How can Cerbos be made aware of it running behind ...
# help
s
How can Cerbos be made aware of it running behind a frontend proxy running TLS/HTTPS offload? So Cerbos is running on HTTP, but the clients use the HTTPS scheme to access the API.
c
Why do you need to make Cerbos aware that it's running behind a proxy? If you're thinking of audit logs, they record the x-forwarded-for header and you can configure Cerbos to record any other custom headers that identify the client as well. https://docs.cerbos.dev/cerbos/latest/configuration/audit.html
s
The links that are used in the /api playground are tied to the scheme that Cerbos thinks it’s running on. So in our case these fields target http://cerbos.domain/api/bla.
c
Oh you mean the Swagger API docs? I am afraid there's no way to change the scheme on that. It's meant to be used as a local development aid so we haven't considered adding any options to make it accessible over proxies and such.
s
Having a full-featured playground in there (with the policies in Cerbos preloaded but changeable for testing) would be helpful.
c
Noted. That's a common request and we have it in our list of things to do.
j
FYI, I use Istio to do TLS termination and Cerbos runs on HTTP inside my GKE cluster. I also use Istio to disable the Swagger docs. Alternatively, you could also get Istio to write a routing rule to redirect the user to the Cerbos public web page for API documentation, i.e. https://docs.cerbos.dev/cerbos/latest/api/index.html
Most ingress gateways in k8s can do the above.
@Charith (Cerbos) if you ever implement a playground, please make it optional during installation.
c
Absolutely. We are keen to keep the Cerbos contact area small so any optional features will always ship disabled by default.