authorobject422024-05-26 21:03:46 +0200
committerobject422024-05-26 21:08:56 +0200
commit9b3c66bfda134d8f61733c67a64871c59ba5da23 (patch)
tree990c2e8e9060fce7dbcd919c1d307bd768f97833
parentbaca1017b90354c11820aea1ebbc7c9df1c83e6d (diff)
- modified minio config to be compatible with ente-desktop connections
-rw-r--r--.SRCINFO10
-rw-r--r--PKGBUILD11
-rw-r--r--ente-server-man.1.md11
-rw-r--r--ente-server.yaml2
-rw-r--r--minio-server-nginx.conf82
5 files changed, 102 insertions, 14 deletions
diff --git a/.SRCINFO b/.SRCINFO
index f63b43b70c0d..05b2d08479c1 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,7 @@
pkgbase = ente-server-git
pkgdesc = Self hosted server for Ente (mobile) clients
- pkgver = r1.7490199
- pkgrel = 5
+ pkgver = r1.c5aa536
+ pkgrel = 6
url = https://github.com/ente-io
arch = x86_64
license = AGPL-3.0-only
@@ -29,17 +29,19 @@ pkgbase = ente-server-git
source = ente-server.yaml
source = http_security_headers.conf
source = https_security_headers.conf
+ source = minio-server-nginx.conf
source = usr.bin.ente-server
sha256sums = 0d96a4ff68ad6d4b6f1f30f713b18d5184912ba8dd389f86aa7710db079abcb0
sha256sums = f3624560a2c332724967e1e64689f8549a936fb85fc557ccc4bcbb7e57e373e8
- sha256sums = 9151cd1072cf33f88c355761ce931346a58555da49cb6241e9498b4c1dd0b87b
+ sha256sums = 513de8be26c5e2e1fca7ff9562bddd6a1740ce1622c14edfe766287556385cf6
sha256sums = 2d5221aaa83f32bbc8c75c2d7c70f9ff8021d451b544f230c99fe29b84fcba75
sha256sums = 72c23c4ba9d3468a1b089d182917123cb15b8bf8b52b3955b98a0357d29b5cbd
sha256sums = 6ba953245f2a285dbd82ce65635d19410eab1dcd92821c398bdf7ffba9451a9b
sha256sums = f5ae64093463a66fa66ecc4627f603ff0f9e17841e1d681dbcc68b1bad95100e
- sha256sums = c3e54eacff7f6b4a406dff4b871120c6a97dc5dca179347055514a19d10cfb72
+ sha256sums = 77b1b7aa5057e8ee8756bcc3a8415ce801f7b935b8f60c4934d4f4648dc5a92c
sha256sums = 405365bd47efa25b8bcefc93a5c0535fd50cce22b5d8dcea070098aa432ff87e
sha256sums = a1149c57e233f7be2f12668f5ef0f03409bd5ad37b1a223bb56d2ae865cf6358
+ sha256sums = 863d111071bb32c8b5f8baa34731a94861940d2d276ffadf9426d3fc492588b6
sha256sums = 297bc7d90c473758c9054aaaa6155b4e7232d0dfea761a4e55ed8b743f289f86
pkgname = ente-server-git
diff --git a/PKGBUILD b/PKGBUILD
index c56f8d725fb7..ecbbde4d87ae 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -2,8 +2,8 @@
pkgname=ente-server-git
_pkgname_alt=museum
_pkg_git_src=https://github.com/ente-io/ente.git
-pkgver=r1.7490199
-pkgrel=5
+pkgver=r1.c5aa536
+pkgrel=6
pkgdesc="Self hosted server for Ente (mobile) clients"
arch=(x86_64)
url="https://github.com/ente-io"
@@ -28,19 +28,21 @@ source=(
"${pkgname%-git}.yaml"
"http_security_headers.conf"
"https_security_headers.conf"
+ "minio-server-nginx.conf"
"usr.bin.${pkgname%-git}"
)
sha256sums=(
"0d96a4ff68ad6d4b6f1f30f713b18d5184912ba8dd389f86aa7710db079abcb0"
"f3624560a2c332724967e1e64689f8549a936fb85fc557ccc4bcbb7e57e373e8"
- "9151cd1072cf33f88c355761ce931346a58555da49cb6241e9498b4c1dd0b87b"
+ "513de8be26c5e2e1fca7ff9562bddd6a1740ce1622c14edfe766287556385cf6"
"2d5221aaa83f32bbc8c75c2d7c70f9ff8021d451b544f230c99fe29b84fcba75"
"72c23c4ba9d3468a1b089d182917123cb15b8bf8b52b3955b98a0357d29b5cbd"
"6ba953245f2a285dbd82ce65635d19410eab1dcd92821c398bdf7ffba9451a9b"
"f5ae64093463a66fa66ecc4627f603ff0f9e17841e1d681dbcc68b1bad95100e"
- "c3e54eacff7f6b4a406dff4b871120c6a97dc5dca179347055514a19d10cfb72"
+ "77b1b7aa5057e8ee8756bcc3a8415ce801f7b935b8f60c4934d4f4648dc5a92c"
"405365bd47efa25b8bcefc93a5c0535fd50cce22b5d8dcea070098aa432ff87e"
"a1149c57e233f7be2f12668f5ef0f03409bd5ad37b1a223bb56d2ae865cf6358"
+ "863d111071bb32c8b5f8baa34731a94861940d2d276ffadf9426d3fc492588b6"
"297bc7d90c473758c9054aaaa6155b4e7232d0dfea761a4e55ed8b743f289f86"
)
@@ -121,6 +123,7 @@ package() {
install -Dvm644 'configurations/local.yaml' -t "${pkgdir}/usr/lib/${pkgname%-git}/"
install -Dvm640 "$srcdir/${pkgname%-git}.yaml" "${pkgdir}/etc/${pkgname%-git}/local.yaml"
install -Dvm644 "$srcdir/${pkgname%-git}-nginx.conf" -t "${pkgdir}/usr/lib/${pkgname%-git}/"
+ install -Dvm644 "$srcdir/minio-server-nginx.conf" -t "${pkgdir}/usr/lib/${pkgname%-git}/"
install -Dvm644 "$srcdir/usr.bin.${pkgname%-git}" -t "${pkgdir}/usr/lib/${pkgname%-git}/"
# systemd
diff --git a/ente-server-man.1.md b/ente-server-man.1.md
index e719b4bab29a..29a52c8b6a9d 100644
--- a/ente-server-man.1.md
+++ b/ente-server-man.1.md
@@ -41,7 +41,7 @@ To get the Ente server running a working PostgreSQL database (to store Ente obje
MINIO_VOLUMES="/srv/minio/data"
MINIO_ROOT_USER=minio
MINIO_ROOT_PASSWORD='<YOUR-STRONG-MINIO-ROOT-PASSWORD>'
- MINIO_OPTS="--address <your_public_domain.tld>:3200 --console-address 127.0.0.1:3201"
+ MINIO_OPTS="--address 127.0.0.1:43200 --console-address 127.0.0.1:43201"
```
- Start on boot and right now:
```
@@ -92,7 +92,7 @@ To get the Ente server running a working PostgreSQL database (to store Ente obje
b2-eu-cen:
key: minio
secret: "<YOUR-STRONG-MINIO-ROOT-PASSWORD>"
- endpoint: <your_public_domain.tld>:3200
+ endpoint: https://<your_public_domain.tld>:3200
region: eu-central-2
bucket: ente-server
```
@@ -123,10 +123,11 @@ To get the Ente server running a working PostgreSQL database (to store Ente obje
**Configuring Nginx proxy**:
-- Copy the example Nginx config and the accompanying HTTP(S) security header config files to the Nginx configuration directory:
+- Copy the example the MinIO and Ente server Nginx config and the accompanying HTTP(S) security header config files to the Nginx configuration directory:
```
sudo cp -v /usr/lib/ente-server/ente-server-nginx.conf /etc/nginx/
sudo cp -v /usr/lib/ente-server/http*security_headers.conf /etc/nginx/
+ sudo cp -v /usr/lib/ente-server/minio-server-nginx.conf /etc/nginx/
```
- Edit this example config, and replace <your_public_domain.tld> with your actual public domain name
- Request a letsencrypt ceritifacte (or a SSL ceritifacte from another provider) if not already done so:
@@ -224,8 +225,8 @@ An AppArmor profile has been provided for those that wish to limit the access th
If a host firewall like iptables or nftables has been enabled and configured, make sure the following is allowed:
- Traffic on localhost
-- Traffic from your Ente (mobile) client to TCP port 443 to reach Nginx
-- Traffic from your Ente (mobile) client to TCP port 3200 to reach the MinIO API port
+- Traffic from your Ente (mobile) client to TCP port 443 to reach the Ente server via Nginx
+- Traffic from your Ente (mobile) client to TCP port 3200 to reach the MinIO server via Nginx
FILES
-----
diff --git a/ente-server.yaml b/ente-server.yaml
index aeb47b340471..202b545a0bbc 100644
--- a/ente-server.yaml
+++ b/ente-server.yaml
@@ -46,7 +46,7 @@ s3:
b2-eu-cen:
key: minio
secret: "<YOUR-STRONG-MINIO-ROOT-PASSWORD>"
- endpoint: <your_public_domain.tld>:3200
+ endpoint: https://<your_public_domain.tld>:3200
region: eu-central-2
bucket: ente-server
diff --git a/minio-server-nginx.conf b/minio-server-nginx.conf
new file mode 100644
index 000000000000..4c413960430e
--- /dev/null
+++ b/minio-server-nginx.conf
@@ -0,0 +1,82 @@
+# configuration based on:
+# <https://min.io/docs/minio/linux/integrations/setup-nginx-proxy-with-minio.html>
+upstream minio-api {
+ server 127.0.0.1:43200;
+}
+
+upstream minio-console {
+ server 127.0.0.1:43201;
+}
+
+server {
+ listen 3200 ssl;
+ listen [::]:3200 ssl;
+ server_name <your_public_domain.tld>;
+ include https_security_headers.conf;
+ http2 on;
+
+ # SSL settings
+ ssl_certificate /etc/letsencrypt/live/<your_public_domain.tld>/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/<your_public_domain.tld>/privkey.pem;
+ ssl_dhparam ssl_dhparam_gen5_4096.pem;
+
+ # Global SSL settings
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384;
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:le_nginx_SSL_minio_server:1m;
+ ssl_session_timeout 1440m;
+ ssl_session_tickets off;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ # Allow special characters in headers
+ ignore_invalid_headers off;
+ # Allow any size file to be uploaded.
+ # Set to a value such as 1000m; to restrict file size to a specific value
+ client_max_body_size 0;
+ # Disable buffering
+ proxy_buffering off;
+ proxy_request_buffering off;
+
+ location / {
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_connect_timeout 300;
+ # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ chunked_transfer_encoding off;
+
+ proxy_pass http://minio-api; # This uses the upstream directive definition to load balance
+ }
+
+ location /minio/ui/ {
+ rewrite ^/minio/ui/(.*) /$1 break;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-NginX-Proxy true;
+
+ # This is necessary to pass the correct IP to be hashed
+ real_ip_header X-Real-IP;
+
+ proxy_connect_timeout 300;
+
+ # To support websockets in MinIO versions released after January 2023
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ # Some environments may encounter CORS errors (Kubernetes + Nginx Ingress)
+ # Uncomment the following line to set the Origin request to an empty string
+ # proxy_set_header Origin '';
+
+ chunked_transfer_encoding off;
+
+ proxy_pass http://minio-console; # This uses the upstream directive definition to load balance
+ }
+}
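Review bot: The `location /minio/ui/` block publishes the MinIO console on the same public 3200 listener as the S3 API, even though the man page change in this commit binds the console to `127.0.0.1:43201`. Since the firewall section tells users to open port 3200 to clients, the admin login becomes reachable from wherever that port is, protected only by the MinIO root credentials. Unless remote console access is intended, restrict the block with `allow 127.0.0.1;`, `allow ::1;`, `deny all;`, or drop it and reach the console over an SSH tunnel. Separately, `real_ip_header X-Real-IP;` has no effect without a `set_real_ip_from` directive. `client_max_body_size 0;` with `proxy_request_buffering off;` leaves upload size unbounded on an internet-facing listener, so shipping a finite default such as the `1000m` the comment already mentions would be safer.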