From 522340507a50ba02abf777b6f3c43e7d23e9502b Mon Sep 17 00:00:00 2001
From: Jeff Emmett <jeffemmett@gmail.com>
Date: Sat, 21 Feb 2026 18:34:48 -0700
Subject: [PATCH] =?UTF-8?q?Fix=20CSRF=20403=20behind=20Cloudflare=20tunnel?=
 =?UTF-8?q?=20=E2=80=94=20add=20X-Forwarded-Proto=20header=20via=20Traefik?=
 =?UTF-8?q?=20middleware?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 docker-compose.prod.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index e8b2e76..4cd6ee1 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -76,6 +76,9 @@ services:
       # Main router (via Cloudflare tunnel → port 80)
       - "traefik.http.routers.rfiles.rule=Host(`rfiles.online`) || Host(`www.rfiles.online`) || HostRegexp(`{subdomain:[a-z0-9-]+}.rfiles.online`)"
       - "traefik.http.routers.rfiles.entrypoints=web"
+      # Pass X-Forwarded-Proto so Django CSRF works behind Cloudflare tunnel
+      - "traefik.http.middlewares.rfiles-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
+      - "traefik.http.routers.rfiles.middlewares=rfiles-headers"
       # Direct upload router (bypasses Cloudflare, TLS via Let's Encrypt)
       - "traefik.http.routers.rfiles-direct.rule=Host(`direct.rfiles.online`)"
       - "traefik.http.routers.rfiles-direct.entrypoints=websecure"