From b9ed19f337a61fe3d767fa338270187929f2a978 Mon Sep 17 00:00:00 2001
From: Mitchell Kember <mk12360@gmail.com>
Date: Sat, 17 Aug 2024 23:55:13 -0700
Subject: [PATCH 01/16] Add -base-path flag

This allows self-hosting GoatCounter and reverse proxying it into a
subdirectory instead of hosting it on its own subdomain.

Fixes #707, #750
---
 cmd/goatcounter/serve.go               | 20 +++++++-
 context.go                             |  1 +
 handlers/bosmang.go                    |  4 +-
 handlers/dashboard.go                  |  5 +-
 handlers/handlers.go                   |  2 +
 handlers/i18n.go                       |  8 +--
 handlers/mw.go                         | 11 +++--
 handlers/redirect.go                   | 27 ++++++++++
 handlers/settings.go                   | 38 +++++++-------
 handlers/settings_user.go              |  8 +--
 handlers/user.go                       | 68 +++++++++++++-------------
 handlers/website.go                    | 28 +++++------
 public/backend.js                      | 11 +++--
 public/dashboard.js                    | 20 ++++----
 public/help.js                         |  6 ++-
 settings.go                            |  2 +-
 site.go                                | 21 +++++---
 tpl/_backend_bottom.gohtml             |  1 +
 tpl/_backend_signin.gohtml             |  4 +-
 tpl/_backend_top.gohtml                | 22 ++++-----
 tpl/_bottom_links.gohtml               |  6 +--
 tpl/_contact.gohtml                    |  2 +-
 tpl/_dashboard_configure_widget.gohtml |  2 +-
 tpl/_dashboard_hchart.gohtml           |  2 +-
 tpl/_dashboard_warn_collect.gohtml     |  2 +-
 tpl/_settings_nav.gohtml               | 14 +++---
 tpl/_top.gohtml                        |  4 +-
 tpl/_user_nav.gohtml                   |  8 +--
 tpl/bosmang_bgrun.gohtml               |  2 +-
 tpl/contact.gohtml                     |  2 +-
 tpl/dashboard.gohtml                   |  8 +--
 tpl/error.gohtml                       |  1 +
 tpl/help.gohtml                        |  4 +-
 tpl/home.gohtml                        | 16 +++---
 tpl/i18n_list.gohtml                   |  6 +--
 tpl/i18n_show.gohtml                   |  4 +-
 tpl/serve_newsite.gohtml               |  2 +-
 tpl/settings_delete.gohtml             |  2 +-
 tpl/settings_export.gohtml             |  8 +--
 tpl/settings_main.gohtml               |  6 +--
 tpl/settings_purge.gohtml              |  6 +--
 tpl/settings_server.gohtml             | 12 ++---
 tpl/settings_sites.gohtml              |  6 +--
 tpl/settings_users.gohtml              |  6 +--
 tpl/signup.gohtml                      |  2 +-
 tpl/totp.gohtml                        |  2 +-
 tpl/user_api.gohtml                    | 10 ++--
 tpl/user_auth.gohtml                   |  6 +--
 tpl/user_dashboard.gohtml              |  2 +-
 tpl/user_forgot_code.gohtml            |  2 +-
 tpl/user_forgot_pw.gohtml              |  2 +-
 tpl/user_pref.gohtml                   |  4 +-
 tpl/user_reset.gohtml                  |  2 +-
 widgets/browsers.go                    |  3 +-
 widgets/campaigns.go                   |  3 +-
 widgets/languages.go                   |  3 +-
 widgets/locations.go                   |  3 +-
 widgets/sizes.go                       |  3 +-
 widgets/systems.go                     |  3 +-
 59 files changed, 272 insertions(+), 216 deletions(-)
 create mode 100644 handlers/redirect.go

diff --git a/cmd/goatcounter/serve.go b/cmd/goatcounter/serve.go
index eaa2dd1ee..e828ed558 100644
--- a/cmd/goatcounter/serve.go
+++ b/cmd/goatcounter/serve.go
@@ -81,6 +81,11 @@ Flags:
   -public-port Port your site is publicly accessible on. Only needed if it's
                not 80 or 443.
 
+  -base-path   Base path to use in URLs sent back to the client. Default: "/".
+               You need this if you are reverse proxying GoatCounter into a
+               subdirectory of your website. This does not affect routing, since
+               it is assumed the reverse proxy will strip off the base path.
+
   -automigrate Automatically run all pending migrations on startup.
 
   -smtp        SMTP relay server, as URL (e.g. "smtp://user:pass@server").
@@ -164,6 +169,7 @@ func cmdServe(f zli.Flags, ready chan<- struct{}, stop chan struct{}) error {
 	var (
 		// TODO(depr): -port is for compat with <2.0
 		port         = f.Int(0, "public-port", "port").Pointer()
+		basePath     = f.String("/", "base-path").Pointer()
 		domainStatic = f.String("", "static").Pointer()
 	)
 	dbConnect, dbConn, dev, automigrate, listen, flagTLS, from, websocket, apiMax, err := flagsServe(f, &v)
@@ -171,11 +177,18 @@ func cmdServe(f zli.Flags, ready chan<- struct{}, stop chan struct{}) error {
 		return err
 	}
 
-	return func(port int, domainStatic string) error {
+	return func(port int, basePath, domainStatic string) error {
 		if flagTLS == "" {
 			flagTLS = map[bool]string{true: "http", false: "acme,rdr"}[dev]
 		}
 
+		if !strings.HasPrefix(basePath, "/") {
+			return fmt.Errorf("invalid -base-path flag: %q: must start with a slash", basePath)
+		}
+		if i := len(basePath) - 1; basePath[i] == '/' {
+			basePath = basePath[:i]
+		}
+
 		var domainCount, urlStatic string
 		if domainStatic != "" {
 			if p := strings.Index(domainStatic, ":"); p > -1 {
@@ -185,6 +198,8 @@ func cmdServe(f zli.Flags, ready chan<- struct{}, stop chan struct{}) error {
 			}
 			urlStatic = "//" + domainStatic
 			domainCount = domainStatic
+		} else {
+			urlStatic = basePath
 		}
 
 		//from := flagFrom(from, "cfg.Domain", &v)
@@ -206,6 +221,7 @@ func cmdServe(f zli.Flags, ready chan<- struct{}, stop chan struct{}) error {
 		c.DomainStatic = domainStatic
 		c.Dev = dev
 		c.URLStatic = urlStatic
+		c.BasePath = basePath
 		c.DomainCount = domainCount
 		c.Websocket = websocket
 
@@ -238,7 +254,7 @@ func cmdServe(f zli.Flags, ready chan<- struct{}, stop chan struct{}) error {
 			}
 			ready <- struct{}{}
 		})
-	}(*port, *domainStatic)
+	}(*port, *basePath, *domainStatic)
 }
 
 func doServe(ctx context.Context, db zdb.DB,
diff --git a/context.go b/context.go
index ec99117c9..6302f299e 100644
--- a/context.go
+++ b/context.go
@@ -42,6 +42,7 @@ type GlobalConfig struct {
 	Domain         string
 	DomainStatic   string
 	DomainCount    string
+	BasePath       string
 	URLStatic      string
 	Dev            bool
 	GoatcounterCom bool
diff --git a/handlers/bosmang.go b/handlers/bosmang.go
index 36930f0e0..8263f7928 100644
--- a/handlers/bosmang.go
+++ b/handlers/bosmang.go
@@ -32,7 +32,7 @@ func (h bosmang) mount(r chi.Router, db zdb.DB) {
 	a := r.With(mware.RequestLog(nil), requireAccess(goatcounter.AccessSuperuser))
 
 	r.Get("/bosmang", zhttp.Wrap(func(w http.ResponseWriter, r *http.Request) error {
-		return zhttp.MovedPermanently(w, "/settings/server")
+		return MovedPermanently(w, r, "/settings/server")
 	}))
 
 	a.Get("/bosmang/cache", zhttp.Wrap(h.cache))
@@ -98,7 +98,7 @@ func (h bosmang) runTask(w http.ResponseWriter, r *http.Request) error {
 	})
 
 	zhttp.Flash(w, "Task %q started", id)
-	return zhttp.SeeOther(w, "/bosmang/bgrun")
+	return SeeOther(w, r, "/bosmang/bgrun")
 }
 
 func (h bosmang) metrics(w http.ResponseWriter, r *http.Request) error {
diff --git a/handlers/dashboard.go b/handlers/dashboard.go
index 956c0f5ec..950e3ad11 100644
--- a/handlers/dashboard.go
+++ b/handlers/dashboard.go
@@ -110,10 +110,7 @@ func (h backend) dashboard(w http.ResponseWriter, r *http.Request) error {
 
 	cd := goatcounter.Config(r.Context()).DomainCount
 	if cd == "" {
-		cd = Site(r.Context()).Domain(r.Context())
-		if goatcounter.Config(r.Context()).Port != "" {
-			cd += ":" + goatcounter.Config(r.Context()).Port
-		}
+		cd = Site(r.Context()).SchemelessURL(r.Context())
 	}
 
 	args := widgets.Args{
diff --git a/handlers/handlers.go b/handlers/handlers.go
index fb9ee4ac0..4756e1677 100644
--- a/handlers/handlers.go
+++ b/handlers/handlers.go
@@ -60,6 +60,7 @@ type Globals struct {
 	User           *goatcounter.User
 	Site           *goatcounter.Site
 	Path           string
+	Base           string
 	Flash          *zhttp.FlashMessage
 	Static         string
 	StaticDomain   string
@@ -84,6 +85,7 @@ func newGlobals(w http.ResponseWriter, r *http.Request) Globals {
 		User:           goatcounter.GetUser(ctx),
 		Site:           goatcounter.GetSite(ctx),
 		Path:           r.URL.Path,
+		Base:           goatcounter.Config(ctx).BasePath,
 		Flash:          zhttp.ReadFlash(w, r),
 		Static:         goatcounter.Config(ctx).URLStatic,
 		Domain:         goatcounter.Config(ctx).Domain,
diff --git a/handlers/i18n.go b/handlers/i18n.go
index 5cd48d1ef..3c097f89b 100644
--- a/handlers/i18n.go
+++ b/handlers/i18n.go
@@ -140,7 +140,7 @@ func (h i18n) show(w http.ResponseWriter, r *http.Request) error {
 
 	return zhttp.Template(w, "i18n_show.gohtml", struct {
 		Globals
-		Base       msgfile.File
+		BaseFile   msgfile.File
 		File       msgfile.File
 		TOMLFile   string
 		FormatLink func(string) string
@@ -187,7 +187,7 @@ func (h i18n) new(w http.ResponseWriter, r *http.Request) error {
 	}
 
 	zhttp.Flash(w, "%q added", args.Language)
-	return zhttp.SeeOther(w, "/i18n")
+	return SeeOther(w, r, "/i18n")
 }
 
 func (h i18n) save(w http.ResponseWriter, r *http.Request) error {
@@ -266,7 +266,7 @@ func (h i18n) set(w http.ResponseWriter, r *http.Request) error {
 	}
 
 	zhttp.Flash(w, "language set to %q", lang)
-	return zhttp.SeeOther(w, "/i18n")
+	return SeeOther(w, r, "/i18n")
 }
 
 func (h i18n) submit(w http.ResponseWriter, r *http.Request) error {
@@ -294,5 +294,5 @@ func (h i18n) submit(w http.ResponseWriter, r *http.Request) error {
 	}()
 
 	zhttp.Flash(w, "email sent to support@goatcounter.com; I'll take a look as soon as possible.")
-	return zhttp.SeeOther(w, "/i18n/"+file)
+	return SeeOther(w, r, "/i18n/"+file)
 }
diff --git a/handlers/mw.go b/handlers/mw.go
index e8d4e822a..a855f7022 100644
--- a/handlers/mw.go
+++ b/handlers/mw.go
@@ -37,7 +37,7 @@ var Started time.Time
 var (
 	redirect = func(w http.ResponseWriter, r *http.Request) error {
 		zhttp.Flash(w, "Need to log in")
-		return guru.Errorf(303, "/user/new")
+		return guru.Errorf(303, goatcounter.Config(r.Context()).BasePath+"/user/new")
 	}
 
 	loggedIn = auth.Filter(func(w http.ResponseWriter, r *http.Request) error {
@@ -76,7 +76,7 @@ var (
 				Secure:   zhttp.CookieSecure,
 				SameSite: zhttp.CookieSameSite,
 			})
-			return guru.Errorf(303, "/")
+			return guru.Errorf(303, goatcounter.Config(r.Context()).BasePath+"/")
 		}
 		if c, err := r.Cookie("access-token"); err == nil && s.Settings.CanView(c.Value) {
 			return nil
@@ -220,7 +220,7 @@ func addctx(db zdb.DB, loadSite bool, dashTimeout int) func(http.Handler) http.H
 
 func noSites(db zdb.DB, w http.ResponseWriter, r *http.Request) {
 	if r.URL.Path != "/" {
-		w.Header().Set("Location", "/")
+		w.Header().Set("Location", goatcounter.Config(r.Context()).BasePath+"/")
 		w.WriteHeader(307)
 		return
 	}
@@ -290,7 +290,7 @@ func noSites(db zdb.DB, w http.ResponseWriter, r *http.Request) {
 			tplErr = errors.Unwrap(tplErr) // Remove "zdb.TX fn: "
 		}
 		if tplErr == nil && !v.HasErrors() {
-			zhttp.SeeOther(w, "/")
+			SeeOther(w, r, "/")
 		}
 	}
 
@@ -302,11 +302,12 @@ func noSites(db zdb.DB, w http.ResponseWriter, r *http.Request) {
 	}
 
 	err := zhttp.Template(w, "serve_newsite.gohtml", struct {
+		Globals
 		Validate *zvalidate.Validator
 		Error    error
 		Email    string
 		Cname    string
-	}{&v, tplErr, args.Email, args.Cname})
+	}{newGlobals(w, r), &v, tplErr, args.Email, args.Cname})
 	if err != nil {
 		zlog.Error(err)
 	}
diff --git a/handlers/redirect.go b/handlers/redirect.go
new file mode 100644
index 000000000..229a43b54
--- /dev/null
+++ b/handlers/redirect.go
@@ -0,0 +1,27 @@
+// Copyright © Martin Tournoij – This file is part of GoatCounter and published
+// under the terms of a slightly modified EUPL v1.2 license, which can be found
+// in the LICENSE file or at https://license.goatcounter.com
+
+package handlers
+
+import (
+	"fmt"
+	"net/http"
+
+	"zgo.at/goatcounter/v2"
+	"zgo.at/zhttp"
+)
+
+func MovedPermanently(w http.ResponseWriter, r *http.Request, path string) error {
+	if path == "" || path[0] != '/' {
+		panic(fmt.Sprintf("handlers.MovedPermantly: %q does not start with slash", path))
+	}
+	return zhttp.MovedPermanently(w, goatcounter.Config(r.Context()).BasePath+path)
+}
+
+func SeeOther(w http.ResponseWriter, r *http.Request, path string) error {
+	if path == "" || path[0] != '/' {
+		panic(fmt.Sprintf("handlers.SeeOther: %q does not start with slash", path))
+	}
+	return zhttp.SeeOther(w, goatcounter.Config(r.Context()).BasePath+path)
+}
diff --git a/handlers/settings.go b/handlers/settings.go
index 5737b54c3..a82a995d2 100644
--- a/handlers/settings.go
+++ b/handlers/settings.go
@@ -42,7 +42,7 @@ type settings struct{}
 func (h settings) mount(r chi.Router) {
 	{ // User settings.
 		r.Get("/user", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			zhttp.SeeOther(w, "/user/pref")
+			SeeOther(w, r, "/user/pref")
 		}))
 
 		r.Get("/user/pref", zhttp.Wrap(h.userPref(nil)))
@@ -63,7 +63,7 @@ func (h settings) mount(r chi.Router) {
 		set := r.With(requireAccess(goatcounter.AccessSettings))
 
 		set.Get("/settings", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			zhttp.SeeOther(w, "/settings/main")
+			SeeOther(w, r, "/settings/main")
 		}))
 		set.Get("/settings/main", zhttp.Wrap(func(w http.ResponseWriter, r *http.Request) error {
 			return h.main(nil)(w, r)
@@ -209,7 +209,7 @@ func (h settings) mainSave(w http.ResponseWriter, r *http.Request) error {
 	}
 
 	zhttp.Flash(w, T(r.Context(), "notify/saved|Saved!"))
-	return zhttp.SeeOther(w, "/settings")
+	return SeeOther(w, r, "/settings")
 }
 
 func (h settings) changeCode(w http.ResponseWriter, r *http.Request) error {
@@ -299,7 +299,7 @@ func (h settings) sitesAdd(w http.ResponseWriter, r *http.Request) error {
 		}
 
 		zhttp.Flash(w, T(r.Context(), "notify/restored-previously-deleted-site|Site ‘%(url)’ was previously deleted; restored site with all data.", newSite.URL(r.Context())))
-		return zhttp.SeeOther(w, "/settings/sites")
+		return SeeOther(w, r, "/settings/sites")
 	}
 
 	// Create new site.
@@ -317,11 +317,11 @@ func (h settings) sitesAdd(w http.ResponseWriter, r *http.Request) error {
 	})
 	if err != nil {
 		zhttp.FlashError(w, err.Error())
-		return zhttp.SeeOther(w, "/settings/sites")
+		return SeeOther(w, r, "/settings/sites")
 	}
 
 	zhttp.Flash(w, T(r.Context(), "notify/site-added|Site ‘%(url)’ added.", newSite.URL(r.Context())))
-	return zhttp.SeeOther(w, "/settings/sites")
+	return SeeOther(w, r, "/settings/sites")
 }
 
 func (h settings) getSite(ctx context.Context, id int64) (*goatcounter.Site, error) {
@@ -388,11 +388,11 @@ func (h settings) sitesRemove(w http.ResponseWriter, r *http.Request) error {
 		err = parent.ByID(r.Context(), *s.Parent)
 		if err != nil {
 			zlog.Error(err)
-			return zhttp.SeeOther(w, "/")
+			return SeeOther(w, r, "/")
 		}
-		return zhttp.SeeOther(w, parent.URL(r.Context()))
+		return SeeOther(w, r, parent.URL(r.Context()))
 	}
-	return zhttp.SeeOther(w, "/settings/sites")
+	return SeeOther(w, r, "/settings/sites")
 }
 
 func (h settings) sitesCopySettings(w http.ResponseWriter, r *http.Request) error {
@@ -436,7 +436,7 @@ func (h settings) sitesCopySettings(w http.ResponseWriter, r *http.Request) erro
 	}
 
 	zhttp.Flash(w, T(r.Context(), "notify/settings-copied-to-site|Settings copied to the selected sites."))
-	return zhttp.SeeOther(w, "/settings/sites")
+	return SeeOther(w, r, "/settings/sites")
 }
 
 func (h settings) purge(w http.ResponseWriter, r *http.Request) error {
@@ -486,7 +486,7 @@ func (h settings) purgeDo(w http.ResponseWriter, r *http.Request) error {
 	})
 
 	zhttp.Flash(w, T(r.Context(), "notify/started-background-process|Started in the background; may take about 10-20 seconds to fully process."))
-	return zhttp.SeeOther(w, "/settings/purge")
+	return SeeOther(w, r, "/settings/purge")
 }
 
 func (h settings) merge(w http.ResponseWriter, r *http.Request) error {
@@ -512,7 +512,7 @@ func (h settings) merge(w http.ResponseWriter, r *http.Request) error {
 	})
 
 	zhttp.Flash(w, T(r.Context(), "notify/started-background-process|Started in the background; may take about 10-20 seconds to fully process."))
-	return zhttp.SeeOther(w, "/settings/purge")
+	return SeeOther(w, r, "/settings/purge")
 }
 
 func (h settings) export(verr *zvalidate.Validator) zhttp.HandlerFunc {
@@ -548,7 +548,7 @@ func (h settings) exportDownload(w http.ResponseWriter, r *http.Request) error {
 	if err != nil {
 		if os.IsNotExist(err) {
 			zhttp.FlashError(w, T(r.Context(), "error/export-expired|It looks like there is no export yet or the export has expired."))
-			return zhttp.SeeOther(w, "/settings/export")
+			return SeeOther(w, r, "/settings/export")
 		}
 
 		return err
@@ -633,7 +633,7 @@ func (h settings) exportImport(w http.ResponseWriter, r *http.Request) error {
 	})
 
 	zhttp.Flash(w, T(r.Context(), "notify/import-started-in-background|Import started in the background; you’ll get an email when it’s done."))
-	return zhttp.SeeOther(w, "/settings/export")
+	return SeeOther(w, r, "/settings/export")
 }
 
 func (h settings) exportStart(w http.ResponseWriter, r *http.Request) error {
@@ -656,7 +656,7 @@ func (h settings) exportStart(w http.ResponseWriter, r *http.Request) error {
 		func() { export.Run(ctx, fp, true) })
 
 	zhttp.Flash(w, T(r.Context(), "notify/export-started-in-background|Export started in the background; you’ll get an email with a download link when it’s done."))
-	return zhttp.SeeOther(w, "/settings/export")
+	return SeeOther(w, r, "/settings/export")
 }
 
 func (h settings) delete(verr *zvalidate.Validator) zhttp.HandlerFunc {
@@ -713,7 +713,7 @@ func (h settings) deleteDo(w http.ResponseWriter, r *http.Request) error {
 	if err != nil {
 		return err
 	}
-	return zhttp.SeeOther(w, "https://"+goatcounter.Config(r.Context()).Domain)
+	return SeeOther(w, r, "https://"+goatcounter.Config(r.Context()).Domain)
 }
 
 func (h settings) users(verr *zvalidate.Validator) zhttp.HandlerFunc {
@@ -829,7 +829,7 @@ func (h settings) usersAdd(w http.ResponseWriter, r *http.Request) error {
 	})
 
 	zhttp.Flash(w, T(r.Context(), "notify/user-added|User ‘%(email)’ added.", newUser.Email))
-	return zhttp.SeeOther(w, "/settings/users")
+	return SeeOther(w, r, "/settings/users")
 }
 
 func (h settings) usersEdit(w http.ResponseWriter, r *http.Request) error {
@@ -887,7 +887,7 @@ func (h settings) usersEdit(w http.ResponseWriter, r *http.Request) error {
 	}
 
 	zhttp.Flash(w, T(r.Context(), "notify/users-edited|User ‘%(email)’ edited.", editUser.Email))
-	return zhttp.SeeOther(w, "/settings/users")
+	return SeeOther(w, r, "/settings/users")
 }
 
