deploy: uvicorn --proxy-headers so https stays https behind NPM

The app sits behind Nginx Proxy Manager which terminates TLS and
forwards plain HTTP. Without --proxy-headers, Starlette's request.url
keeps the inbound `http` scheme, so url_for() renders the static-CSS
`<link>` as http://… and the browser blocks it as mixed content under
the public https origin.

Adds --proxy-headers + --forwarded-allow-ips=* to the prod uvicorn
command. The wildcard is fine because the container has no host port —
only the intranet bridge (where NPM lives) can reach it.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Giorgio Gilestro 2026-05-22 21:47:48 +01:00
parent 3932ef4048
commit 9e058144ec

@ -13,7 +13,13 @@
services:
app:
command: ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "80", "--workers", "1"]
# --proxy-headers makes Starlette honour X-Forwarded-Proto / -For from
# NPM, so request.url_for() generates https:// URLs (otherwise static
# asset links render as http://… and browsers block as mixed content).
# --forwarded-allow-ips=* is safe here: the container has no host port,
# only the intranet bridge reaches it.
command: ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "80",
"--workers", "1", "--proxy-headers", "--forwarded-allow-ips=*"]
expose:
- "80"
networks:
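Review bot: `--forwarded-allow-ips=*` on the new command line makes uvicorn trust X-Forwarded-Proto and X-Forwarded-For from any peer, so the "safe here" claim in the comment rests entirely on network isolation that this hunk does not enforce. Any other container attached to the same bridge could set the scheme and client address the app sees. Consider pinning the value to NPM's address on that bridge instead of the wildcard. If the wildcard stays, extend the comment to say that adding a `ports:` mapping or attaching another service to that network invalidates the assumption.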