From 49fda95f1544ff81ea871468214576bd5dc4b275 Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Tue, 7 Apr 2026 00:25:18 +0200
Subject: [PATCH] fix: use localhost for ADMIN_ENDPOINT, rely on
 TRUST_PROXY_HEADER

ADMIN_ENDPOINT=http://localhost:3002 for Logto self-calls.
TRUST_PROXY_HEADER makes Logto use X-Forwarded-Proto from Traefik
to generate HTTPS URLs for browser-facing OIDC flows.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 docker-compose.yml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index f3ae821..57df218 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -67,7 +67,7 @@ services:
     environment:
       DB_URL: postgres://${POSTGRES_USER:-cameleer}:${POSTGRES_PASSWORD:-cameleer_dev}@postgres:5432/logto
       ENDPOINT: ${PUBLIC_PROTOCOL:-https}://${PUBLIC_HOST:-localhost}
-      ADMIN_ENDPOINT: http://${PUBLIC_HOST:-localhost}:3002
+      ADMIN_ENDPOINT: http://localhost:3002
       TRUST_PROXY_HEADER: 1
     healthcheck:
       test: ["CMD-SHELL", "node -e \"require('http').get('http://localhost:3001/oidc/.well-known/openid-configuration', r => process.exit(r.statusCode === 200 ? 0 : 1)).on('error', () => process.exit(1))\""]
@@ -88,9 +88,7 @@ services:
       - traefik.http.routers.logto-console.service=logto-console
       - traefik.http.services.logto-console.loadbalancer.server.port=3002
     networks:
-      cameleer:
-        aliases:
-          - ${PUBLIC_HOST:-localhost}
+      - cameleer
 
   logto-bootstrap:
     image: postgres:16-alpine