fix: configure nginx to handle Cloudflare Flexible SSL mode without redirect loop

- Support X-Forwarded-Proto header from Cloudflare
- HTTP server now serves traffic when X-Forwarded-Proto: https is set
- Prevents redirect loop when Cloudflare uses Flexible SSL mode
- Maintains HTTPS redirect for direct HTTP access

backend/nginx.conf

@@ -47,7 +47,7 @@ http {
         keepalive 32;
     }
 
-    # HTTP redirect to HTTPS
+    # HTTP server - handles both Let's Encrypt and Cloudflare Flexible SSL
     server {
         listen 80;
         server_name mtd.runfoo.run www.mtd.runfoo.run;
@@ -57,10 +57,64 @@ http {
             root /var/www/certbot;
         }
 
-        # Redirect all other traffic to HTTPS
+        # For Cloudflare Flexible SSL: if X-Forwarded-Proto is https, serve the app
+        # Otherwise redirect to HTTPS (for direct HTTP access)
         location / {
+            # Check if coming from Cloudflare with HTTPS
+            set $redirect_to_https 1;
+            if ($http_x_forwarded_proto = "https") {
+                set $redirect_to_https 0;
+            }
+
+            # Redirect direct HTTP to HTTPS
+            if ($redirect_to_https = 1) {
                 return 301 https://$server_name$request_uri;
             }
+
+            # Cloudflare Flexible SSL: serve through proxy
+            proxy_pass http://frontend:3000;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection 'upgrade';
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto https;
+            proxy_cache_bypass $http_upgrade;
+        }
+
+        # API endpoints for Cloudflare Flexible SSL
+        location /api/v1/ {
+            proxy_pass http://api;
+            proxy_http_version 1.1;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto https;
+            proxy_set_header Connection "";
+            proxy_redirect off;
+        }
+
+        location /docs {
+            proxy_pass http://api;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto https;
+        }
+
+        location /redoc {
+            proxy_pass http://api;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto https;
+        }
+
+        location /openapi.json {
+            proxy_pass http://api;
+            proxy_set_header Host $host;
+        }
     }
 
     # HTTPS API server