 func (h settings) usersRemove(w http.ResponseWriter, r *http.Request) error {
@@ -915,7 +915,7 @@ func (h settings) usersRemove(w http.ResponseWriter, r *http.Request) error {
 	}
 
 	zhttp.Flash(w, T(r.Context(), "notify/user-removed|User ‘%(email)’ removed.", user.Email))
-	return zhttp.SeeOther(w, "/settings/users")
+	return SeeOther(w, r, "/settings/users")
 }
 
 func (h settings) bosmang(w http.ResponseWriter, r *http.Request) error {
diff --git a/handlers/settings_user.go b/handlers/settings_user.go
index 647bfb1a2..77160431a 100644
--- a/handlers/settings_user.go
+++ b/handlers/settings_user.go
@@ -55,7 +55,7 @@ func (h settings) userPrefSave(w http.ResponseWriter, r *http.Request) error {
 
 	if oldFewerNums && !args.User.Settings.FewerNumbers && args.User.Settings.FewerNumbersLockUntil.After(ztime.Now()) {
 		zhttp.FlashError(w, "Nice try")
-		return zhttp.SeeOther(w, "/user/pref")
+		return SeeOther(w, r, "/user/pref")
 	}
 
 	if args.FewerNumbersLock != "" {
@@ -99,7 +99,7 @@ func (h settings) userPrefSave(w http.ResponseWriter, r *http.Request) error {
 	}
 
 	zhttp.Flash(w, T(r.Context(), "notify/saved|Saved!"))
-	return zhttp.SeeOther(w, "/user/pref")
+	return SeeOther(w, r, "/user/pref")
 }
 
 func (h settings) userDashboardWidget(w http.ResponseWriter, r *http.Request) error {
@@ -213,7 +213,7 @@ func (h settings) userDashboardSave(w http.ResponseWriter, r *http.Request) erro
 			return err
 		}
 		zhttp.Flash(w, T(r.Context(), "notify/reset-to-default|Reset to defaults!"))
-		return zhttp.SeeOther(w, "/user/dashboard")
+		return SeeOther(w, r, "/user/dashboard")
 	}
 
 	if len(args.Widgets) == 0 {
@@ -257,7 +257,7 @@ func (h settings) userDashboardSave(w http.ResponseWriter, r *http.Request) erro
 	}
 
 	zhttp.Flash(w, "Saved!")
-	return zhttp.SeeOther(w, "/user/dashboard")
+	return SeeOther(w, r, "/user/dashboard")
 }
 
 func (h settings) userAuth(verr *zvalidate.Validator) zhttp.HandlerFunc {
diff --git a/handlers/user.go b/handlers/user.go
index 5011aabb9..cfe0186ea 100644
--- a/handlers/user.go
+++ b/handlers/user.go
@@ -54,7 +54,7 @@ func (h user) mount(r chi.Router) {
 	rate.Post("/user/requestlogin", zhttp.Wrap(h.requestLogin))
 	r.Get("/user/requestlogin", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		// Redirect, as panic()s and such can end up here.
-		zhttp.SeeOther(w, "/user/new")
+		SeeOther(w, r, "/user/new")
 	}))
 	rate.Post("/user/totplogin", zhttp.Wrap(h.totpLogin))
 	rate.Get("/user/reset/{key}", zhttp.Wrap(h.reset))
@@ -76,7 +76,7 @@ func (h user) mount(r chi.Router) {
 func (h user) login(w http.ResponseWriter, r *http.Request) error {
 	u := User(r.Context())
 	if u != nil && u.ID > 0 {
-		return zhttp.SeeOther(w, "/")
+		return SeeOther(w, r, "/")
 	}
 
 	return zhttp.Template(w, "user.gohtml", struct {
@@ -88,7 +88,7 @@ func (h user) login(w http.ResponseWriter, r *http.Request) error {
 func (h user) forgot(w http.ResponseWriter, r *http.Request) error {
 	u := User(r.Context())
 	if u != nil && u.ID > 0 {
-		return zhttp.SeeOther(w, "/")
+		return SeeOther(w, r, "/")
 	}
 
 	return zhttp.Template(w, "user_forgot_pw.gohtml", struct {
@@ -102,7 +102,7 @@ func (h user) forgot(w http.ResponseWriter, r *http.Request) error {
 func (h user) requestReset(w http.ResponseWriter, r *http.Request) error {
 	u := User(r.Context())
 	if u != nil && u.ID > 0 {
-		return zhttp.SeeOther(w, "/")
+		return SeeOther(w, r, "/")
 	}
 
 	// Legacy email flow.
@@ -118,7 +118,7 @@ func (h user) requestReset(w http.ResponseWriter, r *http.Request) error {
 	if err != nil {
 		if zdb.ErrNoRows(err) {
 			zhttp.FlashError(w, T(r.Context(), "error/reset-user-no-account|Not an account on this site: %(email)", args.Email))
-			return zhttp.SeeOther(w, fmt.Sprintf("/user/new?email=%s", url.QueryEscape(args.Email)))
+			return SeeOther(w, r, fmt.Sprintf("/user/new?email=%s", url.QueryEscape(args.Email)))
 		}
 		return err
 	}
@@ -142,13 +142,13 @@ func (h user) requestReset(w http.ResponseWriter, r *http.Request) error {
 	})
 
 	zhttp.Flash(w, T(r.Context(), "notify/reset-user-sent|Email sent to %(email)", args.Email))
-	return zhttp.SeeOther(w, "/user/forgot")
+	return SeeOther(w, r, "/user/forgot")
 }
 
 func (h user) requestLogin(w http.ResponseWriter, r *http.Request) error {
 	u := User(r.Context())
 	if u != nil && u.ID > 0 { // Already logged in.
-		return zhttp.SeeOther(w, "/")
+		return SeeOther(w, r, "/")
 	}
 
 	args := struct {
@@ -165,14 +165,14 @@ func (h user) requestLogin(w http.ResponseWriter, r *http.Request) error {
 	if err != nil {
 		if zdb.ErrNoRows(err) {
 			zhttp.FlashError(w, T(r.Context(), "error/login-not-found|User %(email) not found", args.Email))
-			return zhttp.SeeOther(w, "/user/new")
+			return SeeOther(w, r, "/user/new")
 		}
 		return err
 	}
 
 	if user.Password == nil || len(user.Password) == 0 {
 		zhttp.FlashError(w, T(r.Context(), "error/login-no-password|There is no password set for %(email); please reset it", args.Email))
-		return zhttp.SeeOther(w, "/user/forgot?email="+url.QueryEscape(args.Email))
+		return SeeOther(w, r, "/user/forgot?email="+url.QueryEscape(args.Email))
 	}
 
 	err = bcrypt.CompareHashAndPassword(user.Password, []byte(args.Password))
@@ -183,7 +183,7 @@ func (h user) requestLogin(w http.ResponseWriter, r *http.Request) error {
 			zhttp.FlashError(w, "Something went wrong :-( An error has been logged for investigation.") // TODO: should be more generic
 			zlog.FieldsRequest(r).Error(err)
 		}
-		return zhttp.SeeOther(w, "/user/new?email="+url.QueryEscape(args.Email))
+		return SeeOther(w, r, "/user/new?email="+url.QueryEscape(args.Email))
 	}
 
 	err = user.Login(r.Context())
@@ -197,7 +197,7 @@ func (h user) requestLogin(w http.ResponseWriter, r *http.Request) error {
 	}
 
 	auth.SetCookie(w, *user.LoginToken, cookieDomain(Site(r.Context()), r))
-	return zhttp.SeeOther(w, "/")
+	return SeeOther(w, r, "/")
 }
 
 func (h user) totpLogin(w http.ResponseWriter, r *http.Request) error {
@@ -223,7 +223,7 @@ func (h user) totpLogin(w http.ResponseWriter, r *http.Request) error {
 	}
 	if !valid {
 		zhttp.Flash(w, T(r.Context(), "error/login-invalid|Invalid login"))
-		return zhttp.SeeOther(w, "/user/new")
+		return SeeOther(w, r, "/user/new")
 	}
 
 	tokInt, err := strconv.ParseInt(args.Token, 10, 32)
@@ -243,7 +243,7 @@ func (h user) totpLogin(w http.ResponseWriter, r *http.Request) error {
 	}
 
 	auth.SetCookie(w, *u.LoginToken, cookieDomain(Site(r.Context()), r))
-	return zhttp.SeeOther(w, "/")
+	return SeeOther(w, r, "/")
 }
 
 func (h user) totpForm(w http.ResponseWriter, r *http.Request, loginToken, loginMAC string) error {
@@ -297,7 +297,7 @@ func (h user) doReset(w http.ResponseWriter, r *http.Request) error {
 
 	if args.Password != args.Password2 {
 		zhttp.FlashError(w, T(r.Context(), "error/password-does-not-match|Password confirmation doesn’t match."))
-		return zhttp.SeeOther(w, "/user/new")
+		return SeeOther(w, r, "/user/new")
 	}
 
 	err = zdb.TX(r.Context(), func(ctx context.Context) error {
@@ -317,13 +317,13 @@ func (h user) doReset(w http.ResponseWriter, r *http.Request) error {
 		var vErr *zvalidate.Validator
 		if errors.As(err, &vErr) {
 			zhttp.FlashError(w, fmt.Sprintf("%s", err))
-			return zhttp.SeeOther(w, "/user/new")
+			return SeeOther(w, r, "/user/new")
 		}
 		return err
 	}
 
 	zhttp.Flash(w, T(r.Context(), "notify/login-after-password-reset|Password reset; use your new password to login."))
-	return zhttp.SeeOther(w, "/user/new")
+	return SeeOther(w, r, "/user/new")
 }
 
 func (h user) logout(w http.ResponseWriter, r *http.Request) error {
@@ -337,7 +337,7 @@ func (h user) logout(w http.ResponseWriter, r *http.Request) error {
 		}
 		if isBosmang {
 			auth.ClearCookie(w, Site(r.Context()).Domain(r.Context()))
-			return zhttp.SeeOther(w, "https://www.goatcounter.com")
+			return SeeOther(w, r, "https://www.goatcounter.com")
 		}
 	}
 
@@ -348,7 +348,7 @@ func (h user) logout(w http.ResponseWriter, r *http.Request) error {
 	}
 
 	auth.ClearCookie(w, Site(r.Context()).Domain(r.Context()))
-	return zhttp.SeeOther(w, "/")
+	return SeeOther(w, r, "/")
 }
 
 func (h user) disableTOTP(w http.ResponseWriter, r *http.Request) error {
@@ -359,7 +359,7 @@ func (h user) disableTOTP(w http.ResponseWriter, r *http.Request) error {
 	}
 
 	zhttp.Flash(w, T(r.Context(), "notify/disabled-multi-factor-auth|Multi-factor authentication disabled."))
-	return zhttp.SeeOther(w, "/user/auth")
+	return SeeOther(w, r, "/user/auth")
 }
 
 func (h user) enableTOTP(w http.ResponseWriter, r *http.Request) error {
@@ -385,7 +385,7 @@ func (h user) enableTOTP(w http.ResponseWriter, r *http.Request) error {
 		tokGen(-1, nil) != int32(tokInt) &&
 		tokGen(1, nil) != int32(tokInt) {
 		zhttp.FlashError(w, mfaError)
-		return zhttp.SeeOther(w, "/user/auth")
+		return SeeOther(w, r, "/user/auth")
 	}
 
 	err = u.EnableTOTP(r.Context())
@@ -394,7 +394,7 @@ func (h user) enableTOTP(w http.ResponseWriter, r *http.Request) error {
 	}
 
 	zhttp.Flash(w, T(r.Context(), "notify/multi-factor-auth-enabled|Multi-factor authentication enabled."))
-	return zhttp.SeeOther(w, "/user/auth")
+	return SeeOther(w, r, "/user/auth")
 }
 
 func (h user) changePassword(w http.ResponseWriter, r *http.Request) error {
@@ -416,13 +416,13 @@ func (h user) changePassword(w http.ResponseWriter, r *http.Request) error {
 		}
 		if !ok {
 			zhttp.FlashError(w, T(r.Context(), "error/incorrect-password|Current password is incorrect."))
-			return zhttp.SeeOther(w, "/user/auth")
+			return SeeOther(w, r, "/user/auth")
 		}
 	}
 
 	if args.Password != args.Password2 {
 		zhttp.FlashError(w, T(r.Context(), "error/password-does-not-match|Password confirmation doesn’t match."))
-		return zhttp.SeeOther(w, "/user/auth")
+		return SeeOther(w, r, "/user/auth")
 	}
 
 	err = u.UpdatePassword(r.Context(), args.Password)
@@ -430,32 +430,32 @@ func (h user) changePassword(w http.ResponseWriter, r *http.Request) error {
 		var vErr *zvalidate.Validator
 		if errors.As(err, &vErr) {
 			zhttp.FlashError(w, fmt.Sprintf("%s", err))
-			return zhttp.SeeOther(w, "/user/auth")
+			return SeeOther(w, r, "/user/auth")
 		}
 		return err
 	}
 
 	zhttp.Flash(w, T(r.Context(), "notify/password-changed|Password changed."))
-	return zhttp.SeeOther(w, "/user/auth")
+	return SeeOther(w, r, "/user/auth")
 }
 
 func (h user) resendVerify(w http.ResponseWriter, r *http.Request) error {
 	user := User(r.Context())
 	if user.EmailVerified {
 		zhttp.Flash(w, T(r.Context(), "notify/email-already-verified|%(email) is already verified.", user.Email))
-		return zhttp.SeeOther(w, "/")
+		return SeeOther(w, r, "/")
 	}
 
 	sendEmailVerify(r.Context(), Site(r.Context()), user, goatcounter.Config(r.Context()).EmailFrom)
 	zhttp.Flash(w, T(r.Context(), "notify/sent-to-email|Sent to %(email).", user.Email))
-	return zhttp.SeeOther(w, "/")
+	return SeeOther(w, r, "/")
 }
 
 func (h user) newAPIToken(w http.ResponseWriter, r *http.Request) error {
 	user := User(r.Context())
 	if !user.EmailVerified {
 		zhttp.Flash(w, T(r.Context(), "notify/need-email-verification-for-api|You need to verify your email before you can use the API."))
-		return zhttp.SeeOther(w, "/user/auth")
+		return SeeOther(w, r, "/user/auth")
 	}
 
 	var token goatcounter.APIToken
@@ -470,7 +470,7 @@ func (h user) newAPIToken(w http.ResponseWriter, r *http.Request) error {
 	}
 
 	zhttp.Flash(w, T(r.Context(), "notify/api-token-created|API token created."))
-	return zhttp.SeeOther(w, "/user/api")
+	return SeeOther(w, r, "/user/api")
 }
 
 func (h user) deleteAPIToken(w http.ResponseWriter, r *http.Request) error {
@@ -492,7 +492,7 @@ func (h user) deleteAPIToken(w http.ResponseWriter, r *http.Request) error {
 	}
 
 	zhttp.Flash(w, T(r.Context(), "notify/api-token-removed|API token removed."))
-	return zhttp.SeeOther(w, "/user/api")
+	return SeeOther(w, r, "/user/api")
 }
 
 func sendEmailVerify(ctx context.Context, site *goatcounter.Site, user *goatcounter.User, emailFrom string) {
@@ -521,12 +521,12 @@ func (h user) verify(w http.ResponseWriter, r *http.Request) error {
 
 	if user.EmailVerified {
 		zhttp.Flash(w, T(r.Context(), "notify/email-already-verified|%(email) is already verified.", user.Email))
-		return zhttp.SeeOther(w, "/")
+		return SeeOther(w, r, "/")
 	}
 
 	if key != *user.EmailToken {
 		zhttp.FlashError(w, T(r.Context(), "error/wrong-verification-key|Wrong verification key."))
-		return zhttp.SeeOther(w, "/")
+		return SeeOther(w, r, "/")
 	}
 
 	err = user.VerifyEmail(r.Context())
@@ -535,10 +535,10 @@ func (h user) verify(w http.ResponseWriter, r *http.Request) error {
 	}
 
 	zhttp.Flash(w, "%q verified", user.Email)
-	return zhttp.SeeOther(w, "/")
+	return SeeOther(w, r, "/")
 }
 
-// Make sure to use the currect cookie, since both "custom.example.com" and
+// Make sure to use the correct cookie, since both "custom.example.com" and
 // "example.goatcounter.com" will work if you're using a custom domain.
 func cookieDomain(site *goatcounter.Site, r *http.Request) string {
 	if r.Host == site.Domain(r.Context()) {
diff --git a/handlers/website.go b/handlers/website.go
index 9e9e0ce3e..25859203b 100644
--- a/handlers/website.go
+++ b/handlers/website.go
@@ -92,7 +92,7 @@ func (h website) Mount(r chi.Router, db zdb.DB, dev bool) {
 	}
 
 	r.Get("/translating", zhttp.Wrap(func(w http.ResponseWriter, r *http.Request) error {
-		return zhttp.MovedPermanently(w, "/help/translating")
+		return MovedPermanently(w, r, "/help/translating")
 	}))
 }
 
@@ -108,22 +108,22 @@ func (h website) MountShared(r chi.Router) {
 	r.Get("/contact", zhttp.Wrap(h.tpl))
 
 	r.Get("/terms", zhttp.Wrap(func(w http.ResponseWriter, r *http.Request) error {
-		return zhttp.MovedPermanently(w, "/help/terms")
+		return MovedPermanently(w, r, "/help/terms")
 	}))
 	r.Get("/privacy", zhttp.Wrap(func(w http.ResponseWriter, r *http.Request) error {
-		return zhttp.MovedPermanently(w, "/help/privacy")
+		return MovedPermanently(w, r, "/help/privacy")
 	}))
 	r.Get("/gdpr", zhttp.Wrap(func(w http.ResponseWriter, r *http.Request) error {
-		return zhttp.MovedPermanently(w, "/help/gdpr")
+		return MovedPermanently(w, r, "/help/gdpr")
 	}))
 	r.Get("/api", zhttp.Wrap(func(w http.ResponseWriter, r *http.Request) error {
-		return zhttp.MovedPermanently(w, "/help/api")
+		return MovedPermanently(w, r, "/help/api")
 	}))
 	r.Get("/code", zhttp.Wrap(func(w http.ResponseWriter, r *http.Request) error {
-		return zhttp.MovedPermanently(w, "/help")
+		return MovedPermanently(w, r, "/help")
 	}))
 	r.Get("/code/*", zhttp.Wrap(func(w http.ResponseWriter, r *http.Request) error {
-		return zhttp.MovedPermanently(w, "/help/"+chi.URLParam(r, "*"))
+		return MovedPermanently(w, r, "/help/"+chi.URLParam(r, "*"))
 	}))
 }
 
@@ -199,7 +199,7 @@ func (h website) contact(w http.ResponseWriter, r *http.Request) error {
 	}
 
 	zhttp.Flash(w, "Message sent!")
-	return zhttp.SeeOther(w, args.Return)
+	return SeeOther(w, r, args.Return)
 }
 
 func (h website) openAPI(w http.ResponseWriter, r *http.Request) error {
@@ -394,7 +394,7 @@ func (h website) doSignup(w http.ResponseWriter, r *http.Request) error {
 		}
 	})
 
-	return zhttp.SeeOther(w, fmt.Sprintf("%s/user/new", site.URL(r.Context())))
+	return zhttp.SeeOther(w, site.URL(r.Context())+"/user/new")
 }
 
 func (h website) forgot(err error, email, turingTest string) zhttp.HandlerFunc {
@@ -470,7 +470,7 @@ func (h website) doForgot(w http.ResponseWriter, r *http.Request) error {
 	})
 
 	zhttp.Flash(w, "List of login URLs mailed to %s", args.Email)
-	return zhttp.SeeOther(w, "/user/forgot")
+	return SeeOther(w, r, "/user/forgot")
 }
 
 func (h website) help(w http.ResponseWriter, r *http.Request) error {
@@ -481,16 +481,12 @@ func (h website) help(w http.ResponseWriter, r *http.Request) error {
 
 	dc := goatcounter.Config(r.Context()).DomainCount
 	if dc == "" {
-		dc = Site(r.Context()).Domain(r.Context())
-		port := goatcounter.Config(r.Context()).Port
-		if port != "" {
-			dc += port
-		}
+		dc = Site(r.Context()).SchemelessURL(r.Context())
 	}
 
 	cp := chi.URLParam(r, "*")
 	if cp == "" {
-		return zhttp.MovedPermanently(w, "/help/start")
+		return MovedPermanently(w, r, "/help/start")
 	}
 
