From b2ecedbc9455e5e9ad198aadadf18164908c5a34 Mon Sep 17 00:00:00 2001
From: Kyle Pope <kyle.a.pope@outlook.com>
Date: Thu, 26 Feb 2026 03:25:14 +0800
Subject: [PATCH] Support X-Forwarded-Proto from upstream reverse proxy

Add nginx map directive to prefer X-Forwarded-Proto header from
Traefik/Pangolin when present, falling back to $scheme for direct
internal HTTP access. Applied to both nginx.conf and proxy-params.conf.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 frontend/nginx.conf        | 9 ++++++++-
 frontend/proxy-params.conf | 2 +-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/frontend/nginx.conf b/frontend/nginx.conf
index 3de626d..3519178 100644
--- a/frontend/nginx.conf
+++ b/frontend/nginx.conf
@@ -1,6 +1,13 @@
 # Rate limiting zones (before server block)
 limit_req_zone $binary_remote_addr zone=auth_limit:10m rate=10r/m;
 
+# Use X-Forwarded-Proto from upstream proxy when present, fall back to $scheme for direct access
+map $http_x_forwarded_proto $forwarded_proto {
+    default $scheme;
+    https   https;
+    http    http;
+}
+
 server {
     listen 8080;
     server_name localhost;
@@ -62,7 +69,7 @@ server {
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Proto $forwarded_proto;
         proxy_cache_bypass $http_upgrade;
     }
 
diff --git a/frontend/proxy-params.conf b/frontend/proxy-params.conf
index 8d88715..4b18310 100644
--- a/frontend/proxy-params.conf
+++ b/frontend/proxy-params.conf
@@ -3,4 +3,4 @@ proxy_http_version 1.1;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Proto $forwarded_proto;