fix: detect HTTPS via CloudFront-injected header instead of ProxyFix

[dosaki]

Why

PR #6's ProxyFix-based fix was based on a wrong assumption about ALB behaviour and didn't actually flip the scheme. The OIDC redirect_uri the app generates is still `http://librarian.services.keyholding.com/auth/callback\` (the path part is fixed, the scheme isn't), and Keycloak rejects it with `Invalid parameter: redirect_uri`.

What was wrong

I assumed ALB would append to `X-Forwarded-Proto` like it does to `X-Forwarded-For`, producing `https,http` at the app, with `ProxyFix(x_proto=2)` picking the leftmost (`https`) value.

Actually: ALB with an HTTP listener replaces `X-Forwarded-Proto` with `http`, clobbering whatever CloudFront sent. The header at the app is just `http` (single value). `_get_real_value` returns `None` when `len(values) < trusted`, so ProxyFix did nothing — the WSGI scheme stayed `http`. Silent no-op, which is why the previous deploy looked like it worked but didn't.

Fix

Two parts that must both ship:

1. CloudFront — add an immutable origin custom header `X-Forwarded-Scheme: https` (modules/cloudfront/main.tf). Custom name (not `X-Forwarded-Proto`) sidesteps the ALB rewrite — ALB has no special handling for it, passes it through verbatim. Hard-coding `https` is safe because `viewer_protocol_policy = "redirect-to-https"` guarantees every request reaching origin came from an HTTPS viewer.
2. App — replace ProxyFix with a small WSGI middleware (app/init.py) that flips `wsgi.url_scheme` to `https` when the header is present. Local dev (no CloudFront, no header) is unaffected.

Why a custom header instead of fixing ProxyFix

There's no value of `x_proto` that makes ProxyFix work in this stack. ALB strips/replaces `X-Forwarded-Proto` regardless of upstream value, so the app never sees CloudFront's `https`. Reading from a non-standard header CloudFront injects directly is the deterministic fix; tuning ProxyFix can't get there.

Deploy sequence

```bash

1. Apply the CloudFront change so the header gets injected

cd terraform/main/envs/services
terraform apply

CloudFront edge propagation: 5–15 min

2. Force ECS to roll new tasks with the updated image

aws ecs update-service \
--region eu-west-1 \
--cluster librarian-services \
--service librarian-services-api \
--force-new-deployment
```

Either order is non-breaking; both must land before login goes green.

Test plan

• After deploy, hit `https://librarian.services.keyholding.com/\` → bounced to Keycloak with `redirect_uri=https%3A%2F%2F...%2Fauth%2Fcallback` (correct scheme and path).
• Sign in successfully and land on the library index.
• Quick diagnostic: `curl -sv https://librarian.services.keyholding.com/auth/login -o /dev/null 2>&1 | grep -i "^< location:"` — decode the `redirect_uri` query param to confirm the scheme.
• Local dev (no CloudFront): `docker compose up`, login still works against local Keycloak with http URLs.

🤖 Generated with Claude Code

[github-actions]