 	{
diff --git a/public/backend.js b/public/backend.js
index 2bac0798d..ed95875b8 100644
--- a/public/backend.js
+++ b/public/backend.js
@@ -8,6 +8,7 @@
 	$(document).ready(function() {
 		window.I18N              = JSON.parse($('#js-i18n').text())
 		window.USER_SETTINGS     = JSON.parse($('#js-settings').text())
+		window.BASE_PATH         = $('#js-settings').attr('data-base-path') || ""
 		window.CSRF              = $('#js-settings').attr('data-csrf')
 		window.TZ_OFFSET         = parseInt($('#js-settings').attr('data-offset'), 10) || 0
 		window.SITE_FIRST_HIT_AT = $('#js-settings').attr('data-first-hit-at') * 1000
@@ -25,9 +26,9 @@
 	var report_errors = function() {
 		window.onerror = on_error
 		$(document).on('ajaxError', function(e, xhr, settings, err) {
-			if (settings.url === '/jserr')  // Just in case, otherwise we'll be stuck.
+			if (settings.url === BASE_PATH + '/jserr')  // Just in case, otherwise we'll be stuck.
 				return
-			if (settings.url === '/load-widget')
+			if (settings.url === BASE_PATH + '/load-widget')
 				return
 			var msg = T("error/load-url", {url: settings.url, error: err})
 			console.error(msg)
@@ -52,7 +53,7 @@
 			return
 
 		jQuery.ajax({
-			url:    '/jserr',
+			url:    BASE_PATH + '/jserr',
 			method: 'POST',
 			data:    {msg: msg, url: url, line: line, column: column, stack: (err||{}).stack, ua: navigator.userAgent, loc: window.location+''},
 		})
@@ -124,7 +125,7 @@
 			e.preventDefault()
 
 			jQuery.ajax({
-				url:     '/settings/main/ip',
+				url:     BASE_PATH + '/settings/main/ip',
 				success: function(data) {
 					var input   = $('[name="settings.ignore_ips"]'),
 						current = input.val().split(',').
@@ -192,7 +193,7 @@
 				return
 
 			jQuery.ajax({
-				url:     '/user/dashboard/widget/' + this.selectedOptions[0].value,
+				url:     BASE_PATH + '/user/dashboard/widget/' + this.selectedOptions[0].value,
 				success: function(data) {
 					var i    = 1 + $('.index').toArray().map((e) => parseInt(e.value, 10)).sort().pop(),
 						html = $(data.replace(/widgets([\[_])0([\]_])/g, `widgets$1${i}$2`))
diff --git a/public/dashboard.js b/public/dashboard.js
index 37cbdf141..b13e8f6c0 100644
--- a/public/dashboard.js
+++ b/public/dashboard.js
@@ -26,7 +26,7 @@
 			return
 
 		let cid  = $('#js-connect-id').text()
-		window.WEBSOCKET = new WebSocket((location.protocol === 'https:' ? 'wss://' : 'ws://') + document.location.host + '/loader?id=' + cid)
+		window.WEBSOCKET = new WebSocket((location.protocol === 'https:' ? 'wss://' : 'ws://') + document.location.host + BASE_PATH + '/loader?id=' + cid)
 		window.WEBSOCKET.onmessage = function(e) {
 			let msg = JSON.parse(e.data),
 				wid = $(`#dash-widgets div[data-widget=${msg.id}]`)
@@ -47,7 +47,7 @@
 				btn    = $(this),
 				pos    = btn.offset(),
 				wid    = btn.closest('[data-widget]').attr('data-widget'),
-				url    = '/user/dashboard/' + wid,
+				url    = BASE_PATH + '/user/dashboard/' + wid,
 				remove = function() {
 					pop.remove()
 					$(document.body).off('.unpop')
@@ -94,7 +94,7 @@
 		data['total']  = $('.js-total-utc').text()
 
 		jQuery.ajax({
-			url:  '/load-widget',
+			url:  BASE_PATH + '/load-widget',
 			type: 'get',
 			data: append_period(data),
 			success: function(data) {
@@ -112,7 +112,7 @@
 	// Reload all widgets on the dashboard.
 	var reload_dashboard = function(done) {
 		jQuery.ajax({
-			url:     '/',
+			url:     BASE_PATH + '/',
 			data:    append_period({
 				daily:     $('#daily').is(':checked'),
 				max:       get_original_scale(),
@@ -326,7 +326,7 @@
 
 			var done = paginate_button($(this), () => {
 				jQuery.ajax({
-					url:    '/user/view',
+					url:    BASE_PATH + '/user/view',
 					method: 'POST',
 					data: {
 						csrf:      CSRF,
@@ -387,7 +387,7 @@
 			$('.list-ref-pages').remove()
 			var done = paginate_button(btn, () => {
 				jQuery.ajax({
-					url: '/pages-by-ref',
+					url: BASE_PATH + '/pages-by-ref',
 					data: append_period({name: btn.text()}),
 					success: function(data) {
 						p.append(data.html)
@@ -677,7 +677,7 @@
 				pages = $(this).closest('.pages-list')
 			let done = paginate_button(btn, () => {
 				jQuery.ajax({
-					url:  '/load-widget',
+					url:  BASE_PATH + '/load-widget',
 					data: append_period({
 						widget:    pages.attr('data-widget'),
 						daily:     $('#daily').is(':checked'),
@@ -752,7 +752,7 @@
 			push_query({showrefs: path})
 			let done = paginate_button(btn , () => {
 				jQuery.ajax({
-					url:   '/load-widget',
+					url:   BASE_PATH + '/load-widget',
 					data: append_period({
 						widget: widget,
 						key:    path,
@@ -806,7 +806,7 @@
 				rows.data('pagesize', rows.children().length)
 			let done = paginate_button($(this), () => {
 				jQuery.ajax({
-					url:  '/load-widget',
+					url:  BASE_PATH + '/load-widget',
 					data: append_period({
 						widget: chart.attr('data-widget'),
 						total:  get_total(),
@@ -840,7 +840,7 @@
 			l.addClass('loading')
 			var done = paginate_button(l, () => {
 				jQuery.ajax({
-					url:     '/load-widget',
+					url:     BASE_PATH + '/load-widget',
 					data:    append_period({
 						widget: widget,
 						key:    key,
diff --git a/public/help.js b/public/help.js
index a1f8fcf90..7caa9ad7a 100644
--- a/public/help.js
+++ b/public/help.js
@@ -1,5 +1,7 @@
+let helpIndex = window.location.pathname.lastIndexOf('/help');
+let basePath = window.location.pathname.slice(0, helpIndex === -1 ? 0 : helpIndex)
 document.querySelector('select').addEventListener('change', function(e) {
-	window.location = '/code/' + this.value
+	window.location = basePath + '/help/' + this.value
 })
 document.querySelector('.show-contact').addEventListener('click', function(e) {
 	e.preventDefault()
@@ -26,7 +28,7 @@ if (expand)
 			})
 	})
 
-if (window.location.pathname === '/help/visitor-counter') {
+if (window.location.pathname == basePath + '/help/visitor-counter') {
 	var t = setInterval(function() {
 		if (window.goatcounter && window.goatcounter.visit_count) {
 			clearInterval(t)
diff --git a/settings.go b/settings.go
index adc9e50e4..8b07d48bf 100644
--- a/settings.go
+++ b/settings.go
@@ -405,7 +405,7 @@ func (ss SiteSettings) CollectFlags(ctx context.Context) []CollectFlag {
 	return []CollectFlag{
 		{
 			Label: z18n.T(ctx, "data-collect/label/sessions|Sessions"),
-			Help:  z18n.T(ctx, "data-collect/help/sessions|%[Track unique visitors] for up to 8 hours; if you disable this then someone pressing e.g. F5 to reload the page will just show as 2 pageviews instead of 1.", z18n.Tag("a", `href="/help/sessions"`)),
+			Help:  z18n.T(ctx, "data-collect/help/sessions|%[Track unique visitors] for up to 8 hours; if you disable this then someone pressing e.g. F5 to reload the page will just show as 2 pageviews instead of 1.", z18n.Tag("a", fmt.Sprintf(`href="%s/help/sessions"`, Config(ctx).BasePath))),
 			Flag:  CollectSession,
 		},
 		{
diff --git a/site.go b/site.go
index 003c7dce6..ed9b7a0f1 100644
--- a/site.go
+++ b/site.go
@@ -523,17 +523,22 @@ func (s Site) Display(ctx context.Context) string {
 	return fmt.Sprintf("%s.%s", s.Code, znet.RemovePort(Config(ctx).Domain))
 }
 
-// URL to this site.
-func (s Site) URL(ctx context.Context) string {
+// URL to this site, without the scheme.
+func (s Site) SchemelessURL(ctx context.Context) string {
 	if s.Cname != nil && s.CnameSetupAt != nil {
-		return fmt.Sprintf("http%s://%s%s",
-			map[bool]string{true: "", false: "s"}[Config(ctx).Dev],
-			*s.Cname, Config(ctx).Port)
+		return *s.Cname + Config(ctx).Port + Config(ctx).BasePath
 	}
 
-	return fmt.Sprintf("http%s://%s.%s%s",
-		map[bool]string{true: "", false: "s"}[Config(ctx).Dev],
-		s.Code, Config(ctx).Domain, Config(ctx).Port)
+	return fmt.Sprintf("%s.%s%s%s",
+		s.Code, Config(ctx).Domain, Config(ctx).Port, Config(ctx).BasePath)
+}
+
+// URL to this site.
+func (s Site) URL(ctx context.Context) string {
+	if Config(ctx).Dev {
+		return "http://" + s.SchemelessURL(ctx)
+	}
+	return "https://" + s.SchemelessURL(ctx)
 }
 
 // LinkDomainURL creates a valid url to the configured LinkDomain.
diff --git a/tpl/_backend_bottom.gohtml b/tpl/_backend_bottom.gohtml
index 31da781b0..1f506a364 100644
--- a/tpl/_backend_bottom.gohtml
+++ b/tpl/_backend_bottom.gohtml
@@ -8,6 +8,7 @@
 		data-offset="{{.User.Settings.Timezone.Offset}}"
 		data-first-hit-at="{{.Site.FirstHitAt.Unix}}"
 		data-websocket="{{.Websocket}}"
+		{{if .Base}}data-base-path="{{.Base}}"{{end}}
 		{{if .User.ID}}data-csrf="{{.User.CSRFToken}}"{{end}}
 	>
 		{{- .User.Settings.String | unsafe_js -}}
diff --git a/tpl/_backend_signin.gohtml b/tpl/_backend_signin.gohtml
index 712e76089..6b212a985 100644
--- a/tpl/_backend_signin.gohtml
+++ b/tpl/_backend_signin.gohtml
@@ -1,4 +1,4 @@
-<form method="post" action="/user/requestlogin" class="vertical">
+<form method="post" action="{{.Base}}/user/requestlogin" class="vertical">
 	<label for="email">{{.T "label/email-address|Email address"}}</label>
 	<input type="email" name="email" id="email" value="{{.Email}}" autofocus required><br>
 
@@ -7,4 +7,4 @@
 	<button>{{.T "button/sign-in|Sign in"}}</button>
 </form>
 
-<p><a href="/user/forgot">{{.T "button/forgot-password|Forgot password?"}}</a></p>
+<p><a href="{{.Base}}/user/forgot">{{.T "button/forgot-password|Forgot password?"}}</a></p>
diff --git a/tpl/_backend_top.gohtml b/tpl/_backend_top.gohtml
index ec4e7db78..6f125c4d6 100644
--- a/tpl/_backend_top.gohtml
+++ b/tpl/_backend_top.gohtml
@@ -52,22 +52,22 @@
 						</div>
 					{{- end -}}
 				{{else if has_prefix .Path "/settings/sites/remove/"}}
-					<strong id="back"><a href="/settings/sites">←&#xfe0e; {{.T "top-nav/back|Back"}}</a></strong>
+					<strong id="back"><a href="{{.Base}}/settings/sites">←&#xfe0e; {{.T "top-nav/back|Back"}}</a></strong>
 				{{else if has_prefix .Path "/settings/purge/confirm"}}
-					<strong id="back"><a href="/settings/purge">←&#xfe0e; {{.T "top-nav/back|Back"}}</a></strong>
+					<strong id="back"><a href="{{.Base}}/settings/purge">←&#xfe0e; {{.T "top-nav/back|Back"}}</a></strong>
 				{{else if has_prefix .Path "/i18n/"}}
-					<strong id="back"><a href="/i18n">←&#xfe0e; {{.T "top-nav/back|Back"}}</a></strong>
+					<strong id="back"><a href="{{.Base}}/i18n">←&#xfe0e; {{.T "top-nav/back|Back"}}</a></strong>
 				{{else if has_prefix .Path "/bosmang/"}}
-					<strong id="back"><a href="/settings/server">←&#xfe0e; {{.T "top-nav/back|Back"}}</a></strong>
+					<strong id="back"><a href="{{.Base}}/settings/server">←&#xfe0e; {{.T "top-nav/back|Back"}}</a></strong>
 				{{else}}
-					<strong id="back"><a href="/">←&#xfe0e; {{.T "top-nav/dashboard|Dashboard"}}</a></strong>
+					<strong id="back"><a href="{{.Base}}/">←&#xfe0e; {{.T "top-nav/dashboard|Dashboard"}}</a></strong>
 				{{end}}
 			</div>
 			<div id="usermenu">
-				<a {{if eq .Path "/help"}}class="active" {{end}}href="/help">{{.T "top-nav/documentation|Help"}}</a> |
-				{{if .User.AccessSettings}}<a {{if has_prefix .Path "/settings"}}class="active" {{end}}href="/settings">{{.T "top-nav/settings|Settings"}}</a> |{{end}}
-				<a {{if has_prefix .Path "/user"}}class="active" {{end}}href="/user">{{.User.EmailShort}}</a> |
-				<form method="post" action="/user/logout">
+				<a {{if eq .Path "/help"}}class="active" {{end}}href="{{.Base}}/help">{{.T "top-nav/documentation|Help"}}</a> |
+				{{if .User.AccessSettings}}<a {{if has_prefix .Path "/settings"}}class="active" {{end}}href="{{.Base}}/settings">{{.T "top-nav/settings|Settings"}}</a> |{{end}}
+				<a {{if has_prefix .Path "/user"}}class="active" {{end}}href="{{.Base}}/user">{{.User.EmailShort}}</a> |
+				<form method="post" action="{{.Base}}/user/logout">
 					<input type="hidden" name="csrf" value="{{.User.CSRFToken}}">
 					<button class="link">{{.T "top-nav/sign-out|Sign out"}}</button>
 				</form>
@@ -84,7 +84,7 @@
 					"timezone-offset" .User.Settings.Timezone.OffsetDisplay
 				)}}
 			</div>
-			<div id="signin"><a href="/user/new">{{.T "top-nav/sign-in|Sign in"}}</a></div>
+			<div id="signin"><a href="{{.Base}}/user/new">{{.T "top-nav/sign-in|Sign in"}}</a></div>
 		{{- end -}}
 	</nav>
 
@@ -94,7 +94,7 @@
 	{{if and .User.ID (before .Site.CreatedAt "2024-04-07")}}
 		<div class="flash flash-i onetime onetime-dark">
 			The default theme colours are now set from your system; you can change it back to the
-			previous by changing it in <a href="/user/pref#section-email-reports">your user settings</a>
+			previous by changing it in <a href="{{.Base}}/user/pref#section-email-reports">your user settings</a>
 			–
 			<a href="" class="close">don’t show again</a>
 		</div>
diff --git a/tpl/_bottom_links.gohtml b/tpl/_bottom_links.gohtml
index 9454921fe..748a85f15 100644
--- a/tpl/_bottom_links.gohtml
+++ b/tpl/_bottom_links.gohtml
@@ -1,9 +1,9 @@
 <footer class="center cbox">
 	<div>
 		<a {{if .Site}}target="_blank" rel="noopener"{{end}} href="https://www.goatcounter.com">{{.T "nav-bot/home|Home"}}</a><span> |</span>
-		<a href="/contact"   >{{.T "nav-bot/contact|Contact"}}</a><span> |</span>
-		<a href="/help"      >{{.T "nav-bot/docs|Documentation"}}</a><span> |</span>
-		<a href="/contribute">{{.T "nav-bot/contribute|Contribute"}}</a>
+		<a href="{{.Base}}/contact"   >{{.T "nav-bot/contact|Contact"}}</a><span> |</span>
+		<a href="{{.Base}}/help"      >{{.T "nav-bot/docs|Documentation"}}</a><span> |</span>
+		<a href="{{.Base}}/contribute">{{.T "nav-bot/contribute|Contribute"}}</a>
 	</div>
 	<div>
 		<a href="https://github.com/arp242/goatcounter"                target="_blank" rel="noopener">{{.T "nav-bot/src|Source code"}}</a><span> |</span>
diff --git a/tpl/_contact.gohtml b/tpl/_contact.gohtml
index abfe9f5bf..74646f5a6 100644
--- a/tpl/_contact.gohtml
+++ b/tpl/_contact.gohtml
@@ -8,7 +8,7 @@
 		<a href="mailto:support@goatcounter.com">support@goatcounter.com</a>.</li>
 </ul>
 
-<form method="post" action="/contact" class="contact-form">
+<form method="post" action="{{.Base}}/contact" class="contact-form">
 	<input type="hidden" name="return" value="{{if .a}}{{.a.Return}}{{else}}{{.r}}{{end}}">
 
 	<strong>Send message</strong>
diff --git a/tpl/_dashboard_configure_widget.gohtml b/tpl/_dashboard_configure_widget.gohtml
index 297e22f9e..c4ea048ef 100644
--- a/tpl/_dashboard_configure_widget.gohtml
+++ b/tpl/_dashboard_configure_widget.gohtml
@@ -1,4 +1,4 @@
-<form class="widget-settings" method="post" action="/user/dashboard/{{.I}}">
+<form class="widget-settings" method="post" action="{{.Base}}/user/dashboard/{{.I}}">
 	{{template "_user_dashboard_widget.gohtml" .}}
 	<button>{{.T "button/save|Save"}}</button>
 </form>
diff --git a/tpl/_dashboard_hchart.gohtml b/tpl/_dashboard_hchart.gohtml
index 32508c6db..8767bee65 100644
--- a/tpl/_dashboard_hchart.gohtml
+++ b/tpl/_dashboard_hchart.gohtml
@@ -10,7 +10,7 @@
 				<a href="#" class="logged-in configure-widget" aria-label="{{t $.Context "button/cfg-dashboard|Configure"}}">⚙&#xfe0f;</a>
 			{{end}}
 		</div>
-		{{template "_dashboard_warn_collect.gohtml" (map "IsCollected" .IsCollected "Context" .Context)}}
+		{{template "_dashboard_warn_collect.gohtml" (map "IsCollected" .IsCollected "Context" .Context "Base" .Base)}}
 		{{if .Err}}
 			<em>{{t $.Context "p/error|Error: %(error-message)" .Err}}</em>
 		{{else}}
diff --git a/tpl/_dashboard_warn_collect.gohtml b/tpl/_dashboard_warn_collect.gohtml
index bdceedd01..42fda4f19 100644
--- a/tpl/_dashboard_warn_collect.gohtml
+++ b/tpl/_dashboard_warn_collect.gohtml
@@ -1,7 +1,7 @@
 {{if not .IsCollected}}
 	<div class="not-collected">
 		{{t .Context "p/collect-disabled|Collecting this information is currently %[disabled in settings]."
-			(tag "a" `href="/settings/main#section-collect"`)}}
+			(tag "a" (printf `href="%s/settings/main#section-collect"` .Base))}}
 	</div>
 {{end}}
 
diff --git a/tpl/_settings_nav.gohtml b/tpl/_settings_nav.gohtml
index e5efe92d4..c40810d5d 100644
--- a/tpl/_settings_nav.gohtml
+++ b/tpl/_settings_nav.gohtml
@@ -1,16 +1,16 @@
 <nav class="tab-nav">
-	<a class="{{if has_prefix .Path "/settings/main"}}active{{end}}"   href="/settings/main">{{.T "link/settings|Settings"}}</a>
-	<a class="{{if has_prefix .Path "/settings/purge"}}active{{end}}"  href="/settings/purge">{{.T "link/manage-pageviews|Manage pageviews"}}</a>
-	<a class="{{if has_prefix .Path "/settings/export"}}active{{end}}" href="/settings/export">{{.T "link/import|Import/Export"}}</a>
+	<a class="{{if has_prefix .Path "/settings/main"}}active{{end}}"   href="{{.Base}}/settings/main">{{.T "link/settings|Settings"}}</a>
+	<a class="{{if has_prefix .Path "/settings/purge"}}active{{end}}"  href="{{.Base}}/settings/purge">{{.T "link/manage-pageviews|Manage pageviews"}}</a>
+	<a class="{{if has_prefix .Path "/settings/export"}}active{{end}}" href="{{.Base}}/settings/export">{{.T "link/import|Import/Export"}}</a>
 
 	{{if .User.AccessAdmin}}
-	<a class="{{if has_prefix .Path "/settings/users"}}active{{end}}"  href="/settings/users">{{.T "link/users|Users"}}</a>
-	<a class="{{if has_prefix .Path "/settings/sites"}}active{{end}}"  href="/settings/sites">{{.T "link/sites|Sites"}}</a>
+	<a class="{{if has_prefix .Path "/settings/users"}}active{{end}}"  href="{{.Base}}/settings/users">{{.T "link/users|Users"}}</a>
+	<a class="{{if has_prefix .Path "/settings/sites"}}active{{end}}"  href="{{.Base}}/settings/sites">{{.T "link/sites|Sites"}}</a>
 		{{if .GoatcounterCom}}
-		<a class="{{if has_prefix .Path "/settings/delete-account"}}active{{end}}" href="/settings/delete-account">{{.T "link/rm-account|Delete account"}}</a>
+		<a class="{{if has_prefix .Path "/settings/delete-account"}}active{{end}}" href="{{.Base}}/settings/delete-account">{{.T "link/rm-account|Delete account"}}</a>
 		{{end}}
 	{{end}}
 	{{if .User.AccessSuperuser}}
-		<a class="{{if has_prefix .Path "/settings/server"}}active{{end}}"  href="/settings/server">Server management</a>
+		<a class="{{if has_prefix .Path "/settings/server"}}active{{end}}"  href="{{.Base}}/settings/server">Server management</a>
 	{{end}}
 </nav>
diff --git a/tpl/_top.gohtml b/tpl/_top.gohtml
index c2bba81d3..c142738ba 100644
--- a/tpl/_top.gohtml
+++ b/tpl/_top.gohtml
@@ -8,12 +8,12 @@
 	<link rel="stylesheet" href="{{.Static}}/vars.css?v={{.Version}}">
 	<link rel="stylesheet" href="{{.Static}}/shared.css?v={{.Version}}">
 	<link rel="stylesheet" href="{{.Static}}/style.css?v={{.Version}}">
-	<link rel="canonical" href="https://{{.Domain}}{{if ne .Page "home"}}/{{.Page}}{{end}}">
+	<link rel="canonical" href="https://{{.Domain}}{{.Base}}/{{if ne .Page "home"}}{{.Page}}{{end}}">
 </head>
 
