From ee6eaaeba8251251bd64b3c950eb79d346ff1d81 Mon Sep 17 00:00:00 2001
From: Jeff Smith <jeff@unbiasedgeek.com>
Date: Sun, 19 Apr 2026 18:15:30 -0600
Subject: [PATCH] fix(docker): enable uvicorn proxy-headers so url_for works
 behind Traefik
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Without --proxy-headers + --forwarded-allow-ips, uvicorn ignores the
X-Forwarded-Proto header Traefik sets, so Starlette's url_for() picks
up the internal scheme (http) and host (the container's bind address).
That makes every <link>/<img> href in templates point at an internal
URL with the wrong scheme — the browser refuses CSS/images as mixed
content and the public page renders unstyled.

With both flags the template output becomes
https://quartermaster.unbiasedgeek.com/static/… as expected.

The wildcard in --forwarded-allow-ips='*' is safe here because the
compose file publishes no host ports — only containers on proxy-net
(i.e. Traefik) can reach port 8000.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 docker/entrypoint.sh | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index a5f6510..313c268 100755
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -8,4 +8,6 @@ alembic upgrade head
 exec uvicorn quartermaster.main:app \
     --host 0.0.0.0 \
     --port 8000 \
+    --proxy-headers \
+    --forwarded-allow-ips='*' \
     --log-config src/quartermaster/logconfig.json
-- 
2.45.2