TL;DR

  • keep the portal hostname separate from the main app hostname
  • preserve Host and forwarded protocol headers across the proxy chain
  • make the application aware of both the main site URL and the portal URL
  • if redirects get strange, check proxy headers before blaming the app