Thanks for the details on your setup @Ray, very helpful! The GRIST_PROXY_AUTH_HEADER setting was contributed in Reverse proxy auth support by MHOOO · Pull Request #165 · gristlabs/grist-core · GitHub by Thomas Karolski and doesn’t cover signout (discussion here). I think support could be added by changing this function in MinimalLogin.ts:
to be more like the corresponding function in ForwardAuthLogin.ts:
I’d have expected that a ForwardAuthLogin setup like described in A template for self-hosting Grist with traefik and docker compose could have worked for you - but I see a note in its implementation that Redirection logic currently assumes a single-site installation and you have an o/orgname in your signed-out url that looks like you have a multi-site installation (GRIST_SINGLE_ORG not set). If that is the case, and you were willing to set GRIST_SINGLE_ORG, then you could perhaps use GRIST_FORWARD_AUTH_HEADER and GRIST_FORWARD_AUTH_LOGOUT_PATH to get this working without code changes.