diff --git a/backend/templates/_location.conf b/backend/templates/_location.conf
index a2ecb166d..1b6d32dac 100644
--- a/backend/templates/_location.conf
+++ b/backend/templates/_location.conf
@@ -2,8 +2,8 @@
 {{ advanced_config }}
 proxy_set_header Host $host;
- proxy_set_header X-Forwarded-Scheme $scheme;
- proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Scheme $resolved_proto;
+ proxy_set_header X-Forwarded-Proto $resolved_proto;
 proxy_set_header X-Forwarded-For $remote_addr;
 proxy_set_header X-Real-IP $remote_addr;
diff --git a/backend/templates/proxy_host.conf b/backend/templates/proxy_host.conf
index d23ca46fa..f57db26e6 100644
--- a/backend/templates/proxy_host.conf
+++ b/backend/templates/proxy_host.conf
@@ -4,6 +4,8 @@
 {% include "_hsts_map.conf" %}
+include conf.d/include/resolved_proto_map.conf;
+
 server {
 set $forward_scheme {{ forward_scheme }};
 set $server "{{ forward_host }}";
diff --git a/docker/rootfs/etc/nginx/conf.d/include/proxy.conf b/docker/rootfs/etc/nginx/conf.d/include/proxy.conf
index d346c4ef3..2cf0f657b 100644
--- a/docker/rootfs/etc/nginx/conf.d/include/proxy.conf
+++ b/docker/rootfs/etc/nginx/conf.d/include/proxy.conf
@@ -1,8 +1,7 @@
 add_header X-Served-By $host;
 proxy_set_header Host $host;
-proxy_set_header X-Forwarded-Scheme $scheme;
-proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Scheme $resolved_proto;
+proxy_set_header X-Forwarded-Proto $resolved_proto;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_pass $forward_scheme://$server:$port$request_uri;
-
diff --git a/docker/rootfs/etc/nginx/conf.d/include/resolved_proto_map.conf b/docker/rootfs/etc/nginx/conf.d/include/resolved_proto_map.conf
new file mode 100644
index 000000000..82d5708fd
--- /dev/null
+++ b/docker/rootfs/etc/nginx/conf.d/include/resolved_proto_map.conf
@@ -0,0 +1,7 @@
+# Resolve the effective protocol: use X-Forwarded-Proto if set
+# (e.g., from proxies like Cloudflare or AWS)
+# otherwise fall back to the current scheme.
+map $http_x_forwarded_proto $resolved_proto {
+ default $scheme;
+ ~.+ $http_x_forwarded_proto;
+}
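Review bot: The map in `resolved_proto_map.conf` takes `X-Forwarded-Proto` from whoever sent the request, so on a deployment with no trusted proxy in front of nginx a client on plain HTTP can set `X-Forwarded-Proto: https` and the upstream is told the connection was secure; the `proxy_set_header` hunks in `_location.conf` and `proxy.conf` forward that value unchanged. Backends typically key HTTPS redirects, `Secure` cookie flags and generated URL schemes on this header, so it should be honoured only when the connection comes from a known proxy address and otherwise fall back to `$scheme`. The `~.+` pattern also passes any non-empty string, including list values such as `https, http`, where the map could emit only the literals `http` and `https`. A sketch of both restrictions follows; the CIDR is a constructed placeholder, and if the realip module rewrites `$remote_addr` the `geo` block would need to key on the original peer address instead.

```nginx
# Constructed example: list only the proxies that really sit in front of nginx.
geo $xfp_from_trusted_proxy {
    default        0;
    192.0.2.0/24   1;   # placeholder CIDR
}

# Honour X-Forwarded-Proto only from a trusted peer, and only for the two valid values.
map "$xfp_from_trusted_proxy:$http_x_forwarded_proto" $resolved_proto {
    default      $scheme;
    "1:http"     http;
    "1:https"    https;
}
```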