From 9e058144ecc80f5255915f6d907d8c7dc777896d Mon Sep 17 00:00:00 2001
From: Giorgio Gilestro
Date: Fri, 22 May 2026 21:47:48 +0100
Subject: [PATCH] deploy: uvicorn --proxy-headers so https stays https behind NPM
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The app sits behind Nginx Proxy Manager which terminates TLS and forwards plain HTTP. Without --proxy-headers, Starlette's request.url keeps the inbound \`http\` scheme, so url_for() renders the static-CSS \`\` as http://… and the browser blocks it as mixed content under the public https origin.

Adds --proxy-headers + --forwarded-allow-ips=* to the prod uvicorn command. The wildcard is fine because the container has no host port — only the intranet bridge (where NPM lives) can reach it.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 docker-compose.prod.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index 1045c67..0a18178 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -13,7 +13,13 @@ services:
 app:
- command: ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "80", "--workers", "1"]
+ # --proxy-headers makes Starlette honour X-Forwarded-Proto / -For from
+ # NPM, so request.url_for() generates https:// URLs (otherwise static
+ # asset links render as http://… and browsers block as mixed content).
+ # --forwarded-allow-ips=* is safe here: the container has no host port,
+ # only the intranet bridge reaches it.
+ command: ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "80",
+ "--workers", "1", "--proxy-headers", "--forwarded-allow-ips=*"]
 expose:
 - "80"
 networks:
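Review bot: `--forwarded-allow-ips=*` on the new `command:` line makes uvicorn accept `X-Forwarded-For` / `X-Forwarded-Proto` from every peer, so the safety claimed in the comment rests on network topology that this file does not enforce; any other container attached to the same bridge, or a later `ports:` mapping, turns those headers into caller-controlled input. With the wildcard, the client address the app sees is whatever the forwarded header carries, which matters if it feeds logging, rate limiting or IP allow-lists, so it is worth confirming that NPM overwrites the header rather than appending to it. Pinning trust to the proxy is a one-token change: `"--forwarded-allow-ips=<NPM_ADDRESS_OR_BRIDGE_CIDR>"` (placeholder; the CIDR form needs a uvicorn release that accepts networks, otherwise give NPM a fixed address on the bridge). If the wildcard stays, the comment should name its assumptions, e.g. `# wildcard trust is valid only while NPM is the sole other peer on this network and no ports: mapping exists`.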