I checked https://mathis.art/
– your Yesod web app returns HTML files with http links to CSS (instead of https links).
proxy_set_header X-Forwarded-Proto https;
is correct in your nginx config.
But your Yesod app either ignores that header or the header is set back to http by keter (AFAIK keter is just another proxy).
Maybe you can change the appRoot of your app in one of the ways described here:
But I guess it's normally better to serve based on the request (default) instead of hard-code the appRoot. So I would look in keter documentation and check if keter changes the X-Forwarded-Proto header. You could also try without keter if you just want to have it working...