sciagent code + Gitea Actions CI/CD
CI/CD / backend (push) Failing after 2m8s
CI/CD / frontend (push) Failing after 1m40s
CI/CD / deploy (push) Has been skipped

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Thinh Lam
2026-06-30 09:38:30 +07:00
commit 688fac73e9
1167 changed files with 158244 additions and 0 deletions
+43
@@ -0,0 +1,43 @@
# HTTPS for MinIO (presigned URLs and mixed content)
If the SPA is served over **`https://`**, the browser blocks embedding or opening **`http://…:19000`** presigned MinIO URLs (mixed active content).
The built-in evidence viewer proxies through **`GET /api/v1/application-drafts/…/evidence/content`** so previews work without exposing MinIO to HTTPS.
To restore **working direct presigned URLs** (new-tab open, integrations, downloads that bypass the API):
1. **Terminate TLS on a hostname that points at MinIOs S3 port** (`MINIO_API_PORT`, default **19000**), e.g. `https://minio-api.example.com` → nginx → `127.0.0.1:19000`.
2. **Set the same public base URL** in `.env` (no trailing slash), then restart Compose so **`be0`** and **`minio`** pick it up:
| Variable | Role |
|---------|------|
| **`S3_PUBLIC_ENDPOINT_URL`** | Host used when **`be0`** signs presigned GET/PUT URLs (must match what the browser uses). |
| **`MINIO_SERVER_URL`** | MinIO server URL advertised to clients (console / redirects). Should match **`S3_PUBLIC_ENDPOINT_URL`** for the S3 API host. |
| **`MINIO_BROWSER_REDIRECT_URL`** | Optional HTTPS URL for the **console** if you terminate TLS separately (default remains `http://${PUBLIC_HOST}:${MINIO_CONSOLE_PORT}`). |
`docker-compose.prod.yml` wires:
- **`S3_PUBLIC_ENDPOINT_URL=${S3_PUBLIC_ENDPOINT_URL:-http://${PUBLIC_HOST}:${MINIO_API_PORT}}`**
- **`MINIO_SERVER_URL=${MINIO_SERVER_URL:-http://${PUBLIC_HOST}:${MINIO_API_PORT}}`**
Example `.env` after nginx + certificate:
```bash
S3_PUBLIC_ENDPOINT_URL=https://minio-api.example.com
MINIO_SERVER_URL=https://minio-api.example.com
```
3. **`proxy_set_header Host $http_host`** on nginx must preserve the **`Host`** the client sent — AWS Signature V4 on presigned URLs is bound to host + path.
4. **Operational hardening**: after nginx fronts MinIO publicly, bind the Docker publish to **`127.0.0.1:${MINIO_API_PORT}:9000`** so only nginx can reach bare HTTP on that port from outside.
5. **CORS**: on **community MinIO**, configure **`MINIO_API_CORS_ALLOW_ORIGIN`** on the **`minio`** service (comma-separated origins, or `*` for dev). Per-bucket **`mc cors set`** is **AiStor-only** and will fail with “not implemented” on the OSS image.
## Example nginx config
See **[deploy/nginx/minio-s3-proxy.conf.example](../deploy/nginx/minio-s3-proxy.conf.example)**.
## Stack diagram (prod)
- **Browser** → `https://minio-api…`**nginx (TLS)**`http://127.0.0.1:19000`**MinIO**
- **be0** → `http://minio:9000` (Compose network) unchanged for server-side uploads and streaming.
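Review bot: step 4 ("Operational hardening") only covers the S3 API port (`127.0.0.1:${MINIO_API_PORT}:9000`), while the table row for `MINIO_BROWSER_REDIRECT_URL` says the console default "remains `http://${PUBLIC_HOST}:${MINIO_CONSOLE_PORT}`"; after the API is fronted by nginx, the console is still a plain-HTTP login endpoint on the public host, so either add the console port to the bind-to-loopback step or state explicitly that it must also go behind TLS before being exposed. Two smaller points: the "Stack diagram (prod)" line is missing its arrows between the nginx and MinIO hops (it reads `https://minio-api…`**nginx (TLS)**`http://127.0.0.1:19000`**MinIO**, presumably intended as `… → nginx (TLS) → http://127.0.0.1:19000 → MinIO`), and step 1 has "MinIOs S3 port" for "MinIO's S3 port".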