted() {
+        let (mut parts, _) = Request::builder()
+            .uri("http://example.com/path")
+            .header("x-forwarded-scheme", "https")
+            .extension(TrustedProxy(true))
+            .body(Body::empty())
+            .expect("Failed to create request")
+            .into_parts();
+
+        let scheme = extract_scheme(&mut parts).await;
+
+        assert_eq!(scheme, http::uri::Scheme::HTTPS,);
+    }
+
+    #[tokio::test]
+    async fn forwarded_header_trusted() {
+        let (mut parts, _) = Request::builder()
+            .uri("http://example.com/path")
+            .header("forwarded", "proto=https")
+            .extension(TrustedProxy(true))
+            .body(Body::empty())
+            .expect("Failed to create request")
+            .into_parts();
+
+        let scheme = extract_scheme(&mut parts).await;
+
+        assert_eq!(scheme, http::uri::Scheme::HTTPS,);
+    }
+
+    #[tokio::test]
+    async fn x_forwarded_proto_untrusted() {
+        let (mut parts, _) = Request::builder()
+            .uri("http://example.com/path")
+            .header("x-forwarded-proto", "https")
+            .extension(TrustedProxy(false))
+            .body(Body::empty())
+            .expect("Failed to create request")
+            .into_parts();
+
+        let scheme = extract_scheme(&mut parts).await;
+
+        assert_eq!(scheme, http::uri::Scheme::HTTP,);
+    }
+
+    #[tokio::test]
+    async fn scheme_from_tls_state() {
+        let (mut parts, _) = Request::builder()
+            .uri("http://example.com/path")
+            .extension(TlsState {
+                peer_certificates: None,
+            })
+            .body(Body::empty())
+            .expect("Failed to create request")
+            .into_parts();
+
+        let scheme = extract_scheme(&mut parts).await;
+
+        assert_eq!(scheme, http::uri::Scheme::HTTPS,);
+    }
+
+    #[tokio::test]
+    async fn scheme_defaults_to_http() {
+        let (mut parts, _) = Request::builder()
+            .uri("http://example.com/path")
+            .body(Body::empty())
+            .expect("Failed to create request")
+            .into_parts();
+
+        let scheme = extract_scheme(&mut parts).await;
+
+        assert_eq!(scheme, http::uri::Scheme::HTTP,);
+    }
+
+    #[tokio::test]
+    async fn priority_order() {
+        let (mut parts, _) = Request::builder()
+            .uri("http://example.com/path")
+            .header("x-forwarded-proto", "http")
+            .header("x-forwarded-scheme", "https")
+            .header("forwarded", "proto=https")
+            .extension(TrustedProxy(true))
+            .body(Body::empty())
+            .expect("Failed to create request")
+            .into_parts();
+
+        let scheme = extract_scheme(&mut parts).await;
+
+        assert_eq!(scheme, http::uri::Scheme::HTTP,);
+    }
+
+    #[tokio::test]
+    async fn multiple_forwarded_stanzas() {
+        let (mut parts, _) = Request::builder()
+            .uri("http://example.com/path")
+            .header("forwarded", "proto=http, proto=https")
+            .extension(TrustedProxy(true))
+            .body(Body::empty())
+            .expect("Failed to create request")
+            .into_parts();
+
+        let scheme = extract_scheme(&mut parts).await;
+
+        assert_eq!(scheme, http::uri::Scheme::HTTP,);
+    }
+
+    #[tokio::test]
+    async fn test_scheme_case_insensitive() {
+        let (mut parts, _) = Request::builder()
+            .uri("http://example.com/path")
+            .header("x-forwarded-proto", "HTTPS")
+            .extension(TrustedProxy(true))
+            .body(Body::empty())
+            .expect("Failed to create request")
+            .into_parts();
+
+        let scheme = extract_scheme(&mut parts).await;
+
+        assert_eq!(scheme, http::uri::Scheme::HTTPS,);
+    }
+}

packages/ak-axum/src/extract/scheme.rs

@@ -6,7 +6,10 @@ use tower::ServiceBuilder;
 use tower_http::timeout::TimeoutLayer;
 
 use crate::{
-    extract::{client_ip::client_ip_middleware, trusted_proxy::trusted_proxy_middleware},
+    extract::{
+        client_ip::client_ip_middleware, scheme::scheme_middleware,
+        trusted_proxy::trusted_proxy_middleware,
+    },
     tracing::{span_middleware, tracing_middleware},
 };
 
@@ -28,7 +31,8 @@ pub fn wrap_router(router: Router, with_tracing: bool) -> Router {
         ))
         .layer(from_fn(span_middleware))
         .layer(from_fn(trusted_proxy_middleware))
-        .layer(from_fn(client_ip_middleware));
+        .layer(from_fn(client_ip_middleware))
+        .layer(from_fn(scheme_middleware));
     if with_tracing {
         router.layer(service_builder.layer(from_fn(tracing_middleware)))
     } else {

packages/ak-axum/src/router.rs

@@ -28,6 +28,7 @@ pub(crate) async fn span_middleware(request: Request, next: Next) -> Response {
         path = %request.uri(),
         method = %request.method(),
         remote = field::Empty,
+        scheme = field::Empty,
         http_headers = ?http_headers,
     );
     next.run(request).instrument(span).await