Seq OIDC redirect_uri stays http when deployed behind reverse proxy

[pengqian089]

I’m running Seq 2024.3 in Docker with the following command:

sudo docker run \
  --name seq \
  -d \
  --restart unless-stopped \
  -e ACCEPT_EULA=Y \
  -e SEQ_BASEURI=https://logs.example.com \
  -e SEQ_TRUSTEDPROXIES=0.0.0.0/0 \
  -v /home/ubuntu/seq/data:/data \
  -p 2370:80 \
  -p 5341:5341 \
 datalust/seq

Seq sits behind a Caddy reverse proxy that terminates TLS:

logs.example.com {
    reverse_proxy localhost:2370
}

OpenID Connect is provided by https://auth.example.com. The client registration at the auth server uses the redirect URI https://logs.example.com/oidc/callback.

Despite setting SEQ_BASEURI, Seq still generates authorization requests with an http:// redirect URI:

https://auth.example.com/connect/authorize?client_id=seq&redirect_uri=http%3A%2F%2Flogs.example.com%2Foidc%2Fcallback&...

As a result, the authorization server rejects the request because only the HTTPS redirect URI is registered.
What I have verified so far:

• Removed the old container, recreated it with the environment variables above.
• docker exec seq printenv | grep SEQ_ shows both SEQ_BASEURI=https://logs.example.com and SEQ_TRUSTEDPROXIES=0.0.0.0/0.
• Seq’s startup log still reports it is listening on ["http://localhost/", "https://localhost/", "http://localhost:5341/", "https://localhost:45341/"].
• During the authorization-code exchange, Seq flashes:

invalid_grant / The specified 'redirect_uri' parameter doesn't match the client redirection URI the authorization code was initially sent to.

• I haven’t yet confirmed whether Caddy is really sending the X-Forwarded-Proto and X-Forwarded-Host headers; I’m not sure of the best way to check this.

Is there any way to force Seq to honour the HTTPS base URI (or explicitly set the OIDC callback), or guidance on verifying that Caddy is forwarding the required headers so Seq will treat the external scheme as HTTPS? Any help would be appreciated.

[liammclennan]

Have a look at the Seq OIDC docs. Try setting SEQ_API_CANONICALURI.

[wasabii]

Does Seq not handle proxy headers?

[KodrAus]

@wasabii It doesn't currently, no. It seems like something we could allow you to opt-in to respecting though as an alternative to setting a canonical URI.