Yep, that all works for front-end of the site. But when I go to the admin, it’s ignored.

for some reason the is_https in Director fails for CMS admin to detect

Unfortunately I have not had a whole lot of SS4 experience myself, so am a bit unsure on that one as well. But you shouldn't have to set alternate_base_tag or base_url or anything like that for SS4 to work with a proxy.

hmm, without alternate_base_tag forcing https the admin controller doesn’t understand the proxy headers for some reason

ok, removing explicitly mentioned protocol from ss_base_url does the trick to prepend https correctly to protocol agnostic base url

seems like adding the trusted proxy ip via .env did the trick without any further changes