 <body>
 	{{if ne .Page "home"}}<nav class="center">
-		<strong id="back"><a href="/">←&#xfe0e; {{if .Site}}Dashboard{{else}}Home{{end}}</a></strong>
+		<strong id="back"><a href="{{.Base}}/">←&#xfe0e; {{if .Site}}Dashboard{{else}}Home{{end}}</a></strong>
 	</nav>{{end}}
 	<div class="page page-{{.Page}}">
 	{{- if .Flash}}<div class="flash flash-{{.Flash.Level}}">{{.Flash.Message}}</div>{{end -}}
diff --git a/tpl/_user_nav.gohtml b/tpl/_user_nav.gohtml
index 3f627149e..e0029afdb 100644
--- a/tpl/_user_nav.gohtml
+++ b/tpl/_user_nav.gohtml
@@ -1,9 +1,9 @@
 <nav class="tab-nav">
-	<a class="{{if has_prefix .Path "/user/pref"}}active{{end}}"      href="/user/pref">{{.T "link/preferences|Preferences"}}</a>
-	<a class="{{if has_prefix .Path "/user/dashboard"}}active{{end}}" href="/user/dashboard">{{.T "link/dashboard|Dashboard"}}</a>
-	<a class="{{if has_prefix .Path "/user/auth"}}active{{end}}"      href="/user/auth">{{.T "link/passwd-mfa|Password & MFA"}}</a>
+	<a class="{{if has_prefix .Path "/user/pref"}}active{{end}}"      href="{{.Base}}/user/pref">{{.T "link/preferences|Preferences"}}</a>
+	<a class="{{if has_prefix .Path "/user/dashboard"}}active{{end}}" href="{{.Base}}/user/dashboard">{{.T "link/dashboard|Dashboard"}}</a>
+	<a class="{{if has_prefix .Path "/user/auth"}}active{{end}}"      href="{{.Base}}/user/auth">{{.T "link/passwd-mfa|Password & MFA"}}</a>
 	{{if .User.AccessAdmin}}
-	<a class="{{if has_prefix .Path "/user/api"}}active{{end}}"       href="/user/api">{{.T "link/api|API"}}</a>
+	<a class="{{if has_prefix .Path "/user/api"}}active{{end}}"       href="{{.Base}}/user/api">{{.T "link/api|API"}}</a>
 	{{end}}
 </nav>
 <p>{{.T "p/settings-all-sites|These settings take effect for all the sites you have access to."}}</p>
diff --git a/tpl/bosmang_bgrun.gohtml b/tpl/bosmang_bgrun.gohtml
index fc43d36e5..c39c05aef 100644
--- a/tpl/bosmang_bgrun.gohtml
+++ b/tpl/bosmang_bgrun.gohtml
@@ -16,7 +16,7 @@
 			<td>{{$t.Period}}</td>
 			<td>{{$t.ID}}</td>
 			<td>{{$t.Desc}}</td>
-			<td><form method="post" action="/bosmang/bgrun/{{$i}}">
+			<td><form method="post" action="{{$.Base}}/bosmang/bgrun/{{$i}}">
 				<input type="hidden" name="csrf" value="{{$.User.CSRFToken}}">
 				<button class="link" title="Run the task now; this won't reset the timer for the scheduled task">Run now</button>
 			</form></td>
diff --git a/tpl/contact.gohtml b/tpl/contact.gohtml
index 1a049a2b6..fcc833328 100644
--- a/tpl/contact.gohtml
+++ b/tpl/contact.gohtml
@@ -2,6 +2,6 @@
 
 <h1>GoatCounter contact</h1>
 <p>There are a few ways to contact me:</p>
-{{template "_contact.gohtml" (map "v" .Validate "r" "/contact" "a" .Args)}}
+{{template "_contact.gohtml" (map "v" .Validate "r" "/contact" "a" .Args "Base" .Base)}}
 
 {{template "_bottom.gohtml" .}}
diff --git a/tpl/dashboard.gohtml b/tpl/dashboard.gohtml
index 752418ee3..999b582c6 100644
--- a/tpl/dashboard.gohtml
+++ b/tpl/dashboard.gohtml
@@ -12,9 +12,9 @@
 				"sup"   (tag "a" `class="sup" href="https://www.goatcounter.com/help/faq#verify-email" target="_blank"`)
 			)}}<br>
 
-			{{.T "p/change-email|Change the email address in the %[settings]." (tag "a" `href="/user"`)}}
+			{{.T "p/change-email|Change the email address in the %[settings]." (tag "a" (printf `href="%s/user"` .Base))}}
 
-			<form method="post" action="/user/resend-verify">
+			<form method="post" action="{{.Base}}/user/resend-verify">
 				<input type="hidden" name="csrf" value="{{.User.CSRFToken}}">
 				<button class="link">{{.T "button/resend-email|Resend email"}}</button>.
 			</form>
@@ -36,7 +36,7 @@
 				"bold"      (tag "strong" "")
 				"pre"       (tag "pre" "")
 				"domain"    (.Site.Domain .Context)
-				"link_docs" (tag "a" `href="/help"`)
+				"link_docs" (tag "a" (printf `href="%s/help"` .Base))
 				"js_code"   (printf "<script data-goatcounter=\"%s/count\"\n        async src=\"//%s/count.js\"></script>" (.Site.URL .Context) .CountDomain)
 			)}}
 		</div>
@@ -68,7 +68,7 @@
 				{{/* TODO: it might be better to load the settings page "inline"
 				here, instead of a settings tab; would also declutter that a bit
 				since we can remove it there. */}}
-				<a href="/user/dashboard">{{.T "button/cfg-dashboard|Configure dashboard layout"}}</a><br>
+				<a href="{{.Base}}/user/dashboard">{{.T "button/cfg-dashboard|Configure dashboard layout"}}</a><br>
 				<small>{{.T "help/cfg-dashboard|Change what to display on the dashboard and in what order."}}</small>
 			</div>
 		</div>
diff --git a/tpl/error.gohtml b/tpl/error.gohtml
index f88ebe55d..81401931f 100644
--- a/tpl/error.gohtml
+++ b/tpl/error.gohtml
@@ -121,6 +121,7 @@ sub {
 </head>
 
 <body>
+  {{/* We should use href="{{.Base}}/" below, but it's not accessible with zhttp.DefaultErrPage. */}}
 	{{if ne .Path "/"}}<nav class="center"><strong><a href="/">← Home</a></strong></nav>{{end}}
 	<div class="page">
 		{{if eq .Code 404}}
diff --git a/tpl/help.gohtml b/tpl/help.gohtml
index bc9c8c0e3..6f2e736c5 100644
--- a/tpl/help.gohtml
+++ b/tpl/help.gohtml
@@ -58,7 +58,7 @@ hr                  { margin: 0; }
 
 <body>
 	<nav class="center">
-		<strong id="back"><a href="/">←&#xfe0e; {{if .Site}}Dashboard{{else}}Home{{end}}</a></strong>
+		<strong id="back"><a href="{{.Base}}/">←&#xfe0e; {{if .Site}}Dashboard{{else}}Home{{end}}</a></strong>
 	</nav>
 
 	<div class="center code-wrap">
@@ -81,7 +81,7 @@ hr                  { margin: 0; }
 
 				<p>Ways to contact me: <a href="#" class="show-contact">show</a> </p>
 				<div style="display: none;" class="contact">
-					{{template "_contact.gohtml" (map "v" .Validate "r" (printf "/help/%s" .CodePage) "a" .Args)}}
+					{{template "_contact.gohtml" (map "v" .Validate "r" (printf "/help/%s" .CodePage) "a" .Args "Base" .Base)}}
 				</div>
 			</div>
 		</div>
diff --git a/tpl/home.gohtml b/tpl/home.gohtml
index 2ec7400ee..0f36dfb34 100644
--- a/tpl/home.gohtml
+++ b/tpl/home.gohtml
@@ -11,12 +11,12 @@
 			service or <em>self-hosted</em> app. It aims to offer easy to use
 			and meaningful privacy-friendly web analytics as an alternative to
 			Google Analytics or Matomo.<br>
-			<a href="/why">Why I made GoatCounter</a>
+			<a href="{{.Base}}/why">Why I made GoatCounter</a>
 		</p>
 	</div>
 
 	<div id="home-login">
-		<a class="hlink cbox" href="/signup"><img src="{{.Static}}/index.svg" alt=""> Sign up</a>
+		<a class="hlink cbox" href="{{.Base}}/signup"><img src="{{.Static}}/index.svg" alt=""> Sign up</a>
 		<p>{{if .LoggedIn}}{{.LoggedIn}}{{else}}Already have an account? Sign in at <em>yourcode</em>.goatcounter.com.
 		<a href="//{{.Domain}}/user/forgot">Forgot?</a>{{end}}</p>
 	</div>
@@ -43,8 +43,8 @@
 	<div>
 		<p><strong>Privacy-aware</strong>; doesn’t track users with unique
 		identifiers and doesn't need a GDPR notice. Fine-grained <strong>control over
-			which data is collected</strong>. Also see the <a href="/privacy">privacy
-			policy</a> and <a href="/gdpr">GDPR consent notices</a>.</p>
+			which data is collected</strong>. Also see the <a href="{{.Base}}/privacy">privacy
+			policy</a> and <a href="{{.Base}}/gdpr">GDPR consent notices</a>.</p>
 
 		<p><strong>Lightweight</strong> and <strong>fast</strong>; adds just
 			~3.5KB of extra data to your site. Also has JavaScript-free
@@ -56,7 +56,7 @@
 	<div>
 		<p>Identify <strong>unique visits</strong> without cookies or
 			persistently storing any personal data
-			(<a href="/help/sessions.md">details</a>).</p>
+			(<a href="{{.Base}}/help/sessions.md">details</a>).</p>
 
 		<p>Keeps useful statistics such as <strong>browser</strong> information,
 			<strong>location</strong>, and <strong>screen size</strong>. Keep
@@ -96,10 +96,10 @@
 
 <h2 id="docs">Documents</h2>
 <div class="page" id="docs-list">
-	<p>Some documents about GoatCounter that don’t fit the <a href="/help">documentation page</a>:</p>
+	<p>Some documents about GoatCounter that don’t fit the <a href="{{.Base}}/help">documentation page</a>:</p>
 	<ul>
-		<li><a href="/why">Why I made GoatCounter</a></li>
-		<li><a href="/design">Notes about GoatCounter's design</a></li>
+		<li><a href="{{.Base}}/why">Why I made GoatCounter</a></li>
+		<li><a href="{{.Base}}/design">Notes about GoatCounter's design</a></li>
 
 		<li><a target="_blank" rel="noopener" href="https://www.arp242.net/personal-analytics.html">Analytics on personal websites</a></li>
 		<li><a target="_blank" rel="noopener" href="https://www.arp242.net/dnt.html">Why GoatCounter ignores Do Not Track</a></li>
diff --git a/tpl/i18n_list.gohtml b/tpl/i18n_list.gohtml
index 9e0bffc3e..5fc76d834 100644
--- a/tpl/i18n_list.gohtml
+++ b/tpl/i18n_list.gohtml
@@ -22,8 +22,8 @@
 <h2>Edit translations</h2>
 <ul>
 	{{range $f := .Files}}
-		<li><a style="display: inline-block; width: 10em;" href="/i18n/{{index $f 0}}">{{index $f 1}}</a> –
-			<form method="post" action="/i18n/set/{{index $f 0}}">
+		<li><a style="display: inline-block; width: 10em;" href="{{$.Base}}/i18n/{{index $f 0}}">{{index $f 1}}</a> –
+			<form method="post" action="{{$.Base}}/i18n/set/{{index $f 0}}">
 				<input type="hidden" name="csrf" value="{{$.User.CSRFToken}}">
 				<input type="hidden" name="language" value="{{index $f 0}}">
 				<button class="link">set as active</button>
@@ -33,7 +33,7 @@
 </ul>
 
 <h2>Create new</h2>
-<form method="post" action="/i18n" class="vertical">
+<form method="post" action="{{.Base}}/i18n" class="vertical">
 	<input type="hidden" name="csrf" value="{{.User.CSRFToken}}">
 
 	<label for="language">Language</label>
diff --git a/tpl/i18n_show.gohtml b/tpl/i18n_show.gohtml
index 6bbc70935..8c566b87d 100644
--- a/tpl/i18n_show.gohtml
+++ b/tpl/i18n_show.gohtml
@@ -55,7 +55,7 @@
 		- Merge from template
 		- Delete
 		*/}}
-		<form method="POST" action="/i18n/submit/{{.TOMLFile}}">
+		<form method="POST" action="{{.Base}}/i18n/submit/{{.TOMLFile}}">
 			<input type="hidden" name="csrf" value="{{$.User.CSRFToken}}">
 			<button>Send changes<br><small>Changes are saved automatically; use this when you're finished</small></button>
 		</form>
@@ -63,7 +63,7 @@
 </div>
 
 {{range $e := .File.Strings}}
-	{{$o := index $.Base.Strings $e.ID}}
+	{{$o := index $.BaseFile.Strings $e.ID}}
 	{{$status := ""}}
 	{{if not $e.Default}}              {{$status = "untrans"}}
 	{{else if eq $e.Updated "unused"}} {{$status = "unused"}}
diff --git a/tpl/serve_newsite.gohtml b/tpl/serve_newsite.gohtml
index a51cc3fa8..eba39efd4 100644
--- a/tpl/serve_newsite.gohtml
+++ b/tpl/serve_newsite.gohtml
@@ -118,7 +118,7 @@
 
 {{if or .Error .Validate.HasErrors}}<div class="flash flash-e">{{.Validate.HTML}}{{.Error}}</div>{{end}}
 
-<form method="POST" action="/">
+<form method="POST" action="{{.Base}}/">
 	<fieldset>
 	<label for="email">Email</label>
 	<input type="email" name="email" id="email" value="{{.Email}}">
diff --git a/tpl/settings_delete.gohtml b/tpl/settings_delete.gohtml
index 3c17e461a..7edced432 100644
--- a/tpl/settings_delete.gohtml
+++ b/tpl/settings_delete.gohtml
@@ -18,7 +18,7 @@
 </div>
 {{end}}
 
-<form method="post" action="/settings/delete-account" class="form-max-width"
+<form method="post" action="{{.Base}}/settings/delete-account" class="form-max-width"
 	data-confirm={{.T "label/delete-account-confirmation|Are you sure you want to delete your entire account?"}}>
 	<input type="hidden" name="csrf" value="{{.User.CSRFToken}}">
 
diff --git a/tpl/settings_export.gohtml b/tpl/settings_export.gohtml
index 3d743e9a3..df48a5b70 100644
--- a/tpl/settings_export.gohtml
+++ b/tpl/settings_export.gohtml
@@ -4,10 +4,10 @@
 <h2 id="export">{{.T "header/export-or-import|Export/Import"}}</h2>
 
 <p>{{.T "p/csv-file-format|The format of the CSV file is %[documented over here]."
-	(tag "a" `href="/help/export"`)}}</p>
+	(tag "a" (printf `href="%s/help/export"` .Base))}}</p>
 
 <div class="flex-form">
-	<form method="post" action="/settings/export" class="vertical">
+	<form method="post" action="{{.Base}}/settings/export" class="vertical">
 		<input type="hidden" name="csrf" value="{{.User.CSRFToken}}">
 
 		<fieldset>
@@ -33,7 +33,7 @@
 		</fieldset>
 	</form>
 
-	<form method="post" action="/settings/export/import" enctype="multipart/form-data" class="vertical">
+	<form method="post" action="{{.Base}}/settings/export/import" enctype="multipart/form-data" class="vertical">
 		<input type="hidden" name="csrf" value="{{.User.CSRFToken}}">
 
 		<fieldset>
@@ -75,7 +75,7 @@
 			<td class="hash"><input style="width: 8em" value="{{$e.Hash}}"></td>
 			<td>
 				{{if and $e.Exists $e.FinishedAt}}
-					<a href="/settings/export/{{$e.ID}}">download</a>
+					<a href="{{$.Base}}/settings/export/{{$e.ID}}">download</a>
 				{{else}}
 					<em>{{if $e.FinishedAt}}expired{{else}}not yet ready{{end}}</em>
 				{{end}}
diff --git a/tpl/settings_main.gohtml b/tpl/settings_main.gohtml
index ef42fdf40..9d36cb117 100644
--- a/tpl/settings_main.gohtml
+++ b/tpl/settings_main.gohtml
@@ -4,7 +4,7 @@
 <h2 id="setting">{{.T "header/settings|Settings"}}</h2>
 
 <div class="form-wrap">
-	<form method="post" action="/settings/main" class="vertical">
+	<form method="post" action="{{.Base}}/settings/main" class="vertical">
 		<input type="hidden" name="csrf" value="{{.User.CSRFToken}}">
 
 		<fieldset id="section-site">
@@ -18,7 +18,7 @@
 			<label>{{checkbox .Site.Settings.AllowCounter "settings.allow_counter"}}
 				{{.T "label/allow-visitor-counts|Allow adding visitor counts on your website"}}</label>
 			<span>{{.T "help/allow-visitor-counts|See %[the documentation] for details on how to use."
-				(tag "a" `href="/help/visitor-counter"`)}}</span>
+				(tag "a" (printf `href="%s/help/visitor-counter"` .Base))}}</span>
 
 			<label for="settings-allow-embed">{{.T "label/dashboard-allow-embed|Sites that can embed GoatCounter"}}</label>
 			<input type="text" name="settings.allow_embed" id="settings-allow-embed" value="{{.Site.Settings.AllowEmbed}}"></input>
@@ -56,7 +56,7 @@
 				{{.T `label/change-code|You will access your account at https://<em>[my-code]</em>.%(domain) – %[%link change].`
 					(map
 						"domain" .Domain
-						"link"   (tag "a" `href="/settings/change-code"`)
+						"link"   (tag "a" (printf `href="%s/settings/change-code"` .Base))
 					)}}
 				</span>
 			{{end}}
diff --git a/tpl/settings_purge.gohtml b/tpl/settings_purge.gohtml
index d83e5de02..d549053a1 100644
--- a/tpl/settings_purge.gohtml
+++ b/tpl/settings_purge.gohtml
@@ -14,7 +14,7 @@
 	meaning.
 `}}</p>
 
-<form method="get" action="/settings/purge">
+<form method="get" action="{{.Base}}/settings/purge">
 	<input type="text" name="path" placeholder="Path" value="{{.PurgePath}}" required autocomplete="off">
 	<button type="submit">{{.T "button/search|Search"}}</button><br>
 	<label>{{checkbox .MatchTitle "match-title"}} {{.T "label/match-title|Match title as well"}}</label>
@@ -46,7 +46,7 @@
 			align-items: end;
 			margin-top: 2em;
 		">
-			<form method="post" action="/settings/merge"
+			<form method="post" action="{{.Base}}/settings/merge"
 				data-confirm="{{.T "help/no-undo|This cannot be undone!"}}"
 			>
 				<input type="hidden" name="csrf" value="{{.User.CSRFToken}}">
@@ -62,7 +62,7 @@
 				<br>
 				<strong>{{.T "help/no-undo|This cannot be undone!"}}</strong><br>
 			</form>
-			<form method="post" action="/settings/purge"
+			<form method="post" action="{{.Base}}/settings/purge"
 				data-confirm="{{.T "help/no-undo|This cannot be undone!"}}"
 				style="text-align: right;"
 			>
diff --git a/tpl/settings_server.gohtml b/tpl/settings_server.gohtml
index f841e8887..dab6564ab 100644
--- a/tpl/settings_server.gohtml
+++ b/tpl/settings_server.gohtml
@@ -14,12 +14,12 @@ Uptime:    {{.Uptime}}
 <p>Various special pages for server management; these pages are available only
 to users with “server mangagement” access set.</p>
 <ul>
-	<li><a href="/bosmang/cache"   >Cache</a>            – View contents of caches.</li>
-	<li><a href="/bosmang/bgrun"   >Background tasks</a> – View and manage background tasks.</li>
-	<li><a href="/bosmang/metrics" >Metrics</a>          – Some performance metrics.</li>
-	<li><a href="/bosmang/profile" >Profile</a>          – Go internal performance metrics (pprof).</li>
-	<li><a href="/bosmang/sites"   >Sites</a>            – Overview of all sites and usage (PostgreSQL only).</li>
-	<li><a href="/bosmang/error"   >Error</a>            – Generate an error; for testing logs and -errors flag.</li>
+	<li><a href="{{.Base}}/bosmang/cache"   >Cache</a>            – View contents of caches.</li>
+	<li><a href="{{.Base}}/bosmang/bgrun"   >Background tasks</a> – View and manage background tasks.</li>
+	<li><a href="{{.Base}}/bosmang/metrics" >Metrics</a>          – Some performance metrics.</li>
+	<li><a href="{{.Base}}/bosmang/profile" >Profile</a>          – Go internal performance metrics (pprof).</li>
+	<li><a href="{{.Base}}/bosmang/sites"   >Sites</a>            – Overview of all sites and usage (PostgreSQL only).</li>
+	<li><a href="{{.Base}}/bosmang/error"   >Error</a>            – Generate an error; for testing logs and -errors flag.</li>
 </ul>
 
 {{template "_backend_bottom.gohtml" .}}
diff --git a/tpl/settings_sites.gohtml b/tpl/settings_sites.gohtml
index abb77d831..654ad5c87 100644
--- a/tpl/settings_sites.gohtml
+++ b/tpl/settings_sites.gohtml
@@ -12,7 +12,7 @@
 	<p>You can add as many as you want.</p>
 `}}
 
-<form method="post" action="/settings/sites/add">
+<form method="post" action="{{.Base}}/settings/sites/add">
 	<input type="hidden" name="csrf" value="{{.User.CSRFToken}}">
 	<table class="auto">
 		<thead><tr><th>{{if .GoatcounterCom}}{{.T "header/code|Code"}}{{else}}{{.T "header/domain|Domain"}}{{end}}</th><th></th></tr></thead>
@@ -27,7 +27,7 @@
 					{{if and $.GoatcounterCom (not $s.Parent)}}
 						{{$.T "error/delete-main-site|Can’t delete main site"}}
 					{{else}}
-						<a href="/settings/sites/remove/{{$s.ID}}">{{$.T "button/delete|delete"}}</a>
+						<a href="{{$.Base}}/settings/sites/remove/{{$s.ID}}">{{$.T "button/delete|delete"}}</a>
 					{{end}}
 					{{if eq $s.ID $.Site.ID}}&nbsp;&nbsp;&nbsp;{{$.T "label/mark-current|(current)"}}{{end}}
 				</td>
@@ -54,7 +54,7 @@
 
 <p><strong>{{.T "p/text-data-retention|This includes the data retention and collection settings!"}}</strong></p>
 
-<form method="post" action="/settings/sites/copy-settings">
+<form method="post" action="{{.Base}}/settings/sites/copy-settings">
 	<input type="hidden" name="csrf" value="{{.User.CSRFToken}}">
 	{{range $s := .SubSites}}<tr>
 		{{if ne $s.ID $.Site.ID}}
diff --git a/tpl/settings_users.gohtml b/tpl/settings_users.gohtml
index b1b4553a0..dc7fc120f 100644
--- a/tpl/settings_users.gohtml
+++ b/tpl/settings_users.gohtml
@@ -12,8 +12,8 @@
 				{{if and $.GoatcounterCom (eq (len $.Users.Admins) 1) $u.AccessAdmin}}
 					{{$.T "p/last-user|Can’t delete or edit last admin user"}}
 				{{else}}
-					<a href="/settings/users/{{$u.ID}}">{{$.T "button/edit|edit"}}</a> |
-					<form method="post" action="/settings/users/remove/{{$u.ID}}"
+					<a href="{{$.Base}}/settings/users/{{$u.ID}}">{{$.T "button/edit|edit"}}</a> |
+					<form method="post" action="{{$.Base}}/settings/users/remove/{{$u.ID}}"
 						data-confirm="{{$.T "confirm/delete-user|Delete %(email)?" $u.Email}}"
 					>
 						<input type="hidden" name="csrf" value="{{$.User.CSRFToken}}">
@@ -26,6 +26,6 @@
 </tbody></table>
 <br>
 
-<a href="/settings/users/add">{{.T "button/add-user|Add new user"}}</a>
+<a href="{{.Base}}/settings/users/add">{{.T "button/add-user|Add new user"}}</a>
 
