Mixed Content Issue in OnlyOffice when accessed through a Tunnel

[kerbymart]

I'm running a local OnlyOffice Workspace installation and making it publicly accessible through a tunnel (via pangolin). While the main site is reachable over HTTPS, the editor fails to load because the OnlyOffice SDK seems to be requesting a non-HTTPS (HTTP) endpoint, leading to a Mixed Content error.

I’m trying to figure out what might be causing these HTTP requests. Is there a configuration option—either in OnlyOffice or on the server side—that can force HTTPS usage for all requests? If anyone has encountered a similar issue or knows how to configure OnlyOffice to strictly use HTTPS.

sdk-all-min.js:543 Mixed Content: The page at 'https://onlyoffice-workspace.<TUNNEL_DOMAIN>/Products/Files/DocEditor.aspx?fileid=4' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://<SUBDOMAIN>.<TUNNEL_DOMAIN>/ds-vpath/cache/files/data/Vhk5wuA…&shardkey=VhkSwuAgFPO8Emav1hDKsEsPOdykuUA123Rzvc1xGU8_&filename=Editor.bin'. This request has been blocked; the content must be served over HTTPS.
Ya @ sdk-all-min.js:543

Additional issues encountered: |

Access to manifest at 'https://proxy.<TUNNEL_DOMAIN>/auth/resource/1?redirect=https%3A%2F%2Fonlyoffice-workspace.portpunch.lol%2Fmanifest.json' (redirected from 'https://onlyoffice-workspace.<TUNNEL_DOMAIN>/manifest.json') from origin 'https://onlyoffice-workspace.<TUNNEL_DOMAIN>' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.