Preserve front-end URL when UserFrosting is behind reverse proxy?

i’ve installed userFrosting behind a front-end nginx v1.19.2 proxy

the config’s straightforward

@ front-end proxy

server {

	listen xx.xx.xx.xx:443 ssl http2;
	server_name example.com;

	location /admin/users {

		proxy_ssl_verify on;
		proxy_ssl_verify_depth 2;
		proxy_ssl_certificate         "/srv/ssl/userfrosting.client.EC.crt";
		proxy_ssl_certificate_key     "/srv/ssl/userfrosting.client.EC.key";
		proxy_ssl_trusted_certificate "/srv/ssl/myCA_chain.crt";

		proxy_pass https://userfrosting.example.com/;
		proxy_ssl_server_name on;
		proxy_ssl_name userfrosting.example.com;

	}

@ UserFrosting backend

server {

	listen 10.0.0.1:443 ssl http2;
	server_name userfrosting.example.com;

	root /srv/UserFrosting/public/;
	index index.php;

	ssl_verify_client on;
	ssl_verify_depth 2;
	ssl_client_certificate "/srv/ssl/myCA_chain.crt";
	ssl_certificate        "/srv/ssl/userfrosting.server.EC.crt";
	ssl_certificate_key    "/srv/ssl/userfrosting.server.EC.key";

	location ~ /\. {
		deny all;
		access_log off;
		log_not_found off;
	}
	location ~ \.(php)$ {
		location ~ \..*/.*\.php$ {
			return 404;
		}
		fastcgi_split_path_info ^(.+\.php)(/.+)$;
		fastcgi_keep_conn on;
		fastcgi_pass phpfpm;
		fastcgi_index  index.php;
		fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
		include fastcgi.conf;
	}
	location ~* \.(png|gif|jpg|jpeg|svg|ico|css|js|woff|ttf|otf|woff2|eot)$ {
		include mime.types;
		expires max;
		index index.php;
		try_files $uri $uri/ /index.php?$query_string;
	}
	location / {
		include mime.types;
		index index.php;
		try_files $uri $uri/ /index.php?$query_string;
	}
}

both direct nav to the backend, from internal lan,

https://userfrosting.example.com

and to the proxy, via public IP,

https://example.com/admin/users

work as expected, presenting 1st UF login, then on-success access to the auth’d portal

when accessing via the front-end proxy, nav to

https://example.com/admin/users

brings up the “Welcome to UserFrosting!” generic page. The displayed URL remains

https://example.com/admin/users

All the links on the page refer instead to the backend server name,

https://userfrosting.example.com/account/sign-in

e.g., click on Sign-In redirects to

https://userfrosting.example.com/account/sign-in

and all subsequent page navs are at the same, backend path – exposing it to the ‘external’ visitor.

I suspect some change to proxy_pass et al is needed.

Above, the

	proxy_pass https://userfrosting.example.com/;
	proxy_ssl_server_name on;
	proxy_ssl_name userfrosting.example.com;

config is currently what I needed to keep the cert verification operational …

What config’s required to get the UF backend to use the proxy’s URL/paths AND preserve cert checking/verification ?