Issuing...

curl -v -O "https://depot.haiku-os.org/__pkgicon/all.tar.gz"

...yields a redirect which is fine, but the redirect is to an http URL rather than a secure https URL. Because it redirects to http, the reverse-proxy is then redirecting again to https. If it redirected directly to https then it would avoid the HaikuDepot application making another request back into the server for each download during startup which may be a (possibly minor) performance improvement.

i think you would need to see

and add a check there if original request used https

The Haiku server system is using NGINX to reverse proxy. HDS runs in the Jetty application-server and I suspect it is fed by NGINX although I am unsure where the nginx.conf file really lives for this; probably not in the infrastructure project? In any case I need to verify that the correct protocol / scheme header is being relayed from the reverse-proxy back into the HDS application server. Here is the NGINX config for that;

proxy_set_header X-Forwarded-Proto $scheme;

Actually the Haiku server uses traefik, and it should by default add this header. Are you sure you are not getting it?

Thanks; I had assumed it wasn't coming in because it was not configured in the NGINX cfg but if it's another reverse proxy then I'll take a closer look at the application server end.