May 2026

The redirect loop behind a tunnel

The reverse proxy's force-HTTPS setting conflicts with upstream TLS termination and causes a redirect loop. A config flag resolves it without touching the routing.

The site fails with ERR_TOO_MANY_REDIRECTS. The browser loops between http and https and never settles. Nothing in the application code redirects. The culprit is lower down.

Two layers both forcing HTTPS

TLS is terminated upstream, by the tunnel or the CDN. To the reverse proxy, traffic arrives in cleartext over HTTP. The proxy has force-HTTPS enabled. It sees HTTP, believes the connection is insecure, and redirects to HTTPS.

The client goes back to the upstream over HTTPS, which terminates TLS and forwards HTTP to the proxy. The proxy redirects again. The loop is closed. The proxy does not know TLS already happened one hop up.

Disable redirection at the proxy layer

The fix is a config flag: turn off the reverse proxy's force-HTTPS, or make it honour the X-Forwarded-Proto header sent by the upstream. TLS termination stays where it belongs, at the edge.
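
The loop and the fix, as an added Python model of the two hops (not part of the original note and not any particular proxy's configuration): with a naive force-HTTPS rule the request never settles, and once the proxy honours X-Forwarded-Proto it settles after at most one redirect. The header is accepted only from an assumed edge address range, so a client reaching the proxy directly cannot assert `https` itself; the addresses, hostname, redirect limit and function names are all constructed for illustration.

```python
import ipaddress

# Constructed values: edge/tunnel address range, edge peer address, hostname.
TRUSTED_EDGE = ipaddress.ip_network("10.0.0.0/24")
EDGE_PEER = "10.0.0.5"
HOST = "example.test"
MAX_REDIRECTS = 20  # assumed client limit before it gives up


def effective_scheme(peer_ip, headers, honour_xfp):
    """Scheme the client used, as far as the proxy can tell."""
    if honour_xfp and ipaddress.ip_address(peer_ip) in TRUSTED_EDGE:
        # Only the trusted edge may assert the original scheme.
        proto = headers.get("X-Forwarded-Proto", "").split(",")[0].strip().lower()
        if proto in ("http", "https"):
            return proto
    return "http"  # the hop into the proxy itself is plain HTTP


def proxy_response(peer_ip, headers, honour_xfp):
    """Force-HTTPS rule at the reverse proxy: returns (status, Location)."""
    if effective_scheme(peer_ip, headers, honour_xfp) == "https":
        return 200, None
    return 301, f"https://{HOST}/"


def edge_forward(url):
    """Edge terminates TLS, forwards plain HTTP and records the scheme."""
    return EDGE_PEER, {"X-Forwarded-Proto": url.split("://", 1)[0]}


def browse(url, honour_xfp):
    """Follow redirects through edge and proxy the way a browser would."""
    redirects = 0
    while redirects <= MAX_REDIRECTS:
        status, location = proxy_response(*edge_forward(url), honour_xfp)
        if status == 200:
            return "ok", redirects
        url, redirects = location, redirects + 1
    return "ERR_TOO_MANY_REDIRECTS", redirects


if __name__ == "__main__":
    print(browse(f"https://{HOST}/", honour_xfp=False))  # loops
    print(browse(f"http://{HOST}/", honour_xfp=True))    # one redirect, then ok
    # Direct client outside the edge range claiming https: still redirected.
    print(proxy_response("203.0.113.9", {"X-Forwarded-Proto": "https"}, True))
```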

Routing by port helps keep roles clean. One port takes already-decrypted edge traffic, another serves direct internal use. Each entry point has an explicit TLS policy.

The principle: one layer terminates TLS, one layer redirects. When two layers both force HTTPS, they bounce the request back and forth forever.