diff --git a/services/web-ui/nginx.conf b/services/web-ui/nginx.conf
index e3b2e91..621112e 100644
--- a/services/web-ui/nginx.conf
+++ b/services/web-ui/nginx.conf
@@ -1,16 +1,25 @@
 # Map for proper WebSocket upgrade handling on the proxied locations below.
-# Without this, hardcoding `proxy_set_header Connection "upgrade"` puts nginx
-# into tunnel-mode for every request — which silently drops response headers
-# including Set-Cookie. That broke session-cookie auth on /api/v1/auth/login:
-# mam-api was issuing the cookie, web-ui's proxy was eating it before it
-# reached the browser. With this map, Connection is only set to "upgrade"
-# when the client actually requested an Upgrade (real WebSocket); otherwise
-# it's "close" and the response flows through normally.
+# Hardcoding `proxy_set_header Connection "upgrade"` puts nginx into tunnel-
+# mode for every request, which has caused subtle bugs in the past. This
+# variant only sets Connection: upgrade when the client actually requested
+# an Upgrade (real WebSocket); otherwise it's "close".
 map $http_upgrade $connection_upgrade {
     default upgrade;
     '' close;
 }
 
+# Forward the outer X-Forwarded-Proto when present; fall back to $scheme.
+# THIS IS WHY LOGIN WAS LOOPING: web-ui listens on port 80 inside the
+# container, so $scheme is always "http". With `proxy_set_header
+# X-Forwarded-Proto $scheme;`, mam-api saw http, decided req.secure=false,
+# and (because cookie.secure=true in production) silently refused to emit
+# the Set-Cookie at all. NPM correctly sends X-Forwarded-Proto: https on
+# the outer request — we just have to pass it through to mam-api.
+map $http_x_forwarded_proto $proxied_x_forwarded_proto { default $http_x_forwarded_proto; '' $scheme; }
+
 server {
     listen 80;
     server_name _;
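Review bot: The new `$proxied_x_forwarded_proto` map relays whatever `X-Forwarded-Proto` value arrives on the inbound request, so any client that can reach web-ui's port 80 without passing through NPM can send `X-Forwarded-Proto: https` over plain HTTP and mam-api will take `req.secure=true` — the `cookie.secure` guard the comment describes is then sidestepped and a Secure session cookie is issued over cleartext. The comment asserts NPM is always in front, but nothing in this file enforces that; whether port 80 is reachable directly depends on the compose/network setup, which is not visible here. I would only honor the header when the request comes from the proxy's network, accept just the two known values, and fall back to `$scheme` otherwise, as sketched below (the CIDR is a placeholder to be replaced with the network NPM actually reaches web-ui from). The `proxy_set_header X-Forwarded-Proto $proxied_x_forwarded_proto;` lines in the later hunks can stay unchanged.
```nginx
# Honor X-Forwarded-Proto only when the request came from the reverse proxy
# (NPM) in front of us; anything else falls back to $scheme ("http" here).
geo $remote_addr $trusted_proxy {
    default 0;
    172.18.0.0/16 1;   # placeholder: set to the network NPM reaches web-ui from
}

map "$trusted_proxy:$http_x_forwarded_proto" $proxied_x_forwarded_proto {
    default   $scheme;
    "1:https" https;
    "1:http"  http;
}
# … unchanged: server block …
```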
@@ -71,7 +80,7 @@ server {
     proxy_set_header Host $host;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-Proto $proxied_x_forwarded_proto;
     # Preserve Content-Type so multer receives the full multipart boundary (#74)
     proxy_set_header Content-Type $content_type;
     proxy_buffering off;
@@ -91,7 +100,7 @@ server {
     proxy_set_header Host $host;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-Proto $proxied_x_forwarded_proto;
     proxy_buffering off;
     proxy_request_buffering off;
 }
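Review bot: Both `proxy_set_header X-Forwarded-Proto $proxied_x_forwarded_proto;` lines now pass a client-controllable request header straight to mam-api, and the only place that records why this is acceptable (NPM being the sole thing that can reach port 80) is the comment at the top of the file, far from these uses. I would restate the assumption next to the first of the two lines: `# $proxied_x_forwarded_proto echoes the inbound X-Forwarded-Proto; safe only while port 80 is reachable solely via NPM`. The two `location` blocks these lines sit in both start outside the hunks. If the file has other proxied locations that still send `$scheme`, mam-api will see an inconsistent `req.secure` across endpoints — worth a grep, though that cannot be confirmed from the hunks shown.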