docs: improve reverse proxy HTTPS detection and Swarm troubleshooting

- Add detailed HTTPS detection troubleshooting to REVERSE_PROXY.md - Explain X-Forwarded-Proto header requirement for nginx/Caddy/Apache - Add Docker Swarm troubleshooting section to UNIFIED_AGENT.md - Document how to force Docker runtime if auto-detection fails Based on customer feedback.
2026-02-18 00:17:39 +01:00 · 2026-01-07 18:23:48 +00:00
parent e4c17777d0
commit 8c4bef27f0
2 changed files with 63 additions and 1 deletions
--- a/docs/REVERSE_PROXY.md
+++ b/docs/REVERSE_PROXY.md
@@ -51,8 +51,37 @@ ProxyPassReverse / http://localhost:7655/

 ## ⚠️ Common Issues

+### "HTTPS: HTTP only" in Security Posture
+
+If your reverse proxy terminates SSL but Pulse shows "HTTPS: HTTP only" in Settings → Security:
+
+**Cause**: Pulse detects HTTPS in two ways:
+1. Direct TLS connection (`req.TLS != nil`)
+2. The `X-Forwarded-Proto: https` header
+
+If your proxy terminates SSL but doesn't forward this header, Pulse sees plain HTTP.
+
+**Fix**: Add the `X-Forwarded-Proto` header in your proxy config:
+
+```nginx
+# Nginx
+proxy_set_header X-Forwarded-Proto $scheme;
+```
+
+```caddy
+# Caddy (automatic, but explicit override if needed)
+header_up X-Forwarded-Proto {scheme}
+```
+
+```apache
+# Apache
+RequestHeader set X-Forwarded-Proto "https"
+```
+
+### Other Issues
+
 - **"Connection Lost"**: WebSocket upgrade failed. Check `Upgrade` and `Connection` headers.
 - **502 Bad Gateway**: Pulse is not running on port 7655.
 - **CORS Errors**: Do not add CORS headers in the proxy; Pulse handles them. Set **Settings → System → Network → Allowed Origins** or use `ALLOWED_ORIGINS` if needed.
- **OIDC redirects or HTTPS detection issues**: Ensure `X-Forwarded-Proto` is set to `https`.
+- **OIDC redirects fail**: Ensure `X-Forwarded-Proto` is set (see above).
 - **Wrong client IPs**: Set `PULSE_TRUSTED_PROXY_CIDRS` to your proxy IP/CIDR so `X-Forwarded-For` is trusted.
--- a/docs/UNIFIED_AGENT.md
+++ b/docs/UNIFIED_AGENT.md
@@ -287,3 +287,36 @@ systemctl status pulse-agent
 # macOS
 launchctl list | grep pulse
 ```
+
+### Docker Swarm Not Detected
+
+If your Docker Swarm cluster isn't being detected:
+
+1. **Check runtime detection**: Pulse disables Swarm for Podman. Look for "Podman runtime detected" in logs:
+   ```bash
+   journalctl -u pulse-agent | grep -i podman
+   ```
+
+2. **Force Docker runtime**: If auto-detection is incorrect:
+   ```bash
+   --docker-runtime docker
+   # Or set environment variable
+   PULSE_DOCKER_RUNTIME=docker
+   ```
+
+3. **Check Docker info**: Verify Swarm is active on the host:
+   ```bash
+   docker info | grep -i swarm
+   # Should show "Swarm: active"
+   ```
+
+4. **Check socket permissions**: The agent needs access to the Docker socket:
+   ```bash
+   ls -la /var/run/docker.sock
+   ```
+
+5. **Enable debug logging**: For more detail:
+   ```bash
+   LOG_LEVEL=debug journalctl -u pulse-agent -f
+   ```
+