Support X-Forwarded-Proto from upstream reverse proxy

Add nginx map directive to prefer X-Forwarded-Proto header from
Traefik/Pangolin when present, falling back to $scheme for direct
internal HTTP access. Applied to both nginx.conf and proxy-params.conf.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

frontend/nginx.conf

@@ -1,6 +1,13 @@
 # Rate limiting zones (before server block)
 limit_req_zone $binary_remote_addr zone=auth_limit:10m rate=10r/m;
 
+# Use X-Forwarded-Proto from upstream proxy when present, fall back to $scheme for direct access
+map $http_x_forwarded_proto $forwarded_proto {
+    default $scheme;
+    https   https;
+    http    http;
+}
+
 server {
     listen 8080;
     server_name localhost;
@@ -62,7 +69,7 @@ server {
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Proto $forwarded_proto;
         proxy_cache_bypass $http_upgrade;
     }
 

frontend/proxy-params.conf

@@ -3,4 +3,4 @@ proxy_http_version 1.1;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Proto $forwarded_proto;