# Example: expose MinIO S3 API on HTTPS for presigned URLs (fixes mixed content vs https://your-app).
#
# 1. DNS: A/AAAA record for MINIO_API_HOST → your VPS.
# 2. TLS: obtain cert for MINIO_API_HOST (e.g. certbot --nginx).
# 3. Replace MINIO_API_HOST and adjust upstream port if MINIO_API_PORT ≠ 19000.
# 4. Set in .env (same hostname and scheme — no trailing slash):
#      S3_PUBLIC_ENDPOINT_URL=https://MINIO_API_HOST
#      MINIO_SERVER_URL=https://MINIO_API_HOST
# 5. Recreate/be0 restart so presign matches this host.
#
# Optionally bind Docker’s MinIO publish to localhost only:
#      "127.0.0.1:19000:9000"
# NOTE(review): treat the localhost bind as the default, not an option. If the
# port is published on all interfaces, the S3 API is also reachable over plain
# HTTP on that port, bypassing this TLS front end. Docker-published ports are
# commonly not filtered by host firewall front ends such as ufw, so confirm
# from outside the host that the port is closed.
#
# Presigned URLs are bearer credentials until they expire, and the signature is
# carried in the query string, which nginx access logs record by default. Keep
# expiry short and restrict who can read the logs.

# Pool of upstream connections to the locally published MinIO S3 API port.
# `keepalive` only takes effect together with `proxy_http_version 1.1` and the
# empty `Connection` header set in the location block below.
upstream minio_s3_api {
    server 127.0.0.1:19000;
    keepalive 32;
}

server {
    # IPv4 only. If step 1 publishes an AAAA record, add a matching
    # `listen [::]:443 ssl http2;` line, otherwise IPv6 clients cannot connect.
    # NOTE(review): newer nginx releases deprecate the `http2` listen flag in
    # favour of a separate `http2 on;` directive — check your version.
    listen 443 ssl http2;
    server_name MINIO_API_HOST;

    # Placeholder paths: point these at the certificate and key issued for
    # MINIO_API_HOST (certbot normally manages them under its own live/
    # directory for the host). The key file should be readable only by root
    # and the nginx master process.
    # NOTE(review): no ssl_protocols/ssl_ciphers are set here, so the nginx
    # build defaults apply. Pin `ssl_protocols TLSv1.2 TLSv1.3;` unless an
    # included TLS options file (such as the one certbot adds) already sets it
    # — declaring it twice in the same block is a config error.
    ssl_certificate /fullchain.pem;
    ssl_certificate_key /privkey.pem;

    # Large evidence PDF uploads go through be0, not nginx→MinIO, but PUT via presign can be big.
    # Bodies above this limit are rejected by nginx with 413 before MinIO sees them.
    client_max_body_size 50m;

    # Disable buffering for streamed GETs if needed upstream.
    # With request buffering off, upload bodies are streamed to MinIO as they
    # arrive instead of being spooled by nginx first.
    proxy_buffering off;
    proxy_request_buffering off;

    location / {
        proxy_http_version 1.1;

        # Pass the client's Host header through unchanged: presigned (SigV4)
        # URLs are signed over the host, so rewriting it here would make
        # MinIO reject the signature.
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to any
        # X-Forwarded-For value the client sent, so only the last entry is
        # set by this proxy. Use X-Real-IP or the final hop for audit and
        # access decisions downstream.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Clear the Connection header so upstream keepalive connections are reused.
        proxy_set_header Connection "";

        # Timeouts are in seconds. They are generous to accommodate large
        # transfers, but they also let a slow or idle peer hold a connection
        # for that long; lower them if that becomes a resource concern.
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
        proxy_read_timeout 300;

        proxy_pass http://minio_s3_api;
    }
}