diff --git a/app/oauth/callback/route.ts b/app/oauth/callback/route.ts
index 2fcdd0a..bb35ac7 100644
--- a/app/oauth/callback/route.ts
+++ b/app/oauth/callback/route.ts
@@ -164,7 +164,7 @@ export async function GET(request: NextRequest) {
     });
 
     // Redirect to the return URL
-    return NextResponse.redirect(new URL(returnUrl, request.url));
+    return NextResponse.redirect(new URL(returnUrl, baseUrl));
   } catch (err) {
     logger.error("OAuth callback error", err as Error, {
       code: code ? "[present]" : "[missing]",
diff --git a/proxy.ts b/proxy.ts
index 8d9bafc..a2826d8 100644
--- a/proxy.ts
+++ b/proxy.ts
@@ -33,7 +33,9 @@ export function proxy(request: NextRequest) {
   const token = request.cookies.get("token")?.value;
 
   if (!token) {
-    const loginUrl = new URL("/login", request.url);
+    // Use configured base URL when behind a reverse proxy, falling back to request origin for local dev.
+    const baseUrl = process.env.APP_BASE_URL ?? request.nextUrl.origin;
+    const loginUrl = new URL("/login", baseUrl);
     // Preserve the original URL for redirect after login (except for home page)
     if (pathname !== "/") {
       loginUrl.searchParams.set("redirect", encodeURIComponent(pathname));