# configuration based on:
#   <https://min.io/docs/minio/linux/integrations/setup-nginx-proxy-with-minio.html>
upstream minio-api {
    server 127.0.0.1:43200;
}

upstream minio-console {
    server 127.0.0.1:43201;
}

server {
    listen 3200 ssl;
    listen [::]:3200 ssl;
    server_name <your_public_domain.tld>;
    include https_security_headers.conf;
    http2  on;

    # SSL settings
    ssl_certificate /etc/letsencrypt/live/<your_public_domain.tld>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<your_public_domain.tld>/privkey.pem;
    ssl_dhparam ssl_dhparam_gen5_4096.pem;

    # Global SSL settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:le_nginx_SSL_minio_server:1m;
    ssl_session_timeout 1440m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Allow special characters in headers
    ignore_invalid_headers off;
    # Allow any size file to be uploaded.
    # Set to a value such as 1000m; to restrict file size to a specific value
    client_max_body_size 0;
    # Disable buffering
    proxy_buffering off;
    proxy_request_buffering off;
 
    location / {
       proxy_set_header Host $http_host;
       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header X-Forwarded-Proto $scheme;
 
       proxy_connect_timeout 300;
       # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
       proxy_http_version 1.1;
       proxy_set_header Connection "";
       chunked_transfer_encoding off;
 
       proxy_pass http://minio-api; # This uses the upstream directive definition to load balance
    }
 
    location /minio/ui/ {
       rewrite ^/minio/ui/(.*) /$1 break;
       proxy_set_header Host $http_host;
       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header X-Forwarded-Proto $scheme;
       proxy_set_header X-NginX-Proxy true;
 
       # This is necessary to pass the correct IP to be hashed
       real_ip_header X-Real-IP;
 
       proxy_connect_timeout 300;
 
       # To support websockets in MinIO versions released after January 2023
       proxy_http_version 1.1;
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection "upgrade";
       # Some environments may encounter CORS errors (Kubernetes + Nginx Ingress)
       # Uncomment the following line to set the Origin request to an empty string
       # proxy_set_header Origin '';
 
       chunked_transfer_encoding off;
 
       proxy_pass http://minio-console; # This uses the upstream directive definition to load balance
    }
}