✅ Terraform Plan

Show plan

module.app.module.secrets.random_password.rds: Refreshing state... [id=none]
module.app.module.secrets.random_password.flask_secret_key: Refreshing state... [id=none]
module.app.module.cloudfront.aws_acm_certificate.this: Refreshing state... [id=arn:aws:acm:us-east-1:287917017203:certificate/ec77dd32-85ea-4c4d-9c57-44276512b85e]
module.app.data.aws_region.current: Reading...
module.app.module.ecs.aws_cloudwatch_log_group.api: Refreshing state... [id=/ecs/librarian-services/api]
module.app.module.ecs.aws_iam_role.ecs_task: Refreshing state... [id=librarian-services-ecs-task]
module.app.module.vpc.data.aws_ec2_managed_prefix_list.cloudfront: Reading...
module.app.module.vpc.aws_vpc.this: Refreshing state... [id=vpc-02acfa95215273b1a]
module.app.module.ecs.aws_ecs_cluster.this: Refreshing state... [id=arn:aws:ecs:eu-west-1:287917017203:cluster/librarian-services]
module.app.module.secrets.aws_kms_key.secrets: Refreshing state... [id=5082d3c6-6e61-4214-953d-9eff08efbe26]
module.app.data.aws_region.current: Read complete after 0s [id=eu-west-1]
module.app.module.ecs.aws_iam_role.ecs_execution: Refreshing state... [id=librarian-services-ecs-execution]
module.app.data.aws_route53_zone.this: Reading...
module.app.module.s3_uploads.aws_s3_bucket.this: Refreshing state... [id=tkc-librarian-uploads-services]
module.app.module.ecr.aws_ecr_repository.api: Refreshing state... [id=librarian-services-api]
module.app.module.rds.aws_kms_key.rds: Refreshing state... [id=f22fab6b-f703-4b2f-8954-35c4a29f8cca]
module.app.module.ecs.aws_iam_role_policy_attachment.ecs_execution: Refreshing state... [id=librarian-services-ecs-execution/arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy]
module.app.data.aws_route53_zone.this: Read complete after 0s [id=Z01465943T0FH4FSY39YX]
module.app.module.cloudfront.aws_route53_record.cert_validation["librarian.services.keyholding.com"]: Refreshing state... [id=Z01465943T0FH4FSY39YX__fc428249a28c1ad1ab6c0bd84b466f71.librarian.services.keyholding.com._CNAME]
module.app.module.cloudfront.aws_acm_certificate_validation.this: Refreshing state... [id=2026-05-01 07:16:18.356 +0000 UTC]
module.app.module.vpc.data.aws_ec2_managed_prefix_list.cloudfront: Read complete after 1s [id=pl-4fa04526]
module.app.module.ecr.aws_ecr_lifecycle_policy.api: Refreshing state... [id=librarian-services-api]
module.app.module.secrets.aws_secretsmanager_secret.rds: Refreshing state... [id=arn:aws:secretsmanager:eu-west-1:287917017203:secret:librarian-services/rds-master-1Pe4QF]
module.app.module.secrets.aws_secretsmanager_secret.oidc: Refreshing state... [id=arn:aws:secretsmanager:eu-west-1:287917017203:secret:librarian-services/oidc-dkSGf1]
module.app.module.secrets.aws_kms_alias.secrets: Refreshing state... [id=alias/librarian-services-secrets]
module.app.module.secrets.aws_secretsmanager_secret.flask: Refreshing state... [id=arn:aws:secretsmanager:eu-west-1:287917017203:secret:librarian-services/flask-hRr9DH]
module.app.module.rds.aws_kms_alias.rds: Refreshing state... [id=alias/librarian-services-rds]
module.app.module.secrets.aws_secretsmanager_secret_version.oidc: Refreshing state... [id=arn:aws:secretsmanager:eu-west-1:287917017203:secret:librarian-services/oidc-dkSGf1|terraform-20260508201754052000000002]
module.app.module.secrets.aws_secretsmanager_secret_version.flask: Refreshing state... [id=arn:aws:secretsmanager:eu-west-1:287917017203:secret:librarian-services/flask-hRr9DH|terraform-20260501071611668800000005]
module.app.module.secrets.aws_secretsmanager_secret_version.rds: Refreshing state... [id=arn:aws:secretsmanager:eu-west-1:287917017203:secret:librarian-services/rds-master-1Pe4QF|terraform-20260501071611658500000004]
module.app.module.ecs.aws_iam_role_policy.ecs_secrets: Refreshing state... [id=librarian-services-ecs-execution:librarian-services-ecs-secrets]
module.app.module.vpc.aws_internet_gateway.this: Refreshing state... [id=igw-0884aa16999920657]
module.app.module.vpc.aws_subnet.private[1]: Refreshing state... [id=subnet-09de5647eae05a3df]
module.app.module.vpc.aws_subnet.private[0]: Refreshing state... [id=subnet-0e3605c6355bd18df]
module.app.module.vpc.aws_subnet.public[1]: Refreshing state... [id=subnet-01ac333871ebe6e5a]
module.app.module.vpc.aws_route_table.public: Refreshing state... [id=rtb-07a1aa8f490842628]
module.app.module.vpc.aws_subnet.public[0]: Refreshing state... [id=subnet-00169ab5413130ed8]
module.app.module.vpc.aws_security_group.alb: Refreshing state... [id=sg-0b1fa429b4f2f3e2e]
module.app.module.alb.aws_lb_target_group.api: Refreshing state... [id=arn:aws:elasticloadbalancing:eu-west-1:287917017203:targetgroup/librarian-services-api/c101a5766af84f32]
module.app.module.vpc.aws_security_group.ecs: Refreshing state... [id=sg-0a0511e4b803ab1f5]
module.app.module.alb.aws_lb.this: Refreshing state... [id=arn:aws:elasticloadbalancing:eu-west-1:287917017203:loadbalancer/app/librarian-services/0f38a5e21d340de7]
module.app.module.vpc.aws_route_table_association.public[0]: Refreshing state... [id=rtbassoc-0ad19c3756bd97dfe]
module.app.module.vpc.aws_route_table_association.public[1]: Refreshing state... [id=rtbassoc-0fc8cdac0f4250a1d]
module.app.module.vpc.aws_route.public_internet: Refreshing state... [id=r-rtb-07a1aa8f4908426281080289494]
module.app.module.vpc.aws_security_group.rds: Refreshing state... [id=sg-0ae84cafda9660d19]
module.app.module.rds.aws_db_subnet_group.this: Refreshing state... [id=librarian-services]
module.app.module.s3_uploads.data.aws_iam_policy_document.public_read: Reading...
module.app.module.s3_uploads.aws_s3_bucket_public_access_block.this: Refreshing state... [id=tkc-librarian-uploads-services]
module.app.module.s3_uploads.data.aws_iam_policy_document.put_object: Reading...
module.app.module.s3_uploads.aws_s3_bucket_server_side_encryption_configuration.this: Refreshing state... [id=tkc-librarian-uploads-services]
module.app.module.s3_uploads.data.aws_iam_policy_document.public_read: Read complete after 0s [id=3797438981]
module.app.module.s3_uploads.data.aws_iam_policy_document.put_object: Read complete after 0s [id=732345744]
module.app.module.s3_uploads.aws_s3_bucket_cors_configuration.this: Refreshing state... [id=tkc-librarian-uploads-services]
module.app.module.s3_uploads.aws_iam_policy.put_object: Refreshing state... [id=arn:aws:iam::287917017203:policy/librarian-services-s3-uploads-put]
module.app.module.s3_uploads.aws_s3_bucket_lifecycle_configuration.this: Refreshing state... [id=tkc-librarian-uploads-services]
module.app.aws_iam_role_policy_attachment.ecs_task_s3_uploads: Refreshing state... [id=librarian-services-ecs-task/arn:aws:iam::287917017203:policy/librarian-services-s3-uploads-put]
module.app.module.s3_uploads.aws_s3_bucket_policy.this: Refreshing state... [id=tkc-librarian-uploads-services]
module.app.module.alb.aws_lb_listener.http: Refreshing state... [id=arn:aws:elasticloadbalancing:eu-west-1:287917017203:listener/app/librarian-services/0f38a5e21d340de7/e53d113a9ffbcdca]
module.app.module.cloudfront.aws_cloudfront_distribution.this: Refreshing state... [id=E112G77GVDUPHT]
module.app.module.rds.aws_db_instance.this: Refreshing state... [id=db-WDSBTCMQJ6DWQUDCPK3GM7EDIA]
module.app.module.ecs.aws_ecs_task_definition.api: Refreshing state... [id=librarian-services-api]
module.app.module.cloudfront.aws_route53_record.a: Refreshing state... [id=Z01465943T0FH4FSY39YX_librarian.services.keyholding.com_A]
module.app.module.cloudfront.aws_route53_record.aaaa: Refreshing state... [id=Z01465943T0FH4FSY39YX_librarian.services.keyholding.com_AAAA]
module.app.module.ecs.aws_ecs_service.api: Refreshing state... [id=arn:aws:ecs:eu-west-1:287917017203:service/librarian-services/librarian-services-api]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.app.module.cloudfront.aws_cloudfront_distribution.this will be updated in-place
  ~ resource "aws_cloudfront_distribution" "this" {
        id                              = "E112G77GVDUPHT"
        tags                            = {}
        # (24 unchanged attributes hidden)

