From 407a9202082e92a0161f46d6a3405c50aef89ed7 Mon Sep 17 00:00:00 2001
From: Elijah Duffy
Date: Fri, 27 Mar 2026 17:28:37 -0700
Subject: [PATCH] separate S3 use SSL controls for internal & public clients
---
 .env.example | 2 ++
 .../packages/server/src/officeconvert_server/app.py | 1 +
 .../server/src/officeconvert_server/config.py | 11 ++++++++++-
 .../server/src/officeconvert_server/storage.py | 3 ++-
 4 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/.env.example b/.env.example
index d552729..0ac3f74 100644
--- a/.env.example
+++ b/.env.example
@@ -1,6 +1,8 @@
 S3_ENDPOINT=seaweedfs:8333
 S3_PUBLIC_ENDPOINT=localhost:8333
 S3_USE_SSL=false
+# Presigned URLs; omit to match S3_USE_SSL (internal client uses S3_ENDPOINT).
+S3_PUBLIC_USE_SSL=false
 S3_ACCESS_KEY=minioadmin
 S3_SECRET_KEY=minioadmin
 S3_SESSION_TTL_SECONDS=3600
diff --git a/python/packages/server/src/officeconvert_server/app.py b/python/packages/server/src/officeconvert_server/app.py
index bbc6cec..d6f745a 100644
--- a/python/packages/server/src/officeconvert_server/app.py
+++ b/python/packages/server/src/officeconvert_server/app.py
@@ -48,6 +48,7 @@ def create_app() -> ConversionServiceASGIApplication:
 secret_key=config.s3_secret_key,
 secure=config.s3_secure,
 public_endpoint=config.s3_public_endpoint,
+ public_secure=config.s3_public_secure,
 )
 service = ConversionServiceImpl(config=config, store=store)
 return ConversionServiceASGIApplication(service)
diff --git a/python/packages/server/src/officeconvert_server/config.py b/python/packages/server/src/officeconvert_server/config.py
index bf3643e..fbafc71 100644
--- a/python/packages/server/src/officeconvert_server/config.py
+++ b/python/packages/server/src/officeconvert_server/config.py
@@ -15,6 +15,7 @@ class ServerConfig:
 s3_secret_key: str
 s3_secure: bool
 s3_public_endpoint: str
+ s3_public_secure: bool
 s3_session_ttl_seconds: int
 conversion_pptx_to_pdf_timeout_seconds: int
 conversion_pdf_to_images_timeout_seconds: int
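Review bot: The comment added above `S3_PUBLIC_USE_SSL` in the .env.example hunk does not tell a reader what the setting changes, and its parenthetical about `S3_ENDPOINT` is hard to parse. With `false`, the URLs handed to clients would be plain `http://`, and a presigned URL carries its signature in the query string, so it is readable and reusable by anyone on the network path until it expires. I would reword it to `# Scheme for presigned URLs built on S3_PUBLIC_ENDPOINT; leave unset to inherit S3_USE_SSL.` and add a second line, `# Use true anywhere beyond local development: presigned URLs carry their signature in the query string.`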
@@ -27,12 +28,20 @@ class ServerConfig:

 def load_server_config() -> ServerConfig:
 """Load server configuration from environment variables."""
+ s3_secure = os.getenv("S3_USE_SSL", "false").lower() == "true"
+ public_ssl_env = os.getenv("S3_PUBLIC_USE_SSL")
+ s3_public_secure = (
+ public_ssl_env.lower() == "true"
+ if public_ssl_env is not None
+ else s3_secure
+ )
 return ServerConfig(
 s3_endpoint=os.getenv("S3_ENDPOINT", "localhost:8333"),
 s3_access_key=os.getenv("S3_ACCESS_KEY", "minioadmin"),
 s3_secret_key=os.getenv("S3_SECRET_KEY", "minioadmin"),
- s3_secure=os.getenv("S3_USE_SSL", "false").lower() == "true",
+ s3_secure=s3_secure,
 s3_public_endpoint=os.getenv("S3_PUBLIC_ENDPOINT", "localhost:8333"),
+ s3_public_secure=s3_public_secure,
 s3_session_ttl_seconds=int(os.getenv("S3_SESSION_TTL_SECONDS", "3600")),
 conversion_pptx_to_pdf_timeout_seconds=int(
 os.getenv("CONVERSION_PPTX_TO_PDF_TIMEOUT_SECONDS", "180")
diff --git a/python/packages/server/src/officeconvert_server/storage.py b/python/packages/server/src/officeconvert_server/storage.py
index 49c5740..20f1d94 100644
--- a/python/packages/server/src/officeconvert_server/storage.py
+++ b/python/packages/server/src/officeconvert_server/storage.py
@@ -22,6 +22,7 @@ class S3Store:
 secret_key: str,
 secure: bool,
 public_endpoint: str,
+ public_secure: bool,
 ) -> None:
 """Initialize S3 clients for internal and public URL generation."""
 self._client = Minio(
@@ -34,7 +35,7 @@ class S3Store:
 public_endpoint,
 access_key=access_key,
 secret_key=secret_key,
- secure=secure,
+ secure=public_secure,
 )

 def ensure_bucket(self, bucket_name: str) -> None:
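Review bot: In the second config.py hunk (`load_server_config`), any `S3_PUBLIC_USE_SSL` value other than the exact string `true` silently becomes `False`, so a typo, a trailing space or `1` switches presigned URLs to plain HTTP with no error. A variable that is set but empty (`S3_PUBLIC_USE_SSL=`) is not `None` either, so it yields `False` instead of inheriting `S3_USE_SSL`, which contradicts the "omit to match" wording in .env.example. I would parse both flags through one strict helper that treats empty as unset and raises on anything unrecognised, as sketched below. Existing deployments with a non-standard `S3_USE_SSL` value would then fail at startup rather than run without TLS. The function body continues past the end of the hunk.

```python
def _env_bool(name: str, default: bool) -> bool:
    """Read a true/false environment flag; empty or unset means *default*."""
    raw = os.getenv(name)
    if raw is None or not raw.strip():
        return default
    value = raw.strip().lower()
    if value == "true":
        return True
    if value == "false":
        return False
    raise ValueError(f"{name} must be 'true' or 'false', got {raw!r}")


def load_server_config() -> ServerConfig:
    """Load server configuration from environment variables."""
    s3_secure = _env_bool("S3_USE_SSL", False)
    s3_public_secure = _env_bool("S3_PUBLIC_USE_SSL", s3_secure)
    # … unchanged: return ServerConfig(...) with s3_secure / s3_public_secure …
```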
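Review bot: In the first storage.py hunk, `public_secure` is added to `S3Store.__init__` as a required parameter, so any caller outside this diff that still passes only `secure` (tests or scripts, if there are any) would fail with a `TypeError`. A `None` default resolved in the second storage.py hunk keeps the old behaviour and mirrors the environment fallback in config.py: `public_secure: bool | None = None,` together with `secure=secure if public_secure is None else public_secure,`. The docstring could also say that `public_secure` selects the scheme of the URLs produced by the public client, independently of the internal connection. Both the class and `__init__` start outside the hunks.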