puter/nginx/nginx.conf

# Reverse proxy in front of Puter — mirrors what the prod ALB does:
# accepts every Host header, forwards to the Puter container, and lets
# the Puter app handle subdomain-based routing internally (api.*,
# site.*, app.*, etc).
#
# To enable TLS:
#   1. Drop your fullchain.pem + privkey.pem into ./puter/tls/.
#   2. Uncomment the 443 server{} block below.
#   3. Update server_name to your domain (and wildcard subdomains).

worker_processes auto;
events {
    worker_connections 4096;
}

http {
    # Required for Puter's WebSocket / socket.io upgrades.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    # Rough size cap that mirrors prod ALB defaults; tune for your
    # uploads. Puter chunks large uploads, so 1 GiB per request is plenty.
    client_max_body_size 1024m;
    proxy_read_timeout 600s;
    proxy_send_timeout 600s;
    proxy_buffering off;
    server_tokens off;

    upstream puter_backend {
        server puter:4100;
        keepalive 32;
    }

    upstream s3_backend {
        # RustFS — see `s3` service in docker-compose.full.yml. Browsers
        # PUT/GET here for presigned-URL uploads / downloads. Routed via
        # the `s3.<domain>` subdomain so signature verification works
        # (Host header preserved end-to-end) and so HTTPS stays clean
        # (no mixed-content from a port-9000 host publish).
        server s3:9000;
        keepalive 32;
    }

    # ── HTTP (port 80) ─────────────────────────────────────────────
    server {
        listen 80;
        listen [::]:80;
        server_name ~^s3\.;

        location / {
            proxy_pass http://s3_backend;
            proxy_http_version 1.1;
            # Critical: preserve the original Host so RustFS validates
            # the request against the same host the URL was signed for.
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;

        # Note: when you enable TLS, replace this block with a redirect:
        #   return 301 https://$host$request_uri;
        location / {
            proxy_pass http://puter_backend;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Port $server_port;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
    }

    # ── HTTPS (port 443) — uncomment after dropping certs in ./puter/tls/ ─
    # server {
    #     listen 443 ssl;
    #     listen [::]:443 ssl;
    #     http2 on;
    #     server_name ~^s3\.;
    #
    #     ssl_certificate     /etc/nginx/tls/fullchain.pem;
    #     ssl_certificate_key /etc/nginx/tls/privkey.pem;
    #     ssl_protocols       TLSv1.2 TLSv1.3;
    #     ssl_ciphers         HIGH:!aNULL:!MD5;
    #     ssl_session_cache   shared:SSL:10m;
    #     ssl_session_timeout 10m;
    #
    #     location / {
    #         proxy_pass http://s3_backend;
    #         proxy_http_version 1.1;
    #         proxy_set_header Host $host;
    #         proxy_set_header X-Real-IP $remote_addr;
    #         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #         proxy_set_header X-Forwarded-Proto $scheme;
    #     }
    # }
    #
    # server {
    #     listen 443 ssl default_server;
    #     listen [::]:443 ssl default_server;
    #     http2 on;
    #     server_name _;
    #
    #     ssl_certificate     /etc/nginx/tls/fullchain.pem;
    #     ssl_certificate_key /etc/nginx/tls/privkey.pem;
    #     ssl_protocols       TLSv1.2 TLSv1.3;
    #     ssl_ciphers         HIGH:!aNULL:!MD5;
    #     ssl_session_cache   shared:SSL:10m;
    #     ssl_session_timeout 10m;
    #
    #     location / {
    #         proxy_pass http://puter_backend;
    #         proxy_http_version 1.1;
    #         proxy_set_header Host $host;
    #         proxy_set_header X-Real-IP $remote_addr;
    #         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #         proxy_set_header X-Forwarded-Proto $scheme;
    #         proxy_set_header X-Forwarded-Host $host;
    #         proxy_set_header X-Forwarded-Port $server_port;
    #         proxy_set_header Upgrade $http_upgrade;
    #         proxy_set_header Connection $connection_upgrade;
    #     }
    # }
}