separate S3 use SSL controls for internal & public clients

.env.example

@@ -1,6 +1,8 @@
 S3_ENDPOINT=seaweedfs:8333
 S3_PUBLIC_ENDPOINT=localhost:8333
 S3_USE_SSL=false
+# Presigned URLs; omit to match S3_USE_SSL (internal client uses S3_ENDPOINT).
+S3_PUBLIC_USE_SSL=false
 S3_ACCESS_KEY=minioadmin
 S3_SECRET_KEY=minioadmin
 S3_SESSION_TTL_SECONDS=3600

python/packages/server/src/officeconvert_server/app.py

@@ -48,6 +48,7 @@ def create_app() -> ConversionServiceASGIApplication:
         secret_key=config.s3_secret_key,
         secure=config.s3_secure,
         public_endpoint=config.s3_public_endpoint,
+        public_secure=config.s3_public_secure,
     )
     service = ConversionServiceImpl(config=config, store=store)
     return ConversionServiceASGIApplication(service)

python/packages/server/src/officeconvert_server/config.py

@@ -15,6 +15,7 @@ class ServerConfig:
     s3_secret_key: str
     s3_secure: bool
     s3_public_endpoint: str
+    s3_public_secure: bool
     s3_session_ttl_seconds: int
     conversion_pptx_to_pdf_timeout_seconds: int
     conversion_pdf_to_images_timeout_seconds: int
@@ -27,12 +28,20 @@ class ServerConfig:
 
 def load_server_config() -> ServerConfig:
     """Load server configuration from environment variables."""
+    s3_secure = os.getenv("S3_USE_SSL", "false").lower() == "true"
+    public_ssl_env = os.getenv("S3_PUBLIC_USE_SSL")
+    s3_public_secure = (
+        public_ssl_env.lower() == "true"
+        if public_ssl_env is not None
+        else s3_secure
+    )
     return ServerConfig(
         s3_endpoint=os.getenv("S3_ENDPOINT", "localhost:8333"),
         s3_access_key=os.getenv("S3_ACCESS_KEY", "minioadmin"),
         s3_secret_key=os.getenv("S3_SECRET_KEY", "minioadmin"),
-        s3_secure=os.getenv("S3_USE_SSL", "false").lower() == "true",
+        s3_secure=s3_secure,
         s3_public_endpoint=os.getenv("S3_PUBLIC_ENDPOINT", "localhost:8333"),
+        s3_public_secure=s3_public_secure,
         s3_session_ttl_seconds=int(os.getenv("S3_SESSION_TTL_SECONDS", "3600")),
         conversion_pptx_to_pdf_timeout_seconds=int(
             os.getenv("CONVERSION_PPTX_TO_PDF_TIMEOUT_SECONDS", "180")

python/packages/server/src/officeconvert_server/storage.py

@@ -22,6 +22,7 @@ class S3Store:
         secret_key: str,
         secure: bool,
         public_endpoint: str,
+        public_secure: bool,
     ) -> None:
         """Initialize S3 clients for internal and public URL generation."""
         self._client = Minio(
@@ -34,7 +35,7 @@ class S3Store:
             public_endpoint,
             access_key=access_key,
             secret_key=secret_key,
-            secure=secure,
+            secure=public_secure,
         )
 
     def ensure_bucket(self, bucket_name: str) -> None: