Fix Mixed Content on file uploads: presigned URLs now use public domain

The backend was generating presigned S3 URLs pointing to the internal MinIO endpoint (http://minio:9000), which browsers block on HTTPS pages. - Add a second S3 client in upload.service.ts configured with FRONTEND_URL for generating browser-facing presigned URLs (both upload and download) - Add nginx proxy location for /indeedhub-private/ and /indeedhub-public/ paths that forwards to MinIO without rewriting (preserves S3v4 signatures) - Keep internal S3 client for server-side operations (copy, delete, etc.) Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-13 20:30:49 +00:00
parent abb83fe164
commit fc20c625fa
3 changed files with 55 additions and 11 deletions
--- a/nginx.conf
+++ b/nginx.conf
@@ -84,6 +84,29 @@ server {
        add_header Cache-Control "no-store";
    }

+    # ── MinIO direct proxy (for presigned URL uploads/downloads) ──
+    # The backend generates presigned URLs pointing to the public domain.
+    # This location proxies those requests to MinIO WITHOUT rewriting the
+    # path, so the S3v4 signature (which includes the path) stays valid.
+    location ~ ^/(indeedhub-private|indeedhub-public)/ {
+        resolver 127.0.0.11 valid=30s ipv6=off;
+        set $minio_upstream http://minio:9000;
+
+        proxy_pass $minio_upstream;
+        proxy_http_version 1.1;
+        # Pass the original Host so MinIO's signature verification matches
+        # the host the presigned URL was generated for.
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+        # Allow large file uploads (up to 5GB per chunk)
+        client_max_body_size 5g;
+
+        # No caching for upload responses
+        add_header Cache-Control "no-store";
+    }
+
    # ── WebSocket proxy to Nostr relay (Docker service) ────────
    location /relay {
        resolver 127.0.0.11 valid=30s ipv6=off;