Google rejects the OAuth flow because Django generates redirect_uri=http://internal.flagsmith.com/.... Root cause: Django's SECURE_PROXY_SSL_HEADER_NAME is set to HTTP_CLOUDFRONT_FORWARDED_PROTO, but internal.flagsmith.com goes ALB → ECS with no CloudFront in the path, so the header isn't present and Django falls back to http.
Fix is to trust the standard X-Forwarded-Proto header, which both ALBs set. This requires the public ALB's listener to be HTTPS so CloudFront→ALB doesn't stamp http, overriding CloudFront's value.
Changes
SECURE_PROXY_SSL_HEADER_NAME to HTTP_X_FORWARDED_PROTO in admin-api task def
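An added illustration, not part of the original PR or of Flagsmith's code: a simplified Python model of how Django picks the request scheme when a proxy SSL header is configured, run over constructed headers for the request paths described above. The callback path, the public hostname and the header values (including the internal ALB reporting https) are assumptions.

```python
# Simplified model of Django's scheme selection with SECURE_PROXY_SSL_HEADER.
# Added example, not Django's or Flagsmith's own code.

def resolve_scheme(meta, proxy_ssl_header, wire_scheme="http"):
    """Return the scheme the app would report for a request.

    meta             -- WSGI-style header dict (HTTP_* keys)
    proxy_ssl_header -- (header_name, secure_value) tuple, or None
    wire_scheme      -- scheme of the last hop; ALB -> ECS is plain http
    """
    if proxy_ssl_header:
        name, secure_value = proxy_ssl_header
        value = meta.get(name)
        if value is not None:
            # Only the first comma-separated value is compared.
            first = value.split(",", 1)[0].strip()
            return "https" if first == secure_value else "http"
    # Header absent: fall back to the scheme of the connection itself.
    return wire_scheme


def redirect_uri(meta, proxy_ssl_header, path="/oauth/callback/"):
    # path is a hypothetical callback path, used only for illustration
    scheme = resolve_scheme(meta, proxy_ssl_header)
    return f"{scheme}://{meta['HTTP_HOST']}{path}"


BEFORE = ("HTTP_CLOUDFRONT_FORWARDED_PROTO", "https")  # old setting
AFTER = ("HTTP_X_FORWARDED_PROTO", "https")            # setting after the fix

# Constructed request headers for each path.
INTERNAL = {  # ALB -> ECS, no CloudFront header present
    "HTTP_HOST": "internal.flagsmith.com",
    "HTTP_X_FORWARDED_PROTO": "https",
}
PUBLIC_HTTPS_LISTENER = {  # CloudFront -> ALB over HTTPS (placeholder host)
    "HTTP_HOST": "app.example.com",
    "HTTP_CLOUDFRONT_FORWARDED_PROTO": "https",
    "HTTP_X_FORWARDED_PROTO": "https",
}
PUBLIC_HTTP_LISTENER = {  # CloudFront -> ALB over HTTP: the ALB stamps http
    "HTTP_HOST": "app.example.com",
    "HTTP_CLOUDFRONT_FORWARDED_PROTO": "https",
    "HTTP_X_FORWARDED_PROTO": "http",
}

if __name__ == "__main__":
    for label, meta in [("internal", INTERNAL), ("public/https", PUBLIC_HTTPS_LISTENER),
                        ("public/http", PUBLIC_HTTP_LISTENER)]:
        print(label, redirect_uri(meta, BEFORE), redirect_uri(meta, AFTER))
```

Django's documentation warns that SECURE_PROXY_SSL_HEADER should only be set when the proxy in front of the app strips or overwrites that header on incoming requests, since otherwise a client can supply the value itself.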