From f02cf38e014a46ae242a39d0294d328066b9396e Mon Sep 17 00:00:00 2001 From: thomasabishop Date: Wed, 13 Aug 2025 13:47:23 +0100 Subject: [PATCH] fix (infra): separate S3 into web and api domains --- proxy/nginx/conf.d/{s3.conf => s3-api.conf} | 16 ++------- proxy/nginx/conf.d/s3-web.conf | 36 +++++++++++++++++++++ 2 files changed, 39 insertions(+), 13 deletions(-) rename proxy/nginx/conf.d/{s3.conf => s3-api.conf} (75%) create mode 100644 proxy/nginx/conf.d/s3-web.conf diff --git a/proxy/nginx/conf.d/s3.conf b/proxy/nginx/conf.d/s3-api.conf similarity index 75% rename from proxy/nginx/conf.d/s3.conf rename to proxy/nginx/conf.d/s3-api.conf index 07c59d0..4b9abce 100644 --- a/proxy/nginx/conf.d/s3.conf +++ b/proxy/nginx/conf.d/s3-api.conf @@ -1,4 +1,5 @@ # HTTP configuration + # -- Redirect all HTTP requests to HTTPS port server { listen 80; # HTTP port @@ -12,7 +13,7 @@ server { server { listen 443 ssl; - server_name *.s3.systemsobscure.net s3.systemsobscure.net; + server_name s3.systemsobscure.net; client_max_body_size 100M; # Allow large image uploads @@ -26,7 +27,7 @@ server { # S3 API for authenticated operations - location /api/ { + location / { proxy_pass http://172.18.0.1:3900/; proxy_set_header Host $host; @@ -40,15 +41,4 @@ server { return 204; } } - - - # Web endpoint for public file access - - location / { - proxy_pass http://172.18.0.1:3902; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - } } diff --git a/proxy/nginx/conf.d/s3-web.conf b/proxy/nginx/conf.d/s3-web.conf new file mode 100644 index 0000000..2b0d84e --- /dev/null +++ b/proxy/nginx/conf.d/s3-web.conf 
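Review bot: The added `# -- Redirect all HTTP requests to HTTPS port` comment documents a 301 on the S3 API host, but for an API authenticated with SigV4 the redirect arrives only after the client has already sent its signed `Authorization` header in plaintext, so it masks misconfigured clients rather than protecting them. On this host consider refusing plain HTTP outright, e.g. `return 426;` (or `403`), and keep the 301 for the browser-facing web vhost only. The body of this server block, including the `return` line, is outside the hunk, so this assumes it matches the redirect visible in the new s3-web.conf.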
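Review bot: With `location /` there is no longer a prefix to strip, yet `proxy_pass http://172.18.0.1:3900/;` keeps the trailing slash, which makes nginx forward the normalized (decoded and re-encoded) URI instead of the original request URI; for the S3 API that can alter a percent-encoded object key (`%2F`, `%20`, `+`) between what the client signed with SigV4 and what Garage receives, yielding SignatureDoesNotMatch. Drop the URI part so the request line is passed through unchanged, matching the web block's form: `proxy_pass http://172.18.0.1:3900;`. The remainder of this location block (the other proxy_set_header lines and the OPTIONS handler returning 204) continues outside the hunk.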
@@ -0,0 +1,36 @@ + +# S3 (Garage) Web endpoint for public file access + +# HTTP configuration +# -- Redirect all HTTP requests to HTTPS port +server { + listen 80; # HTTP port + server_name s3.systemsobscure.net; + location / { + return 301 https://$host$request_uri; # Variable is a placeholder for all requests to the server name + } +} + +# HTTPS configuration + +server { + listen 443 ssl; + server_name *.s3.systemsobscure.net; + + # SSL configuration + ssl_certificate /etc/letsencrypt/live/systemsobscure.net/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/systemsobscure.net/privkey.pem; + + # Security headers + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + + + location / { + proxy_pass http://172.18.0.1:3902; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } +}
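Review bot: The HTTP redirect block at the top of the new file uses `server_name s3.systemsobscure.net;` while the HTTPS block below it uses `*.s3.systemsobscure.net`, so a plain-HTTP request for `bucket.s3.systemsobscure.net` never matches this redirect and falls through to whatever nginx treats as the default :80 server, and if the API file's port-80 block carries the same name nginx will log `conflicting server name` and silently keep only the first one. Change the redirect to `server_name *.s3.systemsobscure.net;` so both blocks cover the same hosts. Also confirm that the certificate under `/etc/letsencrypt/live/systemsobscure.net/` lists `*.s3.systemsobscure.net` among its SANs — a wildcard for `*.systemsobscure.net` matches a single label and will not validate bucket subdomains; the SAN list is not visible here. Since this vhost serves arbitrary uploaded objects on a sibling of the main domain, `add_header X-Content-Type-Options nosniff always;` beside the HSTS header is cheap hardening.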