From fee454fc3347ee7252e5ef443713e8038ce871c3 Mon Sep 17 00:00:00 2001 From: Kyle Pope Date: Mon, 2 Mar 2026 17:17:39 +0800 Subject: [PATCH] Fix 503s behind reverse proxy: add uvicorn --proxy-headers FastAPI trailing-slash redirects (307) were using http:// instead of https:// because uvicorn wasn't reading X-Forwarded-Proto from the reverse proxy. When Pangolin (TLS-terminating proxy) received the http:// redirect it returned 503, breaking all list endpoints (/events, /calendars, /settings, /projects, /people, /locations). Adding --proxy-headers makes uvicorn honour X-Forwarded-Proto so redirects use the correct scheme. --forwarded-allow-ips '*' trusts headers from any IP since nginx sits on the Docker bridge network. Co-Authored-By: Claude Opus 4.6 --- backend/Dockerfile | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/backend/Dockerfile b/backend/Dockerfile index a278604..60f2692 100644 --- a/backend/Dockerfile +++ b/backend/Dockerfile @@ -22,5 +22,8 @@ USER appuser # Expose port EXPOSE 8000 -# Run migrations and start server (--no-server-header suppresses uvicorn version disclosure) -CMD ["sh", "-c", "alembic upgrade head && uvicorn app.main:app --host 0.0.0.0 --port 8000 --no-server-header"] +# Run migrations and start server +# --no-server-header: suppresses uvicorn version disclosure +# --proxy-headers: reads X-Forwarded-Proto/For from reverse proxy so redirects use correct scheme +# --forwarded-allow-ips '*': trusts proxy headers from any IP (nginx is on Docker bridge network) +CMD ["sh", "-c", "alembic upgrade head && uvicorn app.main:app --host 0.0.0.0 --port 8000 --no-server-header --proxy-headers --forwarded-allow-ips '*'"]