 {{template "_backend_bottom.gohtml" .}}
diff --git a/tpl/signup.gohtml b/tpl/signup.gohtml
index 1d5b96afa..3a1dcc779 100644
--- a/tpl/signup.gohtml
+++ b/tpl/signup.gohtml
@@ -6,7 +6,7 @@
 → <em>sites</em> for separating them out.</p>
 
 <div id="signup-form">
-	<form class="vertical" method="post" action="/signup">
+	<form class="vertical" method="post" action="{{.Base}}/signup">
 		<fieldset class="two">
 			<div>
 				<div>
diff --git a/tpl/totp.gohtml b/tpl/totp.gohtml
index fd160d003..99370d34a 100644
--- a/tpl/totp.gohtml
+++ b/tpl/totp.gohtml
@@ -3,7 +3,7 @@
 <h1>Multi-factor auth</h1>
 <p>{{.T "p/have-mfa|This account is protected with multi-factor auth; please enter the code from your authenticator app."}}</p>
 
-<form method="post" action="/user/totplogin" class="vertical">
+<form method="post" action="{{.Base}}/user/totplogin" class="vertical">
 	<input type="hidden" name="loginmac" value="{{.LoginMAC}}">
 	<input type="hidden" name="user_logintoken" value="{{.LoginToken}}">
 
diff --git a/tpl/user_api.gohtml b/tpl/user_api.gohtml
index 0d0fa55f9..3f6533656 100644
--- a/tpl/user_api.gohtml
+++ b/tpl/user_api.gohtml
@@ -5,15 +5,15 @@
 {{if not .User.EmailVerified}}
 	<p>You need to verify your email before you can use the API; a link was sent to {{.User.Email}}.</p>
 
-	Change the email address in the <a href="/user/pref">{{.T "link/settings|settings"}}</a> –
-	<form method="post" action="/user/resend-verify">
+	Change the email address in the <a href="{{.Base}}/user/pref">{{.T "link/settings|settings"}}</a> –
+	<form method="post" action="{{.Base}}/user/resend-verify">
 		<input type="hidden" name="csrf" value="{{.User.CSRFToken}}">
 		<button class="link">{{.T "button/resend-email|Resend email"}}</button>.
 	</form>
 </div>
 {{else}}
 	<p>{{.T "p/api-intro|GoatCounter comes with an API to count pageviews, read statistics, create exports, and manage sites and users."}}</p>
-	<p><a href="/api">{{.T "link/api-docs|API documentation"}}</a></p>
+	<p><a href="{{.Base}}/api">{{.T "link/api-docs|API documentation"}}</a></p>
 
 	<fieldset>
 		<legend>{{.T "header/api-tokens|API tokens"}}</legend>
@@ -45,7 +45,7 @@
 					{{end}}</td>
 
 					<td>
-						<form method="post" action="/user/api-token/remove/{{$t.ID}}" data-confirm="Delete token {{$t.Name}}?">
+						<form method="post" action="{{$.Base}}/user/api-token/remove/{{$t.ID}}" data-confirm="Delete token {{$t.Name}}?">
 							<input type="hidden" name="csrf" value="{{$.User.CSRFToken}}">
 							<button class="link">{{$.T "button/delete|delete"}}</button>
 						</form>
@@ -53,7 +53,7 @@
 				</tr>{{end}}
 
 				<tr>
-					<form method="post" action="/user/api-token">
+					<form method="post" action="{{.Base}}/user/api-token">
 						<input type="hidden" name="csrf" value="{{$.User.CSRFToken}}">
 
 						<td>
diff --git a/tpl/user_auth.gohtml b/tpl/user_auth.gohtml
index d9e65a0ab..e5e07d355 100644
--- a/tpl/user_auth.gohtml
+++ b/tpl/user_auth.gohtml
@@ -3,7 +3,7 @@
 
 <h2 id="auth">{{.T "header/passwd-mfa|Password & MFA"}}</h2>
 <div class="flex-form">
-	<form method="post" action="/user/change-password" class="vertical">
+	<form method="post" action="{{.Base}}/user/change-password" class="vertical">
 		<input type="hidden" name="csrf" value="{{.User.CSRFToken}}">
 
 		<fieldset>
@@ -25,7 +25,7 @@
 	</form>
 
 	{{if .User.TOTPEnabled}}
-		<form method="post" action="/user/disable-totp" class="vertical">
+		<form method="post" action="{{.Base}}/user/disable-totp" class="vertical">
 			<input type="hidden" name="csrf" value="{{.User.CSRFToken}}">
 
 			<fieldset>
@@ -36,7 +36,7 @@
 			</fieldset>
 		</form>
 	{{else}}
-		<form method="post" action="/user/enable-totp">
+		<form method="post" action="{{.Base}}/user/enable-totp">
 			<input type="hidden" name="csrf" value="{{.User.CSRFToken}}">
 
 			<fieldset>
diff --git a/tpl/user_dashboard.gohtml b/tpl/user_dashboard.gohtml
index 0beb521a9..4f6796a5c 100644
--- a/tpl/user_dashboard.gohtml
+++ b/tpl/user_dashboard.gohtml
@@ -4,7 +4,7 @@
 <h2 id="dashboard">{{.T "header/dashboard|Dashboard"}}</h2>
 
 <script crossorigin="anonymous" src="{{.Static}}/dragula.js?v={{.Version}}"></script>
-<form method="post" action="/user/dashboard" id="widget-settings">
+<form method="post" action="{{.Base}}/user/dashboard" id="widget-settings">
 	<input type="hidden" name="csrf" value="{{.User.CSRFToken}}">
 	<input type="hidden" name="reset" value="">
 
diff --git a/tpl/user_forgot_code.gohtml b/tpl/user_forgot_code.gohtml
index 23a4ab869..937c38f37 100644
--- a/tpl/user_forgot_code.gohtml
+++ b/tpl/user_forgot_code.gohtml
@@ -5,7 +5,7 @@
 
 <p>{{.T "forgot-domain-help|Email a list of all domains associated with an email address."}}</p>
 
-<form method="post" action="/user/forgot" class="vertical">
+<form method="post" action="{{.Base}}/user/forgot" class="vertical">
 	<label for="email">{{.T "label/email-address|Email address"}}</label>
 	<input type="email" name="email" id="email" value="{{.Email}}" required>
 	{{validate "email" .Validate}}
diff --git a/tpl/user_forgot_pw.gohtml b/tpl/user_forgot_pw.gohtml
index cf3a696ab..9732b5a1a 100644
--- a/tpl/user_forgot_pw.gohtml
+++ b/tpl/user_forgot_pw.gohtml
@@ -2,7 +2,7 @@
 
 <h1>{{.T "header/forgot-password|Forgot password"}}</h1>
 
-<form method="post" action="/user/request-reset" class="vertical">
+<form method="post" action="{{.Base}}/user/request-reset" class="vertical">
 	<label for="email">{{.T "label/email-address|Email address"}}</label>
 	<input type="email" name="email" id="email" value="{{.Email}}" required><br>
 
diff --git a/tpl/user_pref.gohtml b/tpl/user_pref.gohtml
index dd0a42dd4..df905c56c 100644
--- a/tpl/user_pref.gohtml
+++ b/tpl/user_pref.gohtml
@@ -3,7 +3,7 @@
 
 <h2 id="setting">{{.T "header/preferences|Preferences"}}</h2>
 <div class="form-wrap">
-	<form method="post" action="/user/pref" class="vertical">
+	<form method="post" action="{{.Base}}/user/pref" class="vertical">
 		<input type="hidden" name="csrf" value="{{.User.CSRFToken}}">
 
 		<fieldset>
@@ -39,7 +39,7 @@
 				<option {{option_value .User.Settings.Language "zh-TW"}}>中国</option>
 			</select>
 			{{validate "settings.language" .Validate}}
-			<span><a href="/i18n">{{.T "link/add-translation|Add or update translations"}}</a></span>
+			<span><a href="{{.Base}}/i18n">{{.T "link/add-translation|Add or update translations"}}</a></span>
 
 			<label for="date_format">{{.T "label/date-fmt|Date format"}}</label>
 			<select name="user.settings.date_format" id="date_format">
diff --git a/tpl/user_reset.gohtml b/tpl/user_reset.gohtml
index b59154f16..3b6200860 100644
--- a/tpl/user_reset.gohtml
+++ b/tpl/user_reset.gohtml
@@ -4,7 +4,7 @@
 	"email"     .User.Email
 	"site-name" (.Site.Display .Context)
 )}}</h1>
-<form method="post" action="/user/reset/{{.Key}}" class="vertical">
+<form method="post" action="{{.Base}}/user/reset/{{.Key}}" class="vertical">
 	<label for="password">{{.T "label/new-password|New password"}}</label>
 	<input type="password" name="password" id="password" autocomplete="new-password" required><br>
 
diff --git a/widgets/browsers.go b/widgets/browsers.go
index a9ddab0ca..76daea3be 100644
--- a/widgets/browsers.go
+++ b/widgets/browsers.go
@@ -59,6 +59,7 @@ func (w *Browsers) GetData(ctx context.Context, a Args) (more bool, err error) {
 func (w Browsers) RenderHTML(ctx context.Context, shared SharedData) (string, any) {
 	return "_dashboard_hchart.gohtml", struct {
 		Context      context.Context
+		Base         string
 		ID           int
 		CanConfigure bool
 		RowsOnly     bool
@@ -70,7 +71,7 @@ func (w Browsers) RenderHTML(ctx context.Context, shared SharedData) (string, an
 		TotalUTC     int
 		Stats        goatcounter.HitStats
 		Detail       string
-	}{ctx, w.id, true, shared.RowsOnly, w.Detail == "", w.loaded, w.err, isCol(ctx, goatcounter.CollectUserAgent),
+	}{ctx, goatcounter.Config(ctx).BasePath, w.id, true, shared.RowsOnly, w.Detail == "", w.loaded, w.err, isCol(ctx, goatcounter.CollectUserAgent),
 		z18n.T(ctx, "header/browsers|Browsers"),
 		shared.TotalUTC, w.Stats, w.Detail}
 }
diff --git a/widgets/campaigns.go b/widgets/campaigns.go
index ed224504f..90f896cb4 100644
--- a/widgets/campaigns.go
+++ b/widgets/campaigns.go
@@ -59,6 +59,7 @@ func (w Campaigns) RenderHTML(ctx context.Context, shared SharedData) (string, a
 	//return "_dashboard_campaigns.gohtml", struct {
 	return "_dashboard_hchart.gohtml", struct {
 		Context      context.Context
+		Base         string
 		ID           int
 		CanConfigure bool
 		RowsOnly     bool
@@ -70,6 +71,6 @@ func (w Campaigns) RenderHTML(ctx context.Context, shared SharedData) (string, a
 		TotalUTC     int
 		Stats        goatcounter.HitStats
 		Campaign     int64
-	}{ctx, w.id, true, shared.RowsOnly, w.Campaign == 0, w.loaded, w.err, isCol(ctx, goatcounter.CollectReferrer), w.Label(ctx),
+	}{ctx, goatcounter.Config(ctx).BasePath, w.id, true, shared.RowsOnly, w.Campaign == 0, w.loaded, w.err, isCol(ctx, goatcounter.CollectReferrer), w.Label(ctx),
 		shared.TotalUTC, w.Stats, w.Campaign}
 }
diff --git a/widgets/languages.go b/widgets/languages.go
index 27635a044..9428ba77e 100644
--- a/widgets/languages.go
+++ b/widgets/languages.go
@@ -53,6 +53,7 @@ func (w Languages) RenderHTML(ctx context.Context, shared SharedData) (string, a
 
 	return "_dashboard_hchart.gohtml", struct {
 		Context      context.Context
+		Base         string
 		ID           int
 		CanConfigure bool
 		RowsOnly     bool
@@ -63,6 +64,6 @@ func (w Languages) RenderHTML(ctx context.Context, shared SharedData) (string, a
 		Header       string
 		TotalUTC     int
 		Stats        goatcounter.HitStats
-	}{ctx, w.id, true, shared.RowsOnly, false, w.loaded, w.err, isCol(ctx, goatcounter.CollectLanguage),
+	}{ctx, goatcounter.Config(ctx).BasePath, w.id, true, shared.RowsOnly, false, w.loaded, w.err, isCol(ctx, goatcounter.CollectLanguage),
 		header, shared.TotalUTC, w.Stats}
 }
diff --git a/widgets/locations.go b/widgets/locations.go
index c8e278427..72efb2837 100644
--- a/widgets/locations.go
+++ b/widgets/locations.go
@@ -69,6 +69,7 @@ func (w Locations) RenderHTML(ctx context.Context, shared SharedData) (string, a
 
 	return "_dashboard_hchart.gohtml", struct {
 		Context      context.Context
+		Base         string
 		ID           int
 		CanConfigure bool
 		RowsOnly     bool
@@ -80,6 +81,6 @@ func (w Locations) RenderHTML(ctx context.Context, shared SharedData) (string, a
 		TotalUTC     int
 		Stats        goatcounter.HitStats
 		Detail       string
-	}{ctx, w.id, true, shared.RowsOnly, w.Detail == "", w.loaded, w.err, isCol(ctx, goatcounter.CollectLocation),
+	}{ctx, goatcounter.Config(ctx).BasePath, w.id, true, shared.RowsOnly, w.Detail == "", w.loaded, w.err, isCol(ctx, goatcounter.CollectLocation),
 		header, shared.TotalUTC, w.Stats, w.Detail}
 }
diff --git a/widgets/sizes.go b/widgets/sizes.go
index fed5376e0..7a431ddfb 100644
--- a/widgets/sizes.go
+++ b/widgets/sizes.go
@@ -54,6 +54,7 @@ func (w *Sizes) GetData(ctx context.Context, a Args) (more bool, err error) {
 func (w Sizes) RenderHTML(ctx context.Context, shared SharedData) (string, any) {
 	return "_dashboard_hchart.gohtml", struct {
 		Context      context.Context
+		Base         string
 		ID           int
 		CanConfigure bool
 		RowsOnly     bool
@@ -65,7 +66,7 @@ func (w Sizes) RenderHTML(ctx context.Context, shared SharedData) (string, any)
 		TotalUTC     int
 		Stats        goatcounter.HitStats
 		Detail       string
-	}{ctx, w.id, false, shared.RowsOnly, w.Detail == "", w.loaded, w.err, isCol(ctx, goatcounter.CollectScreenSize),
+	}{ctx, goatcounter.Config(ctx).BasePath, w.id, false, shared.RowsOnly, w.Detail == "", w.loaded, w.err, isCol(ctx, goatcounter.CollectScreenSize),
 		z18n.T(ctx, "header/sizes|Sizes"),
 		shared.TotalUTC, w.Stats, w.Detail}
 }
diff --git a/widgets/systems.go b/widgets/systems.go
index 657e118c5..cd78a32da 100644
--- a/widgets/systems.go
+++ b/widgets/systems.go
@@ -59,6 +59,7 @@ func (w *Systems) GetData(ctx context.Context, a Args) (more bool, err error) {
 func (w Systems) RenderHTML(ctx context.Context, shared SharedData) (string, any) {
 	return "_dashboard_hchart.gohtml", struct {
 		Context      context.Context
+		Base         string
 		ID           int
 		CanConfigure bool
 		RowsOnly     bool
@@ -70,7 +71,7 @@ func (w Systems) RenderHTML(ctx context.Context, shared SharedData) (string, any
 		TotalUTC     int
 		Stats        goatcounter.HitStats
 		Detail       string
-	}{ctx, w.id, true, shared.RowsOnly, w.Detail == "", w.loaded, w.err, isCol(ctx, goatcounter.CollectUserAgent),
+	}{ctx, goatcounter.Config(ctx).BasePath, w.id, true, shared.RowsOnly, w.Detail == "", w.loaded, w.err, isCol(ctx, goatcounter.CollectUserAgent),
 		z18n.T(ctx, "header/systems|Systems"),
 		shared.TotalUTC, w.Stats, w.Detail}
 }

From bb729fa5aab614de019310bcd7b917b94026bf32 Mon Sep 17 00:00:00 2001
From: Mitchell Kember <mk12360@gmail.com>
Date: Sun, 18 Aug 2024 16:00:09 -0700
Subject: [PATCH 02/16] Address comments

- Trim slash from start and end of -base-path
- Go back to === in help.js
---
 cmd/goatcounter/serve.go | 17 ++++++-----------
 public/help.js           |  2 +-
 2 files changed, 7 insertions(+), 12 deletions(-)

diff --git a/cmd/goatcounter/serve.go b/cmd/goatcounter/serve.go
index e828ed558..35c4c2e22 100644
--- a/cmd/goatcounter/serve.go
+++ b/cmd/goatcounter/serve.go
@@ -81,10 +81,11 @@ Flags:
   -public-port Port your site is publicly accessible on. Only needed if it's
                not 80 or 443.
 
-  -base-path   Base path to use in URLs sent back to the client. Default: "/".
-               You need this if you are reverse proxying GoatCounter into a
-               subdirectory of your website. This does not affect routing, since
-               it is assumed the reverse proxy will strip off the base path.
+  -base-path   Path under which GoatCounter is available. Usually GoatCounter
+               runs on its own domain or subdomain ("stats.example.com"), but in
+               some cases it's useful to run GoatCounter under a path
+               ("example.com/stats"), in which case you'll beed to set this to
+               "/stats".
 
   -automigrate Automatically run all pending migrations on startup.
 
@@ -182,13 +183,7 @@ func cmdServe(f zli.Flags, ready chan<- struct{}, stop chan struct{}) error {
 			flagTLS = map[bool]string{true: "http", false: "acme,rdr"}[dev]
 		}
 
-		if !strings.HasPrefix(basePath, "/") {
-			return fmt.Errorf("invalid -base-path flag: %q: must start with a slash", basePath)
-		}
-		if i := len(basePath) - 1; basePath[i] == '/' {
-			basePath = basePath[:i]
-		}
-
+		basePath = "/" + strings.Trim(basePath, "/")
 		var domainCount, urlStatic string
 		if domainStatic != "" {
 			if p := strings.Index(domainStatic, ":"); p > -1 {
diff --git a/public/help.js b/public/help.js
index 7caa9ad7a..0a0402a3c 100644
--- a/public/help.js
+++ b/public/help.js
@@ -28,7 +28,7 @@ if (expand)
 			})
 	})
 
-if (window.location.pathname == basePath + '/help/visitor-counter') {
+if (window.location.pathname === basePath + '/help/visitor-counter') {
 	var t = setInterval(function() {
 		if (window.goatcounter && window.goatcounter.visit_count) {
 			clearInterval(t)

From f6375507d0b790f97199baf73e43497335346bb0 Mon Sep 17 00:00:00 2001
From: Mitchell Kember <mk12360@gmail.com>
Date: Sun, 18 Aug 2024 16:11:24 -0700
Subject: [PATCH 03/16] Add {{.Base}} in Markdown

Didn't realize these were templates at first
---
 tpl/help/api.md     |  2 +-
 tpl/help/backend.md |  2 +-
 tpl/help/csp.md     |  2 +-
 tpl/help/domains.md |  2 +-
 tpl/help/js.md      |  9 +++++----
 tpl/help/modify.md  |  4 ++--
 tpl/help/path.md    |  2 +-
 tpl/help/pixel.md   |  4 ++--
 tpl/help/start.md   | 11 ++++++-----
 9 files changed, 20 insertions(+), 18 deletions(-)

diff --git a/tpl/help/api.md b/tpl/help/api.md
index ccd3bd49a..739c13903 100644
--- a/tpl/help/api.md
+++ b/tpl/help/api.md
@@ -63,7 +63,7 @@ API reference
 -------------
 API reference docs are available at:
 
-- [/api.json](/api.json) – OpenAPI 2.0 JSON file.
+- [/api.json]({{.Base}}/api.json) – OpenAPI 2.0 JSON file.
 - Online viewer: [RapiDoc][1], [SwaggerHub][2] <!-- too broken for now  [simple HTML][3] -->
 
 [1]: /api2.html
diff --git a/tpl/help/backend.md b/tpl/help/backend.md
index 51c29db15..eaac3d455 100644
--- a/tpl/help/backend.md
+++ b/tpl/help/backend.md
@@ -11,4 +11,4 @@ A simple example from `curl`:
         -H "Authorization: Bearer $token" \
         --data '{"no_sessions": true, "hits": [{"path": "/one"}, {"path": "/two"}]}'
 
-The [API documentation](/api) contains detailed information and more examples.
+The [API documentation]({{.Base}}/api) contains detailed information and more examples.
diff --git a/tpl/help/csp.md b/tpl/help/csp.md
index b5e2c5b44..9ae2dbb17 100644
--- a/tpl/help/csp.md
+++ b/tpl/help/csp.md
@@ -11,4 +11,4 @@ The `script-src` is needed to load the `count.js` script, and the `connect-src`
 is needed to send pageviews to GoatCounter via `navigator.sendBeacon`.
 
 Alternatively you can host the `count.js` script anywhere you want, or include
-it directly in your page. See [count.js hosting](/code/countjs-host).
+it directly in your page. See [count.js hosting]({{.Base}}/code/countjs-host).
diff --git a/tpl/help/domains.md b/tpl/help/domains.md
index 630a862a6..8bcac25c9 100644
--- a/tpl/help/domains.md
+++ b/tpl/help/domains.md
@@ -24,4 +24,4 @@ This might be improved at some point in the future; the options right now are:
    identifying the source.
 
 
-Also see [setting the endpoint in JavaScript](/code/modify#setting-the-endpoint-in-javascript-4).
+Also see [setting the endpoint in JavaScript]({{.Base}}/code/modify#setting-the-endpoint-in-javascript-4).
diff --git a/tpl/help/js.md b/tpl/help/js.md
index 1202c68e8..ab806e158 100644
--- a/tpl/help/js.md
+++ b/tpl/help/js.md
@@ -3,8 +3,9 @@ is by far the easiest way to integrate GoatCounter, but other options are
 available too.
 
 The script is located at http://gc.zgo.at/count.js; although you can [host it
-somewhere else](/code/countjs-host) if you want, and there are a [stable
-versions](/code/countjs-versions) that can use subresource integrity.
+somewhere else]({{.Base}}/code/countjs-host) if you want, and there are a
+[stable versions]({{.Base}}/code/countjs-versions) that can use subresource
+integrity.
 
 This script is served unminified by design so it can be easily examined. It's
 not very large (~3.2K), and minifying would reduce it by just ~1K so you're not
@@ -83,7 +84,7 @@ as the path:
     {{template "code" .}}
 
 A few more advanced examples are listed in [Change data before it's sent to
-GoatCounter](/code/modify).
+GoatCounter]({{.Base}}/code/modify).
 
