# Example: expose MinIO S3 API on HTTPS for presigned URLs (fixes mixed content vs https://your-app).
#
# 1. DNS: A/AAAA record for MINIO_API_HOST → your VPS.
# 2. TLS: obtain cert for MINIO_API_HOST (e.g. certbot --nginx).
# 3. Replace MINIO_API_HOST and adjust upstream port if MINIO_API_PORT ≠ 19000.
# 4. Set in .env (same hostname and scheme — no trailing slash):
# S3_PUBLIC_ENDPOINT_URL=https://MINIO_API_HOST
# MINIO_SERVER_URL=https://MINIO_API_HOST
# 5. Recreate or restart be0 so that presigned URLs match this host.
#
# Optionally bind Docker’s MinIO publish to localhost only, so the plain-HTTP
# port is reachable only through this TLS proxy and not directly from outside:
# "127.0.0.1:19000:9000"
# Upstream group for the MinIO S3 API, reached over plain HTTP on the loopback
# interface (host port 19000, see the Docker publish example in the header).
upstream minio_s3_api {
    server 127.0.0.1:19000;
    # Keep up to 32 idle connections to MinIO open per worker for reuse. This only
    # takes effect with HTTP/1.1 and an empty Connection header on the proxied request.
    keepalive 32;
}
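# TLS front end for the MinIO S3 API: terminates HTTPS for MINIO_API_HOST and
# proxies every request to the minio_s3_api upstream over plain HTTP.
server {
    listen 443 ssl http2;
    # The setup notes ask for an A/AAAA record; without an IPv6 listener, clients that
    # resolve the AAAA record cannot connect. Remove this line on hosts without IPv6.
    listen [::]:443 ssl http2;
    server_name MINIO_API_HOST;

    # Placeholder paths: point these at the certificate chain and key issued for
    # MINIO_API_HOST. The key file should be readable only by the account that starts nginx.
    ssl_certificate /fullchain.pem;
    ssl_certificate_key /privkey.pem;
    # Refuse TLS 1.0/1.1, which older nginx releases still enable by default.
    # Drop this line if an included snippet (e.g. one added by certbot) already sets
    # ssl_protocols in this block, since nginx rejects a duplicate directive.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Large evidence PDF uploads go through be0, not nginx→MinIO, but PUT via presign can be big.
    # Bodies above this limit are rejected by nginx with 413 before reaching MinIO.
    client_max_body_size 50m;

    # Disable buffering for streamed GETs if needed upstream.
    # With request buffering off, upload bodies are passed to MinIO as they arrive
    # instead of being spooled by nginx first.
    proxy_buffering off;
    proxy_request_buffering off;

    location / {
        # HTTP/1.1 plus an empty Connection header are needed for upstream keepalive.
        proxy_http_version 1.1;
        # Forward the Host header exactly as the client sent it: presigned URLs are
        # signed over the host, so MinIO must see the same value the URL was issued for.
        # NOTE(review): if this is the only 443 server block, nginx serves it for any
        # Host value; signature checks happen in MinIO, not here.
        proxy_set_header Host $http_host;
        # X-Real-IP is set by nginx from the TCP peer. X-Forwarded-For appends that
        # address to whatever the client sent, so earlier entries in it are untrusted.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Connection "";

        # Timeouts in seconds, generous enough for slow transfers of large objects.
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
        proxy_read_timeout 300;

        proxy_pass http://minio_s3_api;
    }
}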