'Redirect to URL' action forces absolute URL, is there a relative URL option?

That sounds more like a setup issue with the Drupal site. The redirect action from core is generating the URL to which the user is being redirected, as you already correctly described. If that leads to a wrong domain, then you're likely to run into even more problems and your Drupal setup is not quite right.

In other words, if your destination is /test, Drupal route generator uses base:/test as the URI and turns that into an external URL. This is what happens all over Drupal core, not only in this redirect action plugin. And there's nothing that could do any better.

Thanks for your reply!
Interesting, we haven't come across many other cases where Drupal used the absolute URL. The only exceptions so far are for generating the <link rel="canonical" href=, and the above mentioned redirect.

Our question still stands; is there an alternative where we can use a relative URL for redirect? Our backend server is only reachable by whitelisted IP addresses, so only admins and the reverse proxy are allowed. If the backend generates absolute URLs, users of the frontend won't be able to retrieve those.

Our backend server is only reachable by whitelisted IP addresses, so only admins and the reverse proxy are allowed.

I don't understand the problem. You reach your site via https://123.456.111.222/some/path or https://www.example.com/some/path, i.e. via IP address or via domain? And the redirect action is using the same domain (or IP) when building the URL to redirect to? Or is it using a different one?

If it's the same, then there shouldn't be an issue with that. Unless I'm missing something. If it uses a different one, then I'd argue that the Drupal site is not configured correctly.

Our question still stands; is there an alternative where we can use a relative URL for redirect?

I don't think there can be any alternative solution. As I mentioned in #2, building a redirect URL with other means would do the same that the existing redirect action is doing. Unless I'm completely misunderstanding the problem, I want to believe that this can be solved by configuration, but I hope I can learn more about the details.

The situation is: we have Drupal running on our "backend server", let's say that's at "backend.com". The backend URL is all that Drupal knows, so any absolute URLs it constructs will always be https://backend.com/path. The backend server is only used for admin duties, it's only reachable if your IP is whitelisted.

Then there's a "frontend server", let's say that's at "frontend.net". This serves as a (limited) reverse proxy for the backend. Website visitors will only interact with the frontend server, which proxies the requests to the backend. Some visitor actions will trigger the ECA rules that redirect them to different parts of the website. But these redirects are of course generated on the backend (frontend only proxies them), and this means that visitors of the frontend will be redirected to a URL like https://backend.com/path. If the redirects were relative, they would just be directed to /path, and thus stay on the frontend.

If we configured Drupal on the backend to use the frontend URL, that would break functionality for the admin users.

We hope this explains the situation well enough; we're curious about your thoughts!

Another possible solution would be to configure the frontend proxy to find/replace any backend domains with frontend domains. But so far, the redirect action is the only place where we've seen absolute URLs used.

What I'm struggling with, why is an ECA model processed for a front end user which then redirects them to something in the backend?

If the ECA model runs on the frontend server, that redirect should go to the frontend domain. And on the frontend server, the action plugin should use the correct front end domain. If it doesn't, then the frontend server is not configured correctly.

If the ECA model runs on the backend server, then it will use the correct backend domain.

What you're describing sounds like the redirect action is executed on the backend server and should redirect to something on the frontend. Well, that combination should never be possible. How can that happen?

Sorry if the previous post was unclear about this; Drupal only runs on the backend server. The frontend server is a reverse proxy (using NGINX proxy_pass directive), and does some caching. Drupal doesn't even need to know about the frontend server.

Well, if the frontend server runs on a different domain than the backend server, then the Drupal server needs to be configured such that it always knows about the current domain, then it would use that correctly when building URLs.