 Methods
 -------
@@ -133,7 +134,7 @@ Bind a click event to every element with `data-goatcounter-click`. Called on
 page load unless `no_onload` or `no_events` is set. You may need to call this
 manually if you insert elements after the page loads.
 
-See [Events](/code/events) for more details about events.
+See [Events]({{.Base}}/code/events) for more details about events.
 
 ### `get_query(name)`
 Get a single query parameter from the current page’s URL; returns `undefined` if
diff --git a/tpl/help/modify.md b/tpl/help/modify.md
index 6349a1ac5..2f51630d0 100644
--- a/tpl/help/modify.md
+++ b/tpl/help/modify.md
@@ -1,6 +1,6 @@
 A few examples on how to modify various parameters in the [JavaScript
-API](/code/js). Also see [Control the path that's sent to
-GoatCounter](/code/path).
+API]({{.Base}}/code/js). Also see [Control the path that's sent to
+GoatCounter]({{.Base}}/code/path).
 
 Custom path and referrer
 ------------------------
diff --git a/tpl/help/path.md b/tpl/help/path.md
index fede21d0c..f135b66ba 100644
--- a/tpl/help/path.md
+++ b/tpl/help/path.md
@@ -63,4 +63,4 @@ individual query parameters with `goatcounter.get_query()`:
 Note this example uses a callback, since `goatcounter.get_query()` won't be
 defined yet if we just used an object.
 
-See the [JavaScript API](/code/js) page for more details JS API.
+See the [JavaScript API]({{.Base}}/code/js) page for more details JS API.
diff --git a/tpl/help/pixel.md b/tpl/help/pixel.md
index 00f044a53..63617f152 100644
--- a/tpl/help/pixel.md
+++ b/tpl/help/pixel.md
@@ -12,8 +12,8 @@ Or with CSS:
     </style>
 
 Or you can build your own JavaScript integration if you want. Use the
-[API](/code/backend) if you want to send data from the backend; `/count` is only
-intended to be loaded by the visitor's browser.
+[API]({{.Base}}/code/backend) if you want to send data from the backend;
+`/count` is only intended to be loaded by the visitor's browser.
 
 The tracking pixel won’t allow recording the referrer or screen size, and may
 also increase the number of bot requests (it's harder to filter them out with
diff --git a/tpl/help/start.md b/tpl/help/start.md
index e4a4e63c4..93a4331be 100644
--- a/tpl/help/start.md
+++ b/tpl/help/start.md
@@ -54,8 +54,8 @@ After setup
 
 Here are some things you may want to look at after setting up the above:
 
-- Make sure GoatCounter is allowed in the [Content-Security-Policy](/code/csp)
-  if you're using it.
+- Make sure GoatCounter is allowed in the
+  [Content-Security-Policy]({{.Base}}/code/csp) if you're using it.
 
 - If you're not seeing any pageviews then chances are your browser's adblocker
   is blocking it. Disable it and check again. It can take about 10 seconds for
@@ -65,7 +65,8 @@ Here are some things you may want to look at after setting up the above:
 
         <link rel="canonical" href="https://example.com/path.html">
 
-    See [Control the path that's sent to GoatCounter](/code/path) for more details.
+    See [Control the path that's sent to GoatCounter]({{.Base}}/code/path) for
+    more details.
 
-- [Prevent tracking my own pageviews?](/code/skip-dev) documents some ways you
-  can ignore your own pageviews from showing up in the dashboard.
+- [Prevent tracking my own pageviews?]({{.Base}}/code/skip-dev) documents some
+  ways you can ignore your own pageviews from showing up in the dashboard.

From ac1f4dba266a7ad268206f8b2f2d79e1d6774de9 Mon Sep 17 00:00:00 2001
From: Mitchell Kember <mk12360@gmail.com>
Date: Sun, 18 Aug 2024 17:26:39 -0700
Subject: [PATCH 04/16] Rely on arp242/zhttp#6, and use base path in router

- Remove redirect.go. Instead rely on https://github.com/arp242/zhttp/pull/6.
- Use -bath-path in the router so that it's actually served under
  that path rather than needing the reverse proxy to strip it.
---
 cmd/goatcounter/saas.go   |  4 +--
 cmd/goatcounter/serve.go  |  6 ++--
 handlers/backend.go       | 14 ++++++---
 handlers/bosmang.go       |  4 +--
 handlers/handlers.go      |  7 +++--
 handlers/i18n.go          |  6 ++--
 handlers/mw.go            |  2 +-
 handlers/redirect.go      | 27 ----------------
 handlers/settings.go      | 38 +++++++++++-----------
 handlers/settings_user.go |  8 ++---
 handlers/user.go          | 66 +++++++++++++++++++--------------------
 handlers/website.go       | 20 ++++++------
 tpl/error.gohtml          |  3 +-
 13 files changed, 94 insertions(+), 111 deletions(-)
 delete mode 100644 handlers/redirect.go

diff --git a/cmd/goatcounter/saas.go b/cmd/goatcounter/saas.go
index 5475420e4..5a6092049 100644
--- a/cmd/goatcounter/saas.go
+++ b/cmd/goatcounter/saas.go
@@ -80,10 +80,10 @@ func cmdSaas(f zli.Flags, ready chan<- struct{}, stop chan struct{}) error {
 		hosts := map[string]http.Handler{
 			d:          zhttp.RedirectHost("//www." + domain),
 			"www." + d: handlers.NewWebsite(db, dev),
-			"*":        handlers.NewBackend(db, acmeh, dev, c.GoatcounterCom, websocket, c.DomainStatic, 15, apiMax),
+			"*":        handlers.NewBackend(db, acmeh, dev, c.GoatcounterCom, websocket, c.DomainStatic, c.BasePath, 15, apiMax),
 		}
 		if dev {
-			hosts[znet.RemovePort(domainStatic)] = handlers.NewStatic(chi.NewRouter(), dev, true)
+			hosts[znet.RemovePort(domainStatic)] = handlers.NewStatic(chi.NewRouter(), dev, true, c.BasePath)
 		}
 
 		return doServe(ctx, db, listen, listenTLS, tlsc, hosts, stop, func() {
diff --git a/cmd/goatcounter/serve.go b/cmd/goatcounter/serve.go
index 35c4c2e22..8f7afd5f2 100644
--- a/cmd/goatcounter/serve.go
+++ b/cmd/goatcounter/serve.go
@@ -184,6 +184,8 @@ func cmdServe(f zli.Flags, ready chan<- struct{}, stop chan struct{}) error {
 		}
 
 		basePath = "/" + strings.Trim(basePath, "/")
+		zhttp.BasePath = basePath
+
 		var domainCount, urlStatic string
 		if domainStatic != "" {
 			if p := strings.Index(domainStatic, ":"); p > -1 {
@@ -222,12 +224,12 @@ func cmdServe(f zli.Flags, ready chan<- struct{}, stop chan struct{}) error {
 
 		// Set up HTTP handler and servers.
 		hosts := map[string]http.Handler{
-			"*": handlers.NewBackend(db, acmeh, dev, c.GoatcounterCom, websocket, c.DomainStatic, 60, apiMax),
+			"*": handlers.NewBackend(db, acmeh, dev, c.GoatcounterCom, websocket, c.DomainStatic, c.BasePath, 60, apiMax),
 		}
 		if domainStatic != "" {
 			// May not be needed, but just in case the DomainStatic isn't an
 			// external CDN.
-			hosts[znet.RemovePort(domainStatic)] = handlers.NewStatic(chi.NewRouter(), dev, false)
+			hosts[znet.RemovePort(domainStatic)] = handlers.NewStatic(chi.NewRouter(), dev, false, c.BasePath)
 		}
 
 		cnames, err := lsSites(ctx)
diff --git a/handlers/backend.go b/handlers/backend.go
index 3466eae1e..dd66616dc 100644
--- a/handlers/backend.go
+++ b/handlers/backend.go
@@ -19,8 +19,14 @@ import (
 	"zgo.at/zstd/zfs"
 )
 
-func NewBackend(db zdb.DB, acmeh http.HandlerFunc, dev, goatcounterCom, websocket bool, domainStatic string, dashTimeout, apiMax int) chi.Router {
-	r := chi.NewRouter()
+func NewBackend(db zdb.DB, acmeh http.HandlerFunc, dev, goatcounterCom, websocket bool, domainStatic string, basePath string, dashTimeout, apiMax int) chi.Router {
+	root := chi.NewRouter()
+	r := root
+	if basePath != "" {
+		r = chi.NewRouter()
+		root.Mount(basePath+"/", r)
+	}
+
 	backend{dashTimeout, websocket}.Mount(r, db, dev, domainStatic, dashTimeout, apiMax)
 
 	if acmeh != nil {
@@ -28,10 +34,10 @@ func NewBackend(db zdb.DB, acmeh http.HandlerFunc, dev, goatcounterCom, websocke
 	}
 
 	if !goatcounterCom {
-		NewStatic(r, dev, goatcounterCom)
+		NewStatic(r, dev, goatcounterCom, basePath)
 	}
 
-	return r
+	return root
 }
 
 type backend struct {
diff --git a/handlers/bosmang.go b/handlers/bosmang.go
index 8263f7928..36930f0e0 100644
--- a/handlers/bosmang.go
+++ b/handlers/bosmang.go
@@ -32,7 +32,7 @@ func (h bosmang) mount(r chi.Router, db zdb.DB) {
 	a := r.With(mware.RequestLog(nil), requireAccess(goatcounter.AccessSuperuser))
 
 	r.Get("/bosmang", zhttp.Wrap(func(w http.ResponseWriter, r *http.Request) error {
-		return MovedPermanently(w, r, "/settings/server")
+		return zhttp.MovedPermanently(w, "/settings/server")
 	}))
 
 	a.Get("/bosmang/cache", zhttp.Wrap(h.cache))
@@ -98,7 +98,7 @@ func (h bosmang) runTask(w http.ResponseWriter, r *http.Request) error {
 	})
 
 	zhttp.Flash(w, "Task %q started", id)
-	return SeeOther(w, r, "/bosmang/bgrun")
+	return zhttp.SeeOther(w, "/bosmang/bgrun")
 }
 
 func (h bosmang) metrics(w http.ResponseWriter, r *http.Request) error {
diff --git a/handlers/handlers.go b/handlers/handlers.go
index 4756e1677..51b45aa7f 100644
--- a/handlers/handlers.go
+++ b/handlers/handlers.go
@@ -126,7 +126,7 @@ func newGlobals(w http.ResponseWriter, r *http.Request) Globals {
 	return g
 }
 
-func NewStatic(r chi.Router, dev, goatcounterCom bool) chi.Router {
+func NewStatic(r chi.Router, dev, goatcounterCom bool, basePath string) chi.Router {
 	var cache map[string]int
 	if !dev {
 		cache = map[string]int{
@@ -143,6 +143,9 @@ func NewStatic(r chi.Router, dev, goatcounterCom bool) chi.Router {
 	s.Header("/count.js", map[string]string{
 		"Cross-Origin-Resource-Policy": "cross-origin",
 	})
-	r.Get("/*", s.ServeHTTP)
+	r.Get("/*", func(w http.ResponseWriter, r *http.Request) {
+		r.URL.Path = strings.TrimPrefix(r.URL.Path, basePath)
+		s.ServeHTTP(w, r)
+	})
 	return r
 }
diff --git a/handlers/i18n.go b/handlers/i18n.go
index 3c097f89b..e14c68022 100644
--- a/handlers/i18n.go
+++ b/handlers/i18n.go
@@ -187,7 +187,7 @@ func (h i18n) new(w http.ResponseWriter, r *http.Request) error {
 	}
 
 	zhttp.Flash(w, "%q added", args.Language)
-	return SeeOther(w, r, "/i18n")
+	return zhttp.SeeOther(w, "/i18n")
 }
 
 func (h i18n) save(w http.ResponseWriter, r *http.Request) error {
@@ -266,7 +266,7 @@ func (h i18n) set(w http.ResponseWriter, r *http.Request) error {
 	}
 
 	zhttp.Flash(w, "language set to %q", lang)
-	return SeeOther(w, r, "/i18n")
+	return zhttp.SeeOther(w, "/i18n")
 }
 
 func (h i18n) submit(w http.ResponseWriter, r *http.Request) error {
@@ -294,5 +294,5 @@ func (h i18n) submit(w http.ResponseWriter, r *http.Request) error {
 	}()
 
 	zhttp.Flash(w, "email sent to support@goatcounter.com; I'll take a look as soon as possible.")
-	return SeeOther(w, r, "/i18n/"+file)
+	return zhttp.SeeOther(w, "/i18n/"+file)
 }
diff --git a/handlers/mw.go b/handlers/mw.go
index a855f7022..2fa9c326f 100644
--- a/handlers/mw.go
+++ b/handlers/mw.go
@@ -290,7 +290,7 @@ func noSites(db zdb.DB, w http.ResponseWriter, r *http.Request) {
 			tplErr = errors.Unwrap(tplErr) // Remove "zdb.TX fn: "
 		}
 		if tplErr == nil && !v.HasErrors() {
-			SeeOther(w, r, "/")
+			zhttp.SeeOther(w, "/")
 		}
 	}
 
diff --git a/handlers/redirect.go b/handlers/redirect.go
deleted file mode 100644
index 229a43b54..000000000
--- a/handlers/redirect.go
+++ /dev/null
@@ -1,27 +0,0 @@
-// Copyright © Martin Tournoij – This file is part of GoatCounter and published
-// under the terms of a slightly modified EUPL v1.2 license, which can be found
-// in the LICENSE file or at https://license.goatcounter.com
-
-package handlers
-
-import (
-	"fmt"
-	"net/http"
-
-	"zgo.at/goatcounter/v2"
-	"zgo.at/zhttp"
-)
-
-func MovedPermanently(w http.ResponseWriter, r *http.Request, path string) error {
-	if path == "" || path[0] != '/' {
-		panic(fmt.Sprintf("handlers.MovedPermantly: %q does not start with slash", path))
-	}
-	return zhttp.MovedPermanently(w, goatcounter.Config(r.Context()).BasePath+path)
-}
-
-func SeeOther(w http.ResponseWriter, r *http.Request, path string) error {
-	if path == "" || path[0] != '/' {
-		panic(fmt.Sprintf("handlers.SeeOther: %q does not start with slash", path))
-	}
-	return zhttp.SeeOther(w, goatcounter.Config(r.Context()).BasePath+path)
-}
diff --git a/handlers/settings.go b/handlers/settings.go
index a82a995d2..5737b54c3 100644
--- a/handlers/settings.go
+++ b/handlers/settings.go
@@ -42,7 +42,7 @@ type settings struct{}
 func (h settings) mount(r chi.Router) {
 	{ // User settings.
 		r.Get("/user", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			SeeOther(w, r, "/user/pref")
+			zhttp.SeeOther(w, "/user/pref")
 		}))
 
 		r.Get("/user/pref", zhttp.Wrap(h.userPref(nil)))
@@ -63,7 +63,7 @@ func (h settings) mount(r chi.Router) {
 		set := r.With(requireAccess(goatcounter.AccessSettings))
 
 		set.Get("/settings", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			SeeOther(w, r, "/settings/main")
+			zhttp.SeeOther(w, "/settings/main")
 		}))
 		set.Get("/settings/main", zhttp.Wrap(func(w http.ResponseWriter, r *http.Request) error {
 			return h.main(nil)(w, r)
@@ -209,7 +209,7 @@ func (h settings) mainSave(w http.ResponseWriter, r *http.Request) error {
 	}
 
 	zhttp.Flash(w, T(r.Context(), "notify/saved|Saved!"))
-	return SeeOther(w, r, "/settings")
+	return zhttp.SeeOther(w, "/settings")
 }
 
 func (h settings) changeCode(w http.ResponseWriter, r *http.Request) error {
@@ -299,7 +299,7 @@ func (h settings) sitesAdd(w http.ResponseWriter, r *http.Request) error {
 		}
 
 		zhttp.Flash(w, T(r.Context(), "notify/restored-previously-deleted-site|Site ‘%(url)’ was previously deleted; restored site with all data.", newSite.URL(r.Context())))
-		return SeeOther(w, r, "/settings/sites")
+		return zhttp.SeeOther(w, "/settings/sites")
 	}
 
 	// Create new site.
@@ -317,11 +317,11 @@ func (h settings) sitesAdd(w http.ResponseWriter, r *http.Request) error {
 	})
 	if err != nil {
 		zhttp.FlashError(w, err.Error())
-		return SeeOther(w, r, "/settings/sites")
+		return zhttp.SeeOther(w, "/settings/sites")
 	}
 
 	zhttp.Flash(w, T(r.Context(), "notify/site-added|Site ‘%(url)’ added.", newSite.URL(r.Context())))
-	return SeeOther(w, r, "/settings/sites")
+	return zhttp.SeeOther(w, "/settings/sites")
 }
 
 func (h settings) getSite(ctx context.Context, id int64) (*goatcounter.Site, error) {
@@ -388,11 +388,11 @@ func (h settings) sitesRemove(w http.ResponseWriter, r *http.Request) error {
 		err = parent.ByID(r.Context(), *s.Parent)
 		if err != nil {
 			zlog.Error(err)
-			return SeeOther(w, r, "/")
+			return zhttp.SeeOther(w, "/")
 		}
-		return SeeOther(w, r, parent.URL(r.Context()))
+		return zhttp.SeeOther(w, parent.URL(r.Context()))
 	}
-	return SeeOther(w, r, "/settings/sites")
+	return zhttp.SeeOther(w, "/settings/sites")
 }
 
 func (h settings) sitesCopySettings(w http.ResponseWriter, r *http.Request) error {
@@ -436,7 +436,7 @@ func (h settings) sitesCopySettings(w http.ResponseWriter, r *http.Request) erro
 	}
 
 	zhttp.Flash(w, T(r.Context(), "notify/settings-copied-to-site|Settings copied to the selected sites."))
-	return SeeOther(w, r, "/settings/sites")
+	return zhttp.SeeOther(w, "/settings/sites")
 }
 
 func (h settings) purge(w http.ResponseWriter, r *http.Request) error {
@@ -486,7 +486,7 @@ func (h settings) purgeDo(w http.ResponseWriter, r *http.Request) error {
 	})
 
 	zhttp.Flash(w, T(r.Context(), "notify/started-background-process|Started in the background; may take about 10-20 seconds to fully process."))
-	return SeeOther(w, r, "/settings/purge")
+	return zhttp.SeeOther(w, "/settings/purge")
 }
 
 func (h settings) merge(w http.ResponseWriter, r *http.Request) error {
@@ -512,7 +512,7 @@ func (h settings) merge(w http.ResponseWriter, r *http.Request) error {
 	})
 
 	zhttp.Flash(w, T(r.Context(), "notify/started-background-process|Started in the background; may take about 10-20 seconds to fully process."))
-	return SeeOther(w, r, "/settings/purge")
+	return zhttp.SeeOther(w, "/settings/purge")
 }
 
 func (h settings) export(verr *zvalidate.Validator) zhttp.HandlerFunc {
@@ -548,7 +548,7 @@ func (h settings) exportDownload(w http.ResponseWriter, r *http.Request) error {
 	if err != nil {
 		if os.IsNotExist(err) {
 			zhttp.FlashError(w, T(r.Context(), "error/export-expired|It looks like there is no export yet or the export has expired."))
-			return SeeOther(w, r, "/settings/export")
+			return zhttp.SeeOther(w, "/settings/export")
 		}
 
 		return err
@@ -633,7 +633,7 @@ func (h settings) exportImport(w http.ResponseWriter, r *http.Request) error {
 	})
 
 	zhttp.Flash(w, T(r.Context(), "notify/import-started-in-background|Import started in the background; you’ll get an email when it’s done."))
-	return SeeOther(w, r, "/settings/export")
+	return zhttp.SeeOther(w, "/settings/export")
 }
 
 func (h settings) exportStart(w http.ResponseWriter, r *http.Request) error {
@@ -656,7 +656,7 @@ func (h settings) exportStart(w http.ResponseWriter, r *http.Request) error {
 		func() { export.Run(ctx, fp, true) })
 
 	zhttp.Flash(w, T(r.Context(), "notify/export-started-in-background|Export started in the background; you’ll get an email with a download link when it’s done."))
-	return SeeOther(w, r, "/settings/export")
+	return zhttp.SeeOther(w, "/settings/export")
 }
 
 func (h settings) delete(verr *zvalidate.Validator) zhttp.HandlerFunc {
@@ -713,7 +713,7 @@ func (h settings) deleteDo(w http.ResponseWriter, r *http.Request) error {
 	if err != nil {
 		return err
 	}
-	return SeeOther(w, r, "https://"+goatcounter.Config(r.Context()).Domain)
+	return zhttp.SeeOther(w, "https://"+goatcounter.Config(r.Context()).Domain)
 }
 
 func (h settings) users(verr *zvalidate.Validator) zhttp.HandlerFunc {
@@ -829,7 +829,7 @@ func (h settings) usersAdd(w http.ResponseWriter, r *http.Request) error {
 	})
 
 	zhttp.Flash(w, T(r.Context(), "notify/user-added|User ‘%(email)’ added.", newUser.Email))
-	return SeeOther(w, r, "/settings/users")
+	return zhttp.SeeOther(w, "/settings/users")
 }
 
 func (h settings) usersEdit(w http.ResponseWriter, r *http.Request) error {
@@ -887,7 +887,7 @@ func (h settings) usersEdit(w http.ResponseWriter, r *http.Request) error {
 	}
 
 	zhttp.Flash(w, T(r.Context(), "notify/users-edited|User ‘%(email)’ edited.", editUser.Email))
-	return SeeOther(w, r, "/settings/users")
+	return zhttp.SeeOther(w, "/settings/users")
 }
 
 func (h settings) usersRemove(w http.ResponseWriter, r *http.Request) error {
@@ -915,7 +915,7 @@ func (h settings) usersRemove(w http.ResponseWriter, r *http.Request) error {
 	}
 
 	zhttp.Flash(w, T(r.Context(), "notify/user-removed|User ‘%(email)’ removed.", user.Email))
-	return SeeOther(w, r, "/settings/users")
+	return zhttp.SeeOther(w, "/settings/users")
 }
 
 func (h settings) bosmang(w http.ResponseWriter, r *http.Request) error {
diff --git a/handlers/settings_user.go b/handlers/settings_user.go
index 77160431a..647bfb1a2 100644
--- a/handlers/settings_user.go
+++ b/handlers/settings_user.go
@@ -55,7 +55,7 @@ func (h settings) userPrefSave(w http.ResponseWriter, r *http.Request) error {
 
