Fix 503s behind reverse proxy: add uvicorn --proxy-headers

FastAPI trailing-slash redirects (307) were using http:// instead of https:// because uvicorn wasn't reading X-Forwarded-Proto from the reverse proxy. When Pangolin (TLS-terminating proxy) received the http:// redirect it returned 503, breaking all list endpoints (/events, /calendars, /settings, /projects, /people, /locations). Adding --proxy-headers makes uvicorn honour X-Forwarded-Proto so redirects use the correct scheme. --forwarded-allow-ips '*' trusts headers from any IP since nginx sits on the Docker bridge network. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-02 17:17:39 +08:00 · 2026-03-02 17:17:39 +08:00 · fee454fc33
commit fee454fc33
parent 0c7d057654
1 changed files with 5 additions and 2 deletions
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@ -22,5 +22,8 @@ USER appuser
 # Expose port
 EXPOSE 8000

-# Run migrations and start server (--no-server-header suppresses uvicorn version disclosure)
-CMD ["sh", "-c", "alembic upgrade head && uvicorn app.main:app --host 0.0.0.0 --port 8000 --no-server-header"]
+# Run migrations and start server
+# --no-server-header: suppresses uvicorn version disclosure
+# --proxy-headers: reads X-Forwarded-Proto/For from reverse proxy so redirects use correct scheme
+# --forwarded-allow-ips '*': trusts proxy headers from any IP (nginx is on Docker bridge network)
+CMD ["sh", "-c", "alembic upgrade head && uvicorn app.main:app --host 0.0.0.0 --port 8000 --no-server-header --proxy-headers --forwarded-allow-ips '*'"]