diff --git a/app/main.py b/app/main.py
index a7abcd9..320bf53 100644
--- a/app/main.py
+++ b/app/main.py
@@ -296,8 +296,10 @@ async def auth_login_url(request: Request, redirect: str = "/"):
     """Keycloak-Login-URL für den Browser-Redirect."""
     if not _is_auth_enabled():
         return {"enabled": False, "url": ""}
-    # Construct absolute redirect URI
-    base = str(request.base_url).rstrip("/")
+    # Construct absolute redirect URI. Traefik terminiert TLS, deshalb
+    # sieht FastAPI http:// als base_url. Erzwinge https:// damit die
+    # redirect_uri zum Keycloak-Client-Config passt.
+    base = str(request.base_url).rstrip("/").replace("http://", "https://"  )
     url = keycloak_login_url(f"{base}{redirect}")
     return {"enabled": True, "url": url}