deer-flow/docker
ajayr 71c5c4a072
fix(nginx): preserve upstream X-Forwarded-Proto when behind another TLS proxy (#3793)
When DeerFlow's nginx runs behind another TLS-terminating reverse proxy
(Pangolin/Traefik, Cloudflare, Caddy), every location block overwrote the
already-correct X-Forwarded-Proto with $scheme (= http on the private hop).
The Gateway then treated HTTPS browser traffic as HTTP: the auth-origin check
rejected the login POST with 403 "Cross-site auth request denied", and session
cookies lost the Secure flag and max-age.

Preserve an upstream X-Forwarded-Proto via a map that falls back to $scheme when
nginx is itself the TLS edge, so standalone `make dev` / Docker is unchanged.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-26 11:32:48 +08:00
..
nginx fix(nginx): preserve upstream X-Forwarded-Proto when behind another TLS proxy (#3793) 2026-06-26 11:32:48 +08:00
provisioner docs: document custom AIO sandbox images (#3548) 2026-06-13 22:50:51 +08:00
dev-entrypoint.sh fix(dev): create backend/sandbox before uvicorn reload-exclude (#3459) (#3460) 2026-06-09 15:29:40 +08:00
docker-compose-dev.yaml fix(doc):update the document for the docker configuration 2026-06-14 11:35:01 +08:00
docker-compose.cli-auth.yaml fix(security): do not bind-mount host CLI auth dirs by default (#3521) 2026-06-14 10:50:05 +08:00
docker-compose.dood.yaml fix(doc):update the document for the docker configuration 2026-06-14 11:35:01 +08:00
docker-compose.yaml fix(doc):update the document for the docker configuration 2026-06-14 11:35:01 +08:00