deer-flow/docker/nginx
ajayr 71c5c4a072
fix(nginx): preserve upstream X-Forwarded-Proto when behind another TLS proxy (#3793)
When DeerFlow's nginx runs behind another TLS-terminating reverse proxy
(Pangolin/Traefik, Cloudflare, Caddy), every location block overwrote the
already-correct X-Forwarded-Proto with $scheme (= http on the private hop).
The Gateway then treated HTTPS browser traffic as HTTP: the auth-origin check
rejected the login POST with 403 "Cross-site auth request denied", and session
cookies lost the Secure flag and max-age.

Preserve an upstream X-Forwarded-Proto via a map that falls back to $scheme when
nginx is itself the TLS edge, so standalone `make dev` / Docker is unchanged.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-26 11:32:48 +08:00
..
nginx.conf fix(nginx): preserve upstream X-Forwarded-Proto when behind another TLS proxy (#3793) 2026-06-26 11:32:48 +08:00
nginx.local.conf fix: make local-dev (make dev) work on non-root / NFS hosts (#3590) 2026-06-19 23:20:55 +08:00