sciagent/docs/minio-behind-https.md
Thinh Lam 688fac73e9
sciagent code + Gitea Actions CI/CD
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-30 09:38:30 +07:00
# HTTPS for MinIO (presigned URLs and mixed content)
If the SPA is served over **`https://`**, the browser blocks embedding or opening **`http://…:19000`** presigned MinIO URLs (mixed active content).
The built-in evidence viewer proxies through **`GET /api/v1/application-drafts/…/evidence/content`** so previews work without exposing MinIO to HTTPS.
To restore **working direct presigned URLs** (new-tab open, integrations, downloads that bypass the API):
1. **Terminate TLS on a hostname that points at MinIO's S3 port** (`MINIO_API_PORT`, default **19000**), e.g. `https://minio-api.example.com` → nginx → `127.0.0.1:19000`.
2. **Set the same public base URL** in `.env` (no trailing slash), then restart Compose so **`be0`** and **`minio`** pick it up:

| Variable | Role |
|---------|------|
| **`S3_PUBLIC_ENDPOINT_URL`** | Host used when **`be0`** signs presigned GET/PUT URLs (must match what the browser uses). |
| **`MINIO_SERVER_URL`** | MinIO server URL advertised to clients (console / redirects). Should match **`S3_PUBLIC_ENDPOINT_URL`** for the S3 API host. |
| **`MINIO_BROWSER_REDIRECT_URL`** | Optional HTTPS URL for the **console** if you terminate TLS separately (default remains `http://${PUBLIC_HOST}:${MINIO_CONSOLE_PORT}`). |

`docker-compose.prod.yml` wires:
- **`S3_PUBLIC_ENDPOINT_URL=${S3_PUBLIC_ENDPOINT_URL:-http://${PUBLIC_HOST}:${MINIO_API_PORT}}`**
- **`MINIO_SERVER_URL=${MINIO_SERVER_URL:-http://${PUBLIC_HOST}:${MINIO_API_PORT}}`**
Example `.env` after nginx + certificate:
```bash
S3_PUBLIC_ENDPOINT_URL=https://minio-api.example.com
MINIO_SERVER_URL=https://minio-api.example.com
```
3. **`proxy_set_header Host $http_host`** on nginx must preserve the **`Host`** the client sent — AWS Signature V4 on presigned URLs is bound to host + path.
4. **Operational hardening**: after nginx fronts MinIO publicly, bind the Docker publish to **`127.0.0.1:${MINIO_API_PORT}:9000`** so only nginx can reach bare HTTP on that port from outside.
5. **CORS**: on **community MinIO**, configure **`MINIO_API_CORS_ALLOW_ORIGIN`** on the **`minio`** service (comma-separated origins, or `*` for dev). Per-bucket **`mc cors set`** is **AiStor-only** and will fail with “not implemented” on the OSS image.
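Step 3 in practice, as an added example that is not part of sciagent or MinIO: a minimal AWS Signature V4 query-string presigner (host is the only signed header) beside the recomputation the server performs with the `Host` it received. The access key, secret, region, object path and timestamp are constructed values.

```python
"""Added illustration: SigV4 presigning binds the URL to the Host header, so an nginx
that rewrites Host to the upstream address (instead of proxy_set_header Host $http_host)
makes MinIO recompute a different signature and reject the presigned URL."""
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlencode, urlsplit

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def _signature(secret, region, amz_date, host, path, query):
    """Signature over the canonical request; 'query' excludes X-Amz-Signature."""
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    canonical_query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                               for k, v in sorted(query.items()))
    canonical_request = "\n".join(["GET", quote(path, safe="/-_.~"), canonical_query,
                                   f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = _hmac(("AWS4" + secret).encode(), amz_date[:8])  # derive the signing key chain
    for part in (region, "s3", "aws4_request"):
        key = _hmac(key, part)
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()

def presign_get(access_key, secret, region, public_host, path, amz_date, expires=3600):
    """What be0 does: sign a GET URL bound to the host taken from S3_PUBLIC_ENDPOINT_URL."""
    query = {"X-Amz-Algorithm": "AWS4-HMAC-SHA256",
             "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request",
             "X-Amz-Date": amz_date, "X-Amz-Expires": str(expires),
             "X-Amz-SignedHeaders": "host"}
    query["X-Amz-Signature"] = _signature(secret, region, amz_date, public_host, path, query)
    return f"https://{public_host}{path}?{urlencode(query)}"

def verify(secret, region, observed_host, url):
    """What MinIO does: recompute from the Host header it actually received."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query))
    presented = query.pop("X-Amz-Signature")
    expected = _signature(secret, region, query["X-Amz-Date"], observed_host, parts.path, query)
    return hmac.compare_digest(presented, expected)

def proxy_check(access_key="constructed-ak", secret="constructed-sk", region="us-east-1"):
    """Returns (Host preserved -> accepted, Host rewritten to upstream -> rejected)."""
    url = presign_get(access_key, secret, region, "minio-api.example.com",
                      "/evidence/draft-1/report.pdf", "20260630T023830Z")  # constructed
    return (verify(secret, region, "minio-api.example.com", url),
            verify(secret, region, "127.0.0.1:19000", url))
```

`proxy_check()` returns `(True, False)`: the same URL passes when nginx forwards the public host and fails when the upstream address reaches MinIO as `Host`.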
## Example nginx config
See **[deploy/nginx/minio-s3-proxy.conf.example](../deploy/nginx/minio-s3-proxy.conf.example)**.
## Stack diagram (prod)
- **Browser** → `https://minio-api…` → **nginx (TLS)** → `http://127.0.0.1:19000` → **MinIO**
- **be0** → `http://minio:9000` (Compose network) unchanged for server-side uploads and streaming.