fix(docker): preserve forwarded proto/host in container nginx

When the official docker image is fronted by another reverse proxy that
terminates TLS, the container's inner nginx overwrote X-Forwarded-Proto
with its own $scheme (= http, because it listens on plain 80), breaking
CheckWebSocketOrigin's same-origin check on https deployments behind
e.g. Cloudflare or a host nginx.
Trust the inbound X-Forwarded-Proto/Host when present; fall back to
$scheme/$http_host only on direct connections.

resources/docker/nginx-ui.conf

@@ -3,17 +3,32 @@ map $http_upgrade $connection_upgrade {
     ''      close;
 }
 
+# Preserve X-Forwarded-Proto from an outer reverse proxy (e.g. host nginx
+# terminating TLS in front of this container). Only fall back to $scheme
+# when the inbound request did not carry the header.
+map $http_x_forwarded_proto $forwarded_proto {
+    default $http_x_forwarded_proto;
+    ''      $scheme;
+}
+
+# Same for X-Forwarded-Host: keep what the outer proxy stamped, otherwise
+# use the inbound Host header.
+map $http_x_forwarded_host $forwarded_host {
+    default $http_x_forwarded_host;
+    ''      $http_host;
+}
+
 server {
     listen       80;
     server_name  localhost;  # your domain here
     client_max_body_size 128M;  # maximum upload size
 
     location / {
-        proxy_set_header Host $host;
+        proxy_set_header Host $http_host;
         proxy_set_header   X-Real-IP            $remote_addr;
         proxy_set_header   X-Forwarded-For      $proxy_add_x_forwarded_for;
-        proxy_set_header   X-Forwarded-Proto    $scheme;
-        proxy_set_header   X-Forwarded-Host     $http_host;
+        proxy_set_header   X-Forwarded-Proto    $forwarded_proto;
+        proxy_set_header   X-Forwarded-Host     $forwarded_host;
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection $connection_upgrade;