Add HTTP to HTTPS redirect in nginx gateway #24
When global.publicUrl uses HTTPS, nginx now returns a 301 redirect for requests arriving over plain HTTP. The redirect is detected via the X-Forwarded-Proto header set by TLS-terminating load balancers and ingress controllers.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
This PR updates the Helm chart’s nginx gateway configuration to conditionally redirect requests to HTTPS when global.publicUrl is configured with an https:// URL, using X-Forwarded-Proto to detect the original scheme behind a TLS-terminating proxy.
Changes:
- Add a conditional nginx `if` block to return a permanent redirect to HTTPS when `X-Forwarded-Proto` indicates `http`.
| {{- if include "openops.isHttps" . }} | ||
| # Redirect HTTP to HTTPS when behind a TLS-terminating load balancer | ||
| if ($http_x_forwarded_proto = "http") { | ||
| return 301 https://$host$request_uri; |
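Review bot: the condition `$http_x_forwarded_proto = "http"` is an exact, case-sensitive match, so a request that reaches nginx without the header (direct access that bypasses the load balancer, or a proxy that does not set it) or with a chained value such as `http,https` is served over plain HTTP with no redirect at all. Normalize the header first, for example with a `map` that takes the first element case-insensitively, and document in the chart that the upstream proxy must set `X-Forwarded-Proto` itself and overwrite rather than pass through whatever the client sent, since the redirect decision is only as trustworthy as that header.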
return 301 may cause some clients/browsers to change non-GET/HEAD requests into a GET when following the redirect (dropping the request body). For an HTTP→HTTPS upgrade redirect this can break POST/PUT API calls; consider using a 308 (or 307) redirect to preserve method and body semantics.
| return 301 https://$host$request_uri; | |
| return 308 https://$host$request_uri; |
| {{- if include "openops.isHttps" . }} | ||
| # Redirect HTTP to HTTPS when behind a TLS-terminating load balancer | ||
| if ($http_x_forwarded_proto = "http") { | ||
| return 301 https://$host$request_uri; |
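Review bot: `{{- if include "openops.isHttps" . }}` tests the string returned by the helper, and Go templates treat any non-empty string as true, so the block is rendered whenever the helper emits anything at all, including a literal `false`. Make sure `openops.isHttps` returns an empty string for a non-HTTPS `global.publicUrl` (or compare explicitly, e.g. `{{- if eq (include "openops.isHttps" .) "true" }}`), and add a chart unit test with an `http://` publicUrl to confirm the redirect block is omitted.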
The redirect target uses $host, which is derived from the client-supplied Host header and also strips any port. This can lead to (a) redirects to an attacker-controlled host if Host is spoofed, and (b) broken redirects when global.publicUrl uses a non-443 HTTPS port. Prefer redirecting to the configured canonical host/port derived from global.publicUrl (or a trusted variable like $server_name if it matches the external hostname) rather than $host.
| return 301 https://$host$request_uri; | |
| return 301 https://$server_name$request_uri; |
When `global.publicUrl` uses HTTPS, nginx now returns a 301 redirect for requests arriving over plain HTTP. The redirect is detected via the `X-Forwarded-Proto` header set by TLS-terminating load balancers and ingress controllers.

The redirect block is conditionally rendered only when `global.publicUrl` starts with `https://`, so it has no effect on HTTP-only deployments.

Resolves CI-175