      - origin {
          - connection_attempts         = 3 -> null
          - connection_timeout          = 10 -> null
          - domain_name                 = "librarian-services-16258188.eu-west-1.elb.amazonaws.com" -> null
          - origin_id                   = "librarian-services-alb-origin" -> null
          - response_completion_timeout = 0 -> null
            # (2 unchanged attributes hidden)

          - custom_origin_config {
              - http_port                = 80 -> null
              - https_port               = 443 -> null
              - origin_keepalive_timeout = 5 -> null
              - origin_protocol_policy   = "http-only" -> null
              - origin_read_timeout      = 30 -> null
              - origin_ssl_protocols     = [
                  - "TLSv1.2",
                ] -> null
                # (1 unchanged attribute hidden)
            }
        }
      + origin {
          + connection_attempts         = 3
          + connection_timeout          = 10
          + domain_name                 = "librarian-services-16258188.eu-west-1.elb.amazonaws.com"
          + origin_id                   = "librarian-services-alb-origin"
          + response_completion_timeout = (known after apply)
            # (2 unchanged attributes hidden)

          + custom_header {
              + name  = "X-Forwarded-Scheme"
              + value = "https"
            }

          + custom_origin_config {
              + http_port                = 80
              + https_port               = 443
              + origin_keepalive_timeout = 5
              + origin_protocol_policy   = "http-only"
              + origin_read_timeout      = 30
              + origin_ssl_protocols     = [
                  + "TLSv1.2",
                ]
                # (1 unchanged attribute hidden)
            }
        }

        # (3 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.
Releasing state lock. This may take a few moments...

[Copilot]

Pull request overview

Updates the production deployment to reliably generate https:// external URLs (notably OIDC redirect_uri) when running behind CloudFront → ALB(HTTP) → ECS, by using a CloudFront-injected header rather than relying on ProxyFix and X-Forwarded-Proto.

Changes:

• Add a CloudFront origin custom header X-Forwarded-Scheme: https to preserve viewer scheme past the ALB.
• Replace ProxyFix with a small WSGI middleware that flips wsgi.url_scheme to https when the CloudFront header is present.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
terraform/main/modules/cloudfront/main.tf	Injects X-Forwarded-Scheme: https as an origin custom header so the app can detect HTTPS deterministically.
app/init.py	Swaps ProxyFix for a targeted middleware that sets wsgi.url_scheme based on the CloudFront header.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.