Thank you very much for this example. This works for me. By comparing the configs between this example and my configs, I suspect that the problem was in the tls_insecure settings. I got the TLS certificates for my domain, but I don't quite understand how they are used. Setting all tls_insecure to true and deleting unnecessary configs seem to work.
Now I can screen some suspicious JavaScript keywords. But I cannot fully prevent XSS attacks because the code can be obfuscated. How to identify such code is beyond my knowledge. If the online PDF viewer can be configured not to run any JavaScript code, I think it would be very helpful.
Then the only mystery left for me is that logging in with my desktop client shows a 403 code in the HTTP Proxy, but the web system looks fine… I described this issue in another thread: Desktop Client 403 Forbidden - Web and mobile are working - #9 by raphaelben55