 	if oldFewerNums && !args.User.Settings.FewerNumbers && args.User.Settings.FewerNumbersLockUntil.After(ztime.Now()) {
 		zhttp.FlashError(w, "Nice try")
-		return SeeOther(w, r, "/user/pref")
+		return zhttp.SeeOther(w, "/user/pref")
 	}
 
 	if args.FewerNumbersLock != "" {
@@ -99,7 +99,7 @@ func (h settings) userPrefSave(w http.ResponseWriter, r *http.Request) error {
 	}
 
 	zhttp.Flash(w, T(r.Context(), "notify/saved|Saved!"))
-	return SeeOther(w, r, "/user/pref")
+	return zhttp.SeeOther(w, "/user/pref")
 }
 
 func (h settings) userDashboardWidget(w http.ResponseWriter, r *http.Request) error {
@@ -213,7 +213,7 @@ func (h settings) userDashboardSave(w http.ResponseWriter, r *http.Request) erro
 			return err
 		}
 		zhttp.Flash(w, T(r.Context(), "notify/reset-to-default|Reset to defaults!"))
-		return SeeOther(w, r, "/user/dashboard")
+		return zhttp.SeeOther(w, "/user/dashboard")
 	}
 
 	if len(args.Widgets) == 0 {
@@ -257,7 +257,7 @@ func (h settings) userDashboardSave(w http.ResponseWriter, r *http.Request) erro
 	}
 
 	zhttp.Flash(w, "Saved!")
-	return SeeOther(w, r, "/user/dashboard")
+	return zhttp.SeeOther(w, "/user/dashboard")
 }
 
 func (h settings) userAuth(verr *zvalidate.Validator) zhttp.HandlerFunc {
diff --git a/handlers/user.go b/handlers/user.go
index cfe0186ea..64346ee05 100644
--- a/handlers/user.go
+++ b/handlers/user.go
@@ -54,7 +54,7 @@ func (h user) mount(r chi.Router) {
 	rate.Post("/user/requestlogin", zhttp.Wrap(h.requestLogin))
 	r.Get("/user/requestlogin", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		// Redirect, as panic()s and such can end up here.
-		SeeOther(w, r, "/user/new")
+		zhttp.SeeOther(w, "/user/new")
 	}))
 	rate.Post("/user/totplogin", zhttp.Wrap(h.totpLogin))
 	rate.Get("/user/reset/{key}", zhttp.Wrap(h.reset))
@@ -76,7 +76,7 @@ func (h user) mount(r chi.Router) {
 func (h user) login(w http.ResponseWriter, r *http.Request) error {
 	u := User(r.Context())
 	if u != nil && u.ID > 0 {
-		return SeeOther(w, r, "/")
+		return zhttp.SeeOther(w, "/")
 	}
 
 	return zhttp.Template(w, "user.gohtml", struct {
@@ -88,7 +88,7 @@ func (h user) login(w http.ResponseWriter, r *http.Request) error {
 func (h user) forgot(w http.ResponseWriter, r *http.Request) error {
 	u := User(r.Context())
 	if u != nil && u.ID > 0 {
-		return SeeOther(w, r, "/")
+		return zhttp.SeeOther(w, "/")
 	}
 
 	return zhttp.Template(w, "user_forgot_pw.gohtml", struct {
@@ -102,7 +102,7 @@ func (h user) forgot(w http.ResponseWriter, r *http.Request) error {
 func (h user) requestReset(w http.ResponseWriter, r *http.Request) error {
 	u := User(r.Context())
 	if u != nil && u.ID > 0 {
-		return SeeOther(w, r, "/")
+		return zhttp.SeeOther(w, "/")
 	}
 
 	// Legacy email flow.
@@ -118,7 +118,7 @@ func (h user) requestReset(w http.ResponseWriter, r *http.Request) error {
 	if err != nil {
 		if zdb.ErrNoRows(err) {
 			zhttp.FlashError(w, T(r.Context(), "error/reset-user-no-account|Not an account on this site: %(email)", args.Email))
-			return SeeOther(w, r, fmt.Sprintf("/user/new?email=%s", url.QueryEscape(args.Email)))
+			return zhttp.SeeOther(w, fmt.Sprintf("/user/new?email=%s", url.QueryEscape(args.Email)))
 		}
 		return err
 	}
@@ -142,13 +142,13 @@ func (h user) requestReset(w http.ResponseWriter, r *http.Request) error {
 	})
 
 	zhttp.Flash(w, T(r.Context(), "notify/reset-user-sent|Email sent to %(email)", args.Email))
-	return SeeOther(w, r, "/user/forgot")
+	return zhttp.SeeOther(w, "/user/forgot")
 }
 
 func (h user) requestLogin(w http.ResponseWriter, r *http.Request) error {
 	u := User(r.Context())
 	if u != nil && u.ID > 0 { // Already logged in.
-		return SeeOther(w, r, "/")
+		return zhttp.SeeOther(w, "/")
 	}
 
 	args := struct {
@@ -165,14 +165,14 @@ func (h user) requestLogin(w http.ResponseWriter, r *http.Request) error {
 	if err != nil {
 		if zdb.ErrNoRows(err) {
 			zhttp.FlashError(w, T(r.Context(), "error/login-not-found|User %(email) not found", args.Email))
-			return SeeOther(w, r, "/user/new")
+			return zhttp.SeeOther(w, "/user/new")
 		}
 		return err
 	}
 
 	if user.Password == nil || len(user.Password) == 0 {
 		zhttp.FlashError(w, T(r.Context(), "error/login-no-password|There is no password set for %(email); please reset it", args.Email))
-		return SeeOther(w, r, "/user/forgot?email="+url.QueryEscape(args.Email))
+		return zhttp.SeeOther(w, "/user/forgot?email="+url.QueryEscape(args.Email))
 	}
 
 	err = bcrypt.CompareHashAndPassword(user.Password, []byte(args.Password))
@@ -183,7 +183,7 @@ func (h user) requestLogin(w http.ResponseWriter, r *http.Request) error {
 			zhttp.FlashError(w, "Something went wrong :-( An error has been logged for investigation.") // TODO: should be more generic
 			zlog.FieldsRequest(r).Error(err)
 		}
-		return SeeOther(w, r, "/user/new?email="+url.QueryEscape(args.Email))
+		return zhttp.SeeOther(w, "/user/new?email="+url.QueryEscape(args.Email))
 	}
 
 	err = user.Login(r.Context())
@@ -197,7 +197,7 @@ func (h user) requestLogin(w http.ResponseWriter, r *http.Request) error {
 	}
 
 	auth.SetCookie(w, *user.LoginToken, cookieDomain(Site(r.Context()), r))
-	return SeeOther(w, r, "/")
+	return zhttp.SeeOther(w, "/")
 }
 
 func (h user) totpLogin(w http.ResponseWriter, r *http.Request) error {
@@ -223,7 +223,7 @@ func (h user) totpLogin(w http.ResponseWriter, r *http.Request) error {
 	}
 	if !valid {
 		zhttp.Flash(w, T(r.Context(), "error/login-invalid|Invalid login"))
-		return SeeOther(w, r, "/user/new")
+		return zhttp.SeeOther(w, "/user/new")
 	}
 
 	tokInt, err := strconv.ParseInt(args.Token, 10, 32)
@@ -243,7 +243,7 @@ func (h user) totpLogin(w http.ResponseWriter, r *http.Request) error {
 	}
 
 	auth.SetCookie(w, *u.LoginToken, cookieDomain(Site(r.Context()), r))
-	return SeeOther(w, r, "/")
+	return zhttp.SeeOther(w, "/")
 }
 
 func (h user) totpForm(w http.ResponseWriter, r *http.Request, loginToken, loginMAC string) error {
@@ -297,7 +297,7 @@ func (h user) doReset(w http.ResponseWriter, r *http.Request) error {
 
 	if args.Password != args.Password2 {
 		zhttp.FlashError(w, T(r.Context(), "error/password-does-not-match|Password confirmation doesn’t match."))
-		return SeeOther(w, r, "/user/new")
+		return zhttp.SeeOther(w, "/user/new")
 	}
 
 	err = zdb.TX(r.Context(), func(ctx context.Context) error {
@@ -317,13 +317,13 @@ func (h user) doReset(w http.ResponseWriter, r *http.Request) error {
 		var vErr *zvalidate.Validator
 		if errors.As(err, &vErr) {
 			zhttp.FlashError(w, fmt.Sprintf("%s", err))
-			return SeeOther(w, r, "/user/new")
+			return zhttp.SeeOther(w, "/user/new")
 		}
 		return err
 	}
 
 	zhttp.Flash(w, T(r.Context(), "notify/login-after-password-reset|Password reset; use your new password to login."))
-	return SeeOther(w, r, "/user/new")
+	return zhttp.SeeOther(w, "/user/new")
 }
 
 func (h user) logout(w http.ResponseWriter, r *http.Request) error {
@@ -337,7 +337,7 @@ func (h user) logout(w http.ResponseWriter, r *http.Request) error {
 		}
 		if isBosmang {
 			auth.ClearCookie(w, Site(r.Context()).Domain(r.Context()))
-			return SeeOther(w, r, "https://www.goatcounter.com")
+			return zhttp.SeeOther(w, "https://www.goatcounter.com")
 		}
 	}
 
@@ -348,7 +348,7 @@ func (h user) logout(w http.ResponseWriter, r *http.Request) error {
 	}
 
 	auth.ClearCookie(w, Site(r.Context()).Domain(r.Context()))
-	return SeeOther(w, r, "/")
+	return zhttp.SeeOther(w, "/")
 }
 
 func (h user) disableTOTP(w http.ResponseWriter, r *http.Request) error {
@@ -359,7 +359,7 @@ func (h user) disableTOTP(w http.ResponseWriter, r *http.Request) error {
 	}
 
 	zhttp.Flash(w, T(r.Context(), "notify/disabled-multi-factor-auth|Multi-factor authentication disabled."))
-	return SeeOther(w, r, "/user/auth")
+	return zhttp.SeeOther(w, "/user/auth")
 }
 
 func (h user) enableTOTP(w http.ResponseWriter, r *http.Request) error {
@@ -385,7 +385,7 @@ func (h user) enableTOTP(w http.ResponseWriter, r *http.Request) error {
 		tokGen(-1, nil) != int32(tokInt) &&
 		tokGen(1, nil) != int32(tokInt) {
 		zhttp.FlashError(w, mfaError)
-		return SeeOther(w, r, "/user/auth")
+		return zhttp.SeeOther(w, "/user/auth")
 	}
 
 	err = u.EnableTOTP(r.Context())
@@ -394,7 +394,7 @@ func (h user) enableTOTP(w http.ResponseWriter, r *http.Request) error {
 	}
 
 	zhttp.Flash(w, T(r.Context(), "notify/multi-factor-auth-enabled|Multi-factor authentication enabled."))
-	return SeeOther(w, r, "/user/auth")
+	return zhttp.SeeOther(w, "/user/auth")
 }
 
 func (h user) changePassword(w http.ResponseWriter, r *http.Request) error {
@@ -416,13 +416,13 @@ func (h user) changePassword(w http.ResponseWriter, r *http.Request) error {
 		}
 		if !ok {
 			zhttp.FlashError(w, T(r.Context(), "error/incorrect-password|Current password is incorrect."))
-			return SeeOther(w, r, "/user/auth")
+			return zhttp.SeeOther(w, "/user/auth")
 		}
 	}
 
 	if args.Password != args.Password2 {
 		zhttp.FlashError(w, T(r.Context(), "error/password-does-not-match|Password confirmation doesn’t match."))
-		return SeeOther(w, r, "/user/auth")
+		return zhttp.SeeOther(w, "/user/auth")
 	}
 
 	err = u.UpdatePassword(r.Context(), args.Password)
@@ -430,32 +430,32 @@ func (h user) changePassword(w http.ResponseWriter, r *http.Request) error {
 		var vErr *zvalidate.Validator
 		if errors.As(err, &vErr) {
 			zhttp.FlashError(w, fmt.Sprintf("%s", err))
-			return SeeOther(w, r, "/user/auth")
+			return zhttp.SeeOther(w, "/user/auth")
 		}
 		return err
 	}
 
 	zhttp.Flash(w, T(r.Context(), "notify/password-changed|Password changed."))
-	return SeeOther(w, r, "/user/auth")
+	return zhttp.SeeOther(w, "/user/auth")
 }
 
 func (h user) resendVerify(w http.ResponseWriter, r *http.Request) error {
 	user := User(r.Context())
 	if user.EmailVerified {
 		zhttp.Flash(w, T(r.Context(), "notify/email-already-verified|%(email) is already verified.", user.Email))
-		return SeeOther(w, r, "/")
+		return zhttp.SeeOther(w, "/")
 	}
 
 	sendEmailVerify(r.Context(), Site(r.Context()), user, goatcounter.Config(r.Context()).EmailFrom)
 	zhttp.Flash(w, T(r.Context(), "notify/sent-to-email|Sent to %(email).", user.Email))
-	return SeeOther(w, r, "/")
+	return zhttp.SeeOther(w, "/")
 }
 
 func (h user) newAPIToken(w http.ResponseWriter, r *http.Request) error {
 	user := User(r.Context())
 	if !user.EmailVerified {
 		zhttp.Flash(w, T(r.Context(), "notify/need-email-verification-for-api|You need to verify your email before you can use the API."))
-		return SeeOther(w, r, "/user/auth")
+		return zhttp.SeeOther(w, "/user/auth")
 	}
 
 	var token goatcounter.APIToken
@@ -470,7 +470,7 @@ func (h user) newAPIToken(w http.ResponseWriter, r *http.Request) error {
 	}
 
 	zhttp.Flash(w, T(r.Context(), "notify/api-token-created|API token created."))
-	return SeeOther(w, r, "/user/api")
+	return zhttp.SeeOther(w, "/user/api")
 }
 
 func (h user) deleteAPIToken(w http.ResponseWriter, r *http.Request) error {
@@ -492,7 +492,7 @@ func (h user) deleteAPIToken(w http.ResponseWriter, r *http.Request) error {
 	}
 
 	zhttp.Flash(w, T(r.Context(), "notify/api-token-removed|API token removed."))
-	return SeeOther(w, r, "/user/api")
+	return zhttp.SeeOther(w, "/user/api")
 }
 
 func sendEmailVerify(ctx context.Context, site *goatcounter.Site, user *goatcounter.User, emailFrom string) {
@@ -521,12 +521,12 @@ func (h user) verify(w http.ResponseWriter, r *http.Request) error {
 
 	if user.EmailVerified {
 		zhttp.Flash(w, T(r.Context(), "notify/email-already-verified|%(email) is already verified.", user.Email))
-		return SeeOther(w, r, "/")
+		return zhttp.SeeOther(w, "/")
 	}
 
 	if key != *user.EmailToken {
 		zhttp.FlashError(w, T(r.Context(), "error/wrong-verification-key|Wrong verification key."))
-		return SeeOther(w, r, "/")
+		return zhttp.SeeOther(w, "/")
 	}
 
 	err = user.VerifyEmail(r.Context())
@@ -535,7 +535,7 @@ func (h user) verify(w http.ResponseWriter, r *http.Request) error {
 	}
 
 	zhttp.Flash(w, "%q verified", user.Email)
-	return SeeOther(w, r, "/")
+	return zhttp.SeeOther(w, "/")
 }
 
 // Make sure to use the correct cookie, since both "custom.example.com" and
diff --git a/handlers/website.go b/handlers/website.go
index 25859203b..03923062e 100644
--- a/handlers/website.go
+++ b/handlers/website.go
@@ -92,7 +92,7 @@ func (h website) Mount(r chi.Router, db zdb.DB, dev bool) {
 	}
 
 	r.Get("/translating", zhttp.Wrap(func(w http.ResponseWriter, r *http.Request) error {
-		return MovedPermanently(w, r, "/help/translating")
+		return zhttp.MovedPermanently(w, "/help/translating")
 	}))
 }
 
@@ -108,22 +108,22 @@ func (h website) MountShared(r chi.Router) {
 	r.Get("/contact", zhttp.Wrap(h.tpl))
 
 	r.Get("/terms", zhttp.Wrap(func(w http.ResponseWriter, r *http.Request) error {
-		return MovedPermanently(w, r, "/help/terms")
+		return zhttp.MovedPermanently(w, "/help/terms")
 	}))
 	r.Get("/privacy", zhttp.Wrap(func(w http.ResponseWriter, r *http.Request) error {
-		return MovedPermanently(w, r, "/help/privacy")
+		return zhttp.MovedPermanently(w, "/help/privacy")
 	}))
 	r.Get("/gdpr", zhttp.Wrap(func(w http.ResponseWriter, r *http.Request) error {
-		return MovedPermanently(w, r, "/help/gdpr")
+		return zhttp.MovedPermanently(w, "/help/gdpr")
 	}))
 	r.Get("/api", zhttp.Wrap(func(w http.ResponseWriter, r *http.Request) error {
-		return MovedPermanently(w, r, "/help/api")
+		return zhttp.MovedPermanently(w, "/help/api")
 	}))
 	r.Get("/code", zhttp.Wrap(func(w http.ResponseWriter, r *http.Request) error {
-		return MovedPermanently(w, r, "/help")
+		return zhttp.MovedPermanently(w, "/help")
 	}))
 	r.Get("/code/*", zhttp.Wrap(func(w http.ResponseWriter, r *http.Request) error {
-		return MovedPermanently(w, r, "/help/"+chi.URLParam(r, "*"))
+		return zhttp.MovedPermanently(w, "/help/"+chi.URLParam(r, "*"))
 	}))
 }
 
@@ -199,7 +199,7 @@ func (h website) contact(w http.ResponseWriter, r *http.Request) error {
 	}
 
 	zhttp.Flash(w, "Message sent!")
-	return SeeOther(w, r, args.Return)
+	return zhttp.SeeOther(w, args.Return)
 }
 
 func (h website) openAPI(w http.ResponseWriter, r *http.Request) error {
@@ -470,7 +470,7 @@ func (h website) doForgot(w http.ResponseWriter, r *http.Request) error {
 	})
 
 	zhttp.Flash(w, "List of login URLs mailed to %s", args.Email)
-	return SeeOther(w, r, "/user/forgot")
+	return zhttp.SeeOther(w, "/user/forgot")
 }
 
 func (h website) help(w http.ResponseWriter, r *http.Request) error {
@@ -486,7 +486,7 @@ func (h website) help(w http.ResponseWriter, r *http.Request) error {
 
 	cp := chi.URLParam(r, "*")
 	if cp == "" {
-		return MovedPermanently(w, r, "/help/start")
+		return zhttp.MovedPermanently(w, "/help/start")
 	}
 
 	{
diff --git a/tpl/error.gohtml b/tpl/error.gohtml
index 81401931f..d73a526ff 100644
--- a/tpl/error.gohtml
+++ b/tpl/error.gohtml
@@ -121,8 +121,7 @@ sub {
 </head>
 
 <body>
-  {{/* We should use href="{{.Base}}/" below, but it's not accessible with zhttp.DefaultErrPage. */}}
-	{{if ne .Path "/"}}<nav class="center"><strong><a href="/">← Home</a></strong></nav>{{end}}
+	{{if ne .Path (printf "%s/" .Base) }}<nav class="center"><strong><a href="{{.Base}}/">← Home</a></strong></nav>{{end}}
 	<div class="page">
 		{{if eq .Code 404}}
 			<h1>Not found</h1>

From 2009d1938ec48ffd36981298bfcb9f4f1ba39917 Mon Sep 17 00:00:00 2001
From: Mitchell Kember <mk12360@gmail.com>
Date: Sun, 18 Aug 2024 17:28:06 -0700
Subject: [PATCH 05/16] Fix typo beed -> need

---
 cmd/goatcounter/serve.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmd/goatcounter/serve.go b/cmd/goatcounter/serve.go
index 8f7afd5f2..12280b2b5 100644
--- a/cmd/goatcounter/serve.go
+++ b/cmd/goatcounter/serve.go
@@ -84,7 +84,7 @@ Flags:
   -base-path   Path under which GoatCounter is available. Usually GoatCounter
                runs on its own domain or subdomain ("stats.example.com"), but in
                some cases it's useful to run GoatCounter under a path
-               ("example.com/stats"), in which case you'll beed to set this to
+               ("example.com/stats"), in which case you'll need to set this to
                "/stats".
 
   -automigrate Automatically run all pending migrations on startup.

From 03e76df0705d82784eaa2c7188b1c6b9d9f14980 Mon Sep 17 00:00:00 2001
From: Martin Tournoij <martin@arp242.net>
Date: Mon, 19 Aug 2024 01:34:01 +0100
Subject: [PATCH 06/16] Fix tests

---
 handlers/backend_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/handlers/backend_test.go b/handlers/backend_test.go
index b5111d66c..7bf0d840f 100644
--- a/handlers/backend_test.go
+++ b/handlers/backend_test.go
@@ -249,5 +249,5 @@ func BenchmarkCount(b *testing.B) {
 }
 
 func newBackend(db zdb.DB) chi.Router {
-	return NewBackend(db, nil, true, true, false, "example.com", 10, 0)
+	return NewBackend(db, nil, true, true, false, "example.com", "", 10, 0)
 }

From 3d948bbbbdc0630165cd2fd83fb6875f82dff481 Mon Sep 17 00:00:00 2001
From: Mitchell Kember <mk12360@gmail.com>
Date: Sun, 18 Aug 2024 17:52:10 -0700
Subject: [PATCH 07/16] Fix bug with -base-path parsing

Make sure it's "" for the root, not "/".
---
 cmd/goatcounter/serve.go | 5 ++++-
 handlers/backend.go      | 4 +++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/cmd/goatcounter/serve.go b/cmd/goatcounter/serve.go
index 12280b2b5..4207023dc 100644
--- a/cmd/goatcounter/serve.go
+++ b/cmd/goatcounter/serve.go
@@ -183,7 +183,10 @@ func cmdServe(f zli.Flags, ready chan<- struct{}, stop chan struct{}) error {
 			flagTLS = map[bool]string{true: "http", false: "acme,rdr"}[dev]
 		}
 
-		basePath = "/" + strings.Trim(basePath, "/")
+		basePath = strings.Trim(basePath, "/")
+		if basePath != "" {
+			basePath = "/" + basePath
+		}
 		zhttp.BasePath = basePath
 
 		var domainCount, urlStatic string
diff --git a/handlers/backend.go b/handlers/backend.go
index dd66616dc..a4bdd31a1 100644
--- a/handlers/backend.go
+++ b/handlers/backend.go
@@ -19,7 +19,9 @@ import (
 	"zgo.at/zstd/zfs"
 )
 
-func NewBackend(db zdb.DB, acmeh http.HandlerFunc, dev, goatcounterCom, websocket bool, domainStatic string, basePath string, dashTimeout, apiMax int) chi.Router {
+func NewBackend(db zdb.DB, acmeh http.HandlerFunc, dev, goatcounterCom, websocket bool,
+	domainStatic string, basePath string, dashTimeout, apiMax int,
+) chi.Router {
 	root := chi.NewRouter()
 	r := root
 	if basePath != "" {

From cac93593d2e6bb819ba474e96edd96c63744d262 Mon Sep 17 00:00:00 2001
From: Martin Tournoij <martin@arp242.net>
Date: Mon, 19 Aug 2024 01:52:58 +0100
Subject: [PATCH 08/16] Correct paths for fonts

While the "./fonts/..." fallback ensures the correct font is loaded, it
does give an annoying error in the console which I want to get rid of.
---
 public/shared.css       | 19 -------------------
 tpl/_backend_top.gohtml | 17 +++++++++++++++++
 2 files changed, 17 insertions(+), 19 deletions(-)

diff --git a/public/shared.css b/public/shared.css
index 9ca52131f..6b990dfb8 100644
--- a/public/shared.css
+++ b/public/shared.css
@@ -1,23 +1,4 @@
 /*** Fonts ***/
-@font-face {
-	font-family: 'Lato'; font-style: normal; font-weight: 400; font-display: fallback;
-	src: local('Lato'), local('Lato Regular'),
-		url('/fonts/latolatin.woff2') format('woff2'),
-		url('./fonts/latolatin.woff2') format('woff2');
-}
-@font-face {
-	font-family: 'Lato'; font-style: normal; font-weight: 700; font-display: fallback;
-	src: local('Lato Bold'), local('Lato Bold'),
-		url('/fonts/latolatin-bold.woff2') format('woff2'),
-		url('./fonts/latolatin-bold.woff2') format('woff2');
-}
-@font-face {
-	font-family: 'Lato'; font-style: italic; font-weight: 400; font-display: fallback;
-	src: local('Lato Italic'), local('Lato Italic'),
-		url('/fonts/latolatin-italic.woff2') format('woff2'),
-		url('./fonts/latolatin-italic.woff2') format('woff2');
-}
-
 html { font: 16px/150% 'Lato', sans-serif; text-size-adjust: none; -webkit-text-size-adjust: none;
        background-color: var(--backdrop); color: var(--text); tab-size: 4; }
 html, body { margin: 0; }
diff --git a/tpl/_backend_top.gohtml b/tpl/_backend_top.gohtml
index 6f125c4d6..59a1a88c5 100644
--- a/tpl/_backend_top.gohtml
+++ b/tpl/_backend_top.gohtml
@@ -15,6 +15,23 @@
 	<link rel="stylesheet" href="{{.Static}}/shared.css?v={{.Version}}">
 	<link rel="stylesheet" href="{{.Static}}/pikaday.css?v={{.Version}}">
 	<link rel="stylesheet" href="{{.Static}}/backend.css?v={{.Version}}">
+	<style>
+		@font-face {
+			font-family: 'Lato'; font-style: normal; font-weight: 400; font-display: fallback;
+			src: local('Lato'), local('Lato Regular'),
+				url('{{.Base}}/fonts/latolatin.woff2') format('woff2');
+		}
+		@font-face {
+			font-family: 'Lato'; font-style: normal; font-weight: 700; font-display: fallback;
+			src: local('Lato Bold'), local('Lato Bold'),
+				url('{{.Base}}/fonts/latolatin-bold.woff2') format('woff2');
+		}
+		@font-face {
+			font-family: 'Lato'; font-style: italic; font-weight: 400; font-display: fallback;
+			src: local('Lato Italic'), local('Lato Italic'),
+				url('{{.Base}}/fonts/latolatin-italic.woff2') format('woff2');
+		}
+	</style>
 	<style>{{if not .User.ID}}.logged-in { display: none !important; }{{end}}</style>
 </head>
 

From 857db8b664693fef993095e4c29200d0d7625fee Mon Sep 17 00:00:00 2001
From: Martin Tournoij <martin@arp242.net>
Date: Mon, 19 Aug 2024 02:08:02 +0100
Subject: [PATCH 09/16] Fix JS

---
 handlers/handlers.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/handlers/handlers.go b/handlers/handlers.go
index 51b45aa7f..0ae6230db 100644
--- a/handlers/handlers.go
+++ b/handlers/handlers.go
@@ -80,12 +80,13 @@ func (g Globals) T(msg string, data ...any) template.HTML {
 
 func newGlobals(w http.ResponseWriter, r *http.Request) Globals {
 	ctx := r.Context()
+	base := goatcounter.Config(ctx).BasePath
 	g := Globals{
 		Context:        ctx,
 		User:           goatcounter.GetUser(ctx),
 		Site:           goatcounter.GetSite(ctx),
-		Path:           r.URL.Path,
-		Base:           goatcounter.Config(ctx).BasePath,
+		Path:           strings.TrimPrefix(r.URL.Path, base),
+		Base:           base,
 		Flash:          zhttp.ReadFlash(w, r),
 		Static:         goatcounter.Config(ctx).URLStatic,
 		Domain:         goatcounter.Config(ctx).Domain,

From 411a819857d4bc30da582538d74dde1cde727382 Mon Sep 17 00:00:00 2001
From: Mitchell Kember <mk12360@gmail.com>
Date: Sun, 18 Aug 2024 18:12:21 -0700
Subject: [PATCH 10/16] Use BASE_PATH in #settings-secret change

---
 public/backend.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/public/backend.js b/public/backend.js
index 1e8245979..3df65611d 100644
--- a/public/backend.js
+++ b/public/backend.js
@@ -162,7 +162,7 @@
 
 		// Update redirect link.
 		$('#settings-secret').on('change', function(e) {
-			$('#secret-url').val(`${location.protocol}//${location.host}?access-token=${this.value}`)
+			$('#secret-url').val(`${location.protocol}//${location.host}${BASE_PATH}?access-token=${this.value}`)
 		}).trigger('change')
 	}
 

From 461695ffd765d530a9d9ce830f12cdd3fbdd71c4 Mon Sep 17 00:00:00 2001
From: Martin Tournoij <martin@arp242.net>
Date: Mon, 19 Aug 2024 02:11:58 +0100
Subject: [PATCH 11/16] Make sure both "/foo" and "/foo/" work

Previously only http://localhost:9000/foo/ worked, and
http://localhost:9000/foo errored.
---
 handlers/backend.go  | 3 ++-
 handlers/handlers.go | 6 +++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/handlers/backend.go b/handlers/backend.go
index a4bdd31a1..b17a21d15 100644
--- a/handlers/backend.go
+++ b/handlers/backend.go
@@ -22,11 +22,12 @@ import (
 func NewBackend(db zdb.DB, acmeh http.HandlerFunc, dev, goatcounterCom, websocket bool,
 	domainStatic string, basePath string, dashTimeout, apiMax int,
 ) chi.Router {
+
 	root := chi.NewRouter()
 	r := root
 	if basePath != "" {
 		r = chi.NewRouter()
-		root.Mount(basePath+"/", r)
+		root.Mount(basePath, r)
 	}
 
 	backend{dashTimeout, websocket}.Mount(r, db, dev, domainStatic, dashTimeout, apiMax)
diff --git a/handlers/handlers.go b/handlers/handlers.go
index 0ae6230db..6f64051b9 100644
--- a/handlers/handlers.go
+++ b/handlers/handlers.go
@@ -81,11 +81,15 @@ func (g Globals) T(msg string, data ...any) template.HTML {
 func newGlobals(w http.ResponseWriter, r *http.Request) Globals {
 	ctx := r.Context()
 	base := goatcounter.Config(ctx).BasePath
+	path := strings.TrimPrefix(r.URL.Path, base)
+	if path == "" {
+		path = "/"
+	}
 	g := Globals{
 		Context:        ctx,
 		User:           goatcounter.GetUser(ctx),
 		Site:           goatcounter.GetSite(ctx),
-		Path:           strings.TrimPrefix(r.URL.Path, base),
+		Path:           path,
 		Base:           base,
 		Flash:          zhttp.ReadFlash(w, r),
 		Static:         goatcounter.Config(ctx).URLStatic,

From 40753b006e08eb90c189d918f3a4f3f531152453 Mon Sep 17 00:00:00 2001
From: Martin Tournoij <martin@arp242.net>
Date: Mon, 19 Aug 2024 02:21:02 +0100
Subject: [PATCH 12/16] Fix "add new user" form

---
 tpl/settings_users_form.gohtml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tpl/settings_users_form.gohtml b/tpl/settings_users_form.gohtml
index 7081b6956..b7f8baff0 100644
--- a/tpl/settings_users_form.gohtml
+++ b/tpl/settings_users_form.gohtml
@@ -20,7 +20,7 @@
 <h2>{{if .Edit}}{{.T "header/edit-user|Edit user %(email)" .NewUser.Email}}{{else}}{{.T "header/add-new-user|Add a new user"}}{{end}}</h2>
 {{if .Error}}<div class="flash flash-e">{{.Error}}</div>{{end}}
 
-<form method="post" action="{{if .Edit}}/settings/users/{{.NewUser.ID}}{{else}}/settings/users/add{{end}}" id="users-form" class="vertical">
+<form method="post" action="{{.Base}}{{if .Edit}}/settings/users/{{.NewUser.ID}}{{else}}/settings/users/add{{end}}" id="users-form" class="vertical">
 	<input type="hidden" name="csrf" value="{{.User.CSRFToken}}">
 	<fieldset>
 		<legend>{{.T "header/user-information|User information"}}</legend>

From 08e7c1b03dfeca6459bc2f6610696c6ab270b49b Mon Sep 17 00:00:00 2001
From: Martin Tournoij <martin@arp242.net>
Date: Mon, 19 Aug 2024 02:23:43 +0100
Subject: [PATCH 13/16] Update zhttp

---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 79edde758..9e7fc139e 100644
--- a/go.mod
+++ b/go.mod
@@ -35,7 +35,7 @@ require (
 	zgo.at/zcache v1.2.0
 	zgo.at/zcache/v2 v2.1.0
 	zgo.at/zdb v0.0.0-20240818155550-1a862f98cab0
-	zgo.at/zhttp v0.0.0-20240812113805-6333261ded60
+	zgo.at/zhttp v0.0.0-20240819012318-b761c83c740e
 	zgo.at/zli v0.0.0-20240614180544-47534b1ce136
 	zgo.at/zlog v0.0.0-20211017235224-dd4772ddf860
 	zgo.at/zprof v0.0.0-20211217104121-c3c12596d8f0
diff --git a/go.sum b/go.sum
index 262318ad2..f37e678ee 100644
--- a/go.sum
+++ b/go.sum
@@ -135,8 +135,8 @@ zgo.at/zcache/v2 v2.1.0 h1:USo+ubK+R4vtjw4viGzTe/zjXyPw6R7SK/RL3epBBxs=
 zgo.at/zcache/v2 v2.1.0/go.mod h1:gyCeoLVo01QjDZynjime8xUGHHMbsLiPyUTBpDGd4Gk=
 zgo.at/zdb v0.0.0-20240818155550-1a862f98cab0 h1:kqQjQGkuuU4Tx1Ltsb2TYC2wTgWen1chHe9OSSq68ig=
 zgo.at/zdb v0.0.0-20240818155550-1a862f98cab0/go.mod h1:hXIbV/v/ENSl5CfzICL/jpTjYb50k/gKi2kN8UeuZcY=
-zgo.at/zhttp v0.0.0-20240812113805-6333261ded60 h1:lblPmTZwREdhxVd/3sSC+AuwuzpejRHwE1uCe3BBtN4=
-zgo.at/zhttp v0.0.0-20240812113805-6333261ded60/go.mod h1:/cHu19ZTOpAvVTntj45jy52UORMnBJh+G8Gz6oIraCs=
+zgo.at/zhttp v0.0.0-20240819012318-b761c83c740e h1:XkppPemmGbgCauiZOCUpWtvPor9yiB9611AsFUoVmho=
+zgo.at/zhttp v0.0.0-20240819012318-b761c83c740e/go.mod h1:OEB7qL85qu5BBFfdmep9TTnUUb25j3aqEYYuUnmFqX4=
 zgo.at/zli v0.0.0-20240614180544-47534b1ce136 h1:Q0j5M5+5YGNaECQmKOcznyDYX3jZUCVN+c7GKUkoV8o=
 zgo.at/zli v0.0.0-20240614180544-47534b1ce136/go.mod h1:0jjx+AGEkWOOQ0NtzbMnpko+H2G+aTg8mfCKqoc/BuA=
 zgo.at/zlog v0.0.0-20211017235224-dd4772ddf860 h1:7n74jp98CwBdqGCqJoVv2+XygJ3yD43GPUivnj/RPwo=

From 1e968d323787868d602ce87fe99d5ab1ff16e24b Mon Sep 17 00:00:00 2001
From: Martin Tournoij <martin@arp242.net>
Date: Mon, 19 Aug 2024 02:35:03 +0100
Subject: [PATCH 14/16] Load fonts on homepage and help pages

---
 tpl/_backend_top.gohtml | 12 ++++++------
 tpl/_top.gohtml         | 17 +++++++++++++++++
 tpl/help.gohtml         | 17 +++++++++++++++++
 3 files changed, 40 insertions(+), 6 deletions(-)

diff --git a/tpl/_backend_top.gohtml b/tpl/_backend_top.gohtml
index 59a1a88c5..76e68e2ea 100644
--- a/tpl/_backend_top.gohtml
+++ b/tpl/_backend_top.gohtml
@@ -12,26 +12,26 @@
 		<link rel="stylesheet" href="{{.Static}}/vars.css?v={{.Version}}">
 		<link rel="stylesheet" href="{{.Static}}/dark.css?v={{.Version}}" media="(prefers-color-scheme: dark)">
 	{{end}}
-	<link rel="stylesheet" href="{{.Static}}/shared.css?v={{.Version}}">
-	<link rel="stylesheet" href="{{.Static}}/pikaday.css?v={{.Version}}">
-	<link rel="stylesheet" href="{{.Static}}/backend.css?v={{.Version}}">
 	<style>
 		@font-face {
 			font-family: 'Lato'; font-style: normal; font-weight: 400; font-display: fallback;
 			src: local('Lato'), local('Lato Regular'),
-				url('{{.Base}}/fonts/latolatin.woff2') format('woff2');
+				url('{{.Static}}/fonts/latolatin.woff2') format('woff2');
 		}
 		@font-face {
 			font-family: 'Lato'; font-style: normal; font-weight: 700; font-display: fallback;
 			src: local('Lato Bold'), local('Lato Bold'),
-				url('{{.Base}}/fonts/latolatin-bold.woff2') format('woff2');
+				url('{{.Static}}/fonts/latolatin-bold.woff2') format('woff2');
 		}
 		@font-face {
 			font-family: 'Lato'; font-style: italic; font-weight: 400; font-display: fallback;
 			src: local('Lato Italic'), local('Lato Italic'),
-				url('{{.Base}}/fonts/latolatin-italic.woff2') format('woff2');
+				url('{{.Static}}/fonts/latolatin-italic.woff2') format('woff2');
 		}
 	</style>
+	<link rel="stylesheet" href="{{.Static}}/shared.css?v={{.Version}}">
+	<link rel="stylesheet" href="{{.Static}}/pikaday.css?v={{.Version}}">
+	<link rel="stylesheet" href="{{.Static}}/backend.css?v={{.Version}}">
 	<style>{{if not .User.ID}}.logged-in { display: none !important; }{{end}}</style>
 </head>
 
diff --git a/tpl/_top.gohtml b/tpl/_top.gohtml
index c142738ba..1fd2eb259 100644
--- a/tpl/_top.gohtml
+++ b/tpl/_top.gohtml
@@ -6,6 +6,23 @@
 	<meta name="description" content="{{.MetaDesc}}">
 	<title>GoatCounter – open source web analytics</title>
 	<link rel="stylesheet" href="{{.Static}}/vars.css?v={{.Version}}">
+	<style>
+		@font-face {
+			font-family: 'Lato'; font-style: normal; font-weight: 400; font-display: fallback;
+			src: local('Lato'), local('Lato Regular'),
+				url('{{.Static}}/fonts/latolatin.woff2') format('woff2');
+		}
+		@font-face {
+			font-family: 'Lato'; font-style: normal; font-weight: 700; font-display: fallback;
+			src: local('Lato Bold'), local('Lato Bold'),
+				url('{{.Static}}/fonts/latolatin-bold.woff2') format('woff2');
+		}
+		@font-face {
+			font-family: 'Lato'; font-style: italic; font-weight: 400; font-display: fallback;
+			src: local('Lato Italic'), local('Lato Italic'),
+				url('{{.Static}}/fonts/latolatin-italic.woff2') format('woff2');
+		}
+	</style>
 	<link rel="stylesheet" href="{{.Static}}/shared.css?v={{.Version}}">
 	<link rel="stylesheet" href="{{.Static}}/style.css?v={{.Version}}">
 	<link rel="canonical" href="https://{{.Domain}}{{.Base}}/{{if ne .Page "home"}}{{.Page}}{{end}}">
diff --git a/tpl/help.gohtml b/tpl/help.gohtml
index 6f2e736c5..edb61b98a 100644
--- a/tpl/help.gohtml
+++ b/tpl/help.gohtml
@@ -9,6 +9,23 @@
 	{{if eq .User.Settings.Theme "dark"}}
 		<link rel="stylesheet" href="{{.Static}}/dark.css?v={{.Version}}">
 	{{end}}
+	<style>
+		@font-face {
+			font-family: 'Lato'; font-style: normal; font-weight: 400; font-display: fallback;
+			src: local('Lato'), local('Lato Regular'),
+				url('{{.Static}}/fonts/latolatin.woff2') format('woff2');
+		}
+		@font-face {
+			font-family: 'Lato'; font-style: normal; font-weight: 700; font-display: fallback;
+			src: local('Lato Bold'), local('Lato Bold'),
+				url('{{.Static}}/fonts/latolatin-bold.woff2') format('woff2');
+		}
+		@font-face {
+			font-family: 'Lato'; font-style: italic; font-weight: 400; font-display: fallback;
+			src: local('Lato Italic'), local('Lato Italic'),
+				url('{{.Static}}/fonts/latolatin-italic.woff2') format('woff2');
+		}
+	</style>
 	<link rel="stylesheet" href="{{.Static}}/shared.css?v={{.Version}}">
 	<link rel="stylesheet" href="{{.Static}}/style.css?v={{.Version}}">
 	<link rel="canonical" href="https://{{.Domain}}/{{.Page}}/{{.CodePage}}">

From 4fab4cc4ba8d5a151aa1d25520f9b6a28a77ce05 Mon Sep 17 00:00:00 2001
From: Martin Tournoij <martin@arp242.net>
Date: Mon, 19 Aug 2024 02:45:48 +0100
Subject: [PATCH 15/16] Add baseURL to site switcher

---
 tpl/_backend_top.gohtml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tpl/_backend_top.gohtml b/tpl/_backend_top.gohtml
index 76e68e2ea..c1ae085ce 100644
--- a/tpl/_backend_top.gohtml
+++ b/tpl/_backend_top.gohtml
@@ -62,7 +62,7 @@
 								{{range $i, $s := .SubSites -}}
 									{{- if gt $i 0 -}}|{{- end -}}
 									{{if $.GoatcounterCom}} <a{{if eq $s $.Site.Code}} class="active"{{end}} href="//{{$s}}.{{$.Domain}}{{$.Port}}">{{$s}}</a>
-									{{else}} <a{{if eq $s (deref $.Site.Cname)}} class="active"{{end}} href="//{{$s}}{{$.Port}}">{{$s}}</a>
+									{{else}} <a{{if eq $s (deref $.Site.Cname)}} class="active"{{end}} href="//{{$s}}{{$.Port}}{{$.Base}}">{{$s}}</a>
 									{{end -}}
 								{{end}}
 							</span>

From 862e8c1eed06ab96c674a68f0628e153d1c676cd Mon Sep 17 00:00:00 2001
From: Martin Tournoij <martin@arp242.net>
Date: Mon, 19 Aug 2024 02:50:03 +0100
Subject: [PATCH 16/16] Add baseURL in a few more locations

---
 tpl/help/faq.md             | 6 +++---
 tpl/help/visitor-counter.md | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/tpl/help/faq.md b/tpl/help/faq.md
index f9bc7aaf7..024b7efe1 100644
--- a/tpl/help/faq.md
+++ b/tpl/help/faq.md
@@ -40,7 +40,7 @@ window.goatcounter = {
 </dd>
 
 <dt id="gdpr">What about GDPR consent notices? <a href="#gdpr">§</a></dt>
-<dd>You probably don’t need them. The <a href="/gdpr">the GDPR page</a> goes in to some detail about this.</dd>
+<dd>You probably don’t need them. The <a href="{{.Base}}/gdpr">the GDPR page</a> goes in to some detail about this.</dd>
 
 <dt id="custom-domain">How do I set up a custom domain? <a href="#custom-domain">§</a></dt>
 <dd>
@@ -72,7 +72,7 @@ That said, there are some options:
 goatcounter.com or associated domains, and adblockers will not block it.</li>
 <li>Import pageviews from logfiles; GoatCounter can import pageviews
 from web server logfiles; you can send this data to
-goatcounter.com. See <a href="/help/logfile">the documentation for details</a>.</li>
+goatcounter.com. See <a href="{{.Base}}/help/logfile">the documentation for details</a>.</li>
 </ol>
 </dd>
 
@@ -86,7 +86,7 @@ title you can filter by it. Also see
 <dt id="track-email">Can I use GoatCounter to track if someone opened an email? <a href="#track-email">§</a></dt>
 <dd>
 Kind of but not really. You can include the tracking pixel in the email as an
-image <a href="/help/pixel">as described here</a>.
+image <a href="{{.Base}}/help/pixel">as described here</a>.
 
 But this doesn't really work because almost all email clients block external
 images by default exactly to prevent this sort of thing from working. All email
diff --git a/tpl/help/visitor-counter.md b/tpl/help/visitor-counter.md
index 43e257a88..899a32498 100644
--- a/tpl/help/visitor-counter.md
+++ b/tpl/help/visitor-counter.md
@@ -6,7 +6,7 @@ image.
 in your site settings; this defaults to *off* to prevent unintentional leaking of data.
 {{else}}
 **Note**: you will need to enable “Allow adding visitor counts on your website”
-in your <a href="/settings/main#section-site">site settings</a>; this defaults to
+in your <a href="{{.Base}}/settings/main#section-site">site settings</a>; this defaults to
 *off* to prevent unintentional leaking of data.
 {{end}}