# Reverse proxy in front of Puter — mirrors what the prod ALB does: # accepts every Host header, forwards to the Puter container, and lets # the Puter app handle subdomain-based routing internally (api.*, # site.*, app.*, etc). # # To enable TLS: # 1. Drop your fullchain.pem + privkey.pem into ./puter/tls/. # 2. Uncomment the 443 server{} block below. # 3. Update server_name to your domain (and wildcard subdomains). worker_processes auto; events { worker_connections 4096; } http { # Required for Puter's WebSocket / socket.io upgrades. map $http_upgrade $connection_upgrade { default upgrade; '' close; } # Rough size cap that mirrors prod ALB defaults; tune for your # uploads. Puter chunks large uploads, so 1 GiB per request is plenty. client_max_body_size 1024m; proxy_read_timeout 600s; proxy_send_timeout 600s; proxy_buffering off; server_tokens off; upstream puter_backend { server puter:4100; keepalive 32; } upstream s3_backend { # RustFS — see `s3` service in docker-compose.full.yml. Browsers # PUT/GET here for presigned-URL uploads / downloads. Routed via # the `s3.` subdomain so signature verification works # (Host header preserved end-to-end) and so HTTPS stays clean # (no mixed-content from a port-9000 host publish). server s3:9000; keepalive 32; } # ── HTTP (port 80) ───────────────────────────────────────────── server { listen 80; listen [::]:80; server_name ~^s3\.; location / { proxy_pass http://s3_backend; proxy_http_version 1.1; # Critical: preserve the original Host so RustFS validates # the request against the same host the URL was signed for. proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } server { listen 80 default_server; listen [::]:80 default_server; server_name _; # Note: when you enable TLS, replace this block with a redirect: # return 301 https://$host$request_uri; location / { proxy_pass http://puter_backend; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Port $server_port; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; } } # ── HTTPS (port 443) — uncomment after dropping certs in ./puter/tls/ ─ # server { # listen 443 ssl; # listen [::]:443 ssl; # http2 on; # server_name ~^s3\.; # # ssl_certificate /etc/nginx/tls/fullchain.pem; # ssl_certificate_key /etc/nginx/tls/privkey.pem; # ssl_protocols TLSv1.2 TLSv1.3; # ssl_ciphers HIGH:!aNULL:!MD5; # ssl_session_cache shared:SSL:10m; # ssl_session_timeout 10m; # # location / { # proxy_pass http://s3_backend; # proxy_http_version 1.1; # proxy_set_header Host $host; # proxy_set_header X-Real-IP $remote_addr; # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # proxy_set_header X-Forwarded-Proto $scheme; # } # } # # server { # listen 443 ssl default_server; # listen [::]:443 ssl default_server; # http2 on; # server_name _; # # ssl_certificate /etc/nginx/tls/fullchain.pem; # ssl_certificate_key /etc/nginx/tls/privkey.pem; # ssl_protocols TLSv1.2 TLSv1.3; # ssl_ciphers HIGH:!aNULL:!MD5; # ssl_session_cache shared:SSL:10m; # ssl_session_timeout 10m; # # location / { # proxy_pass http://puter_backend; # proxy_http_version 1.1; # proxy_set_header Host $host; # proxy_set_header X-Real-IP $remote_addr; # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # proxy_set_header X-Forwarded-Proto $scheme; # proxy_set_header X-Forwarded-Host $host; # proxy_set_header X-Forwarded-Port $server_port; # proxy_set_header Upgrade $http_upgrade; # proxy_set_header Connection $connection_upgrade; # } # } }