diff --git a/Dockerfile b/Dockerfile
index 27bed14..f3cfd5e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -21,6 +21,12 @@ RUN make
 
 FROM scratch
 
+COPY --from=alpine /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=ghcr.io/tarampampam/curl:8.6.0 /bin/curl /bin/curl
 COPY --from=backend /app/main /bin/main
 
-CMD [ "/bin/main" ]
+HEALTHCHECK --interval=5m --timeout=2s --retries=3 --start-period=15s CMD [ \
+    "curl", "--fail", "http://127.0.0.1:3909" \
+]
+
+ENTRYPOINT [ "main" ]
\ No newline at end of file
diff --git a/backend/router/browse.go b/backend/router/browse.go
index 1f0f80d..6434b13 100644
--- a/backend/router/browse.go
+++ b/backend/router/browse.go
@@ -331,15 +331,26 @@ func getS3Client(bucket string) (*s3.Client, error) {
 		return nil, fmt.Errorf("cannot get credentials for bucket %s: %w", bucket, err)
 	}
 
+	// Determine endpoint and whether to disable HTTPS
+	endpoint := utils.Garage.GetS3Endpoint()
+	disableHTTPS := !strings.HasPrefix(endpoint, "https://")
+
+	// AWS config without BaseEndpoint
 	awsConfig := aws.Config{
-		Credentials:  creds,
-		Region:       utils.Garage.GetS3Region(),
-		BaseEndpoint: aws.String(utils.Garage.GetS3Endpoint()),
+		Credentials: creds,
+		Region:      utils.Garage.GetS3Region(),
 	}
 
+	// Build S3 client with custom endpoint resolver for proper signing
 	client := s3.NewFromConfig(awsConfig, func(o *s3.Options) {
 		o.UsePathStyle = true
-		o.EndpointOptions.DisableHTTPS = true
+		o.EndpointOptions.DisableHTTPS = disableHTTPS
+		o.EndpointResolver = s3.EndpointResolverFunc(func(region string, opts s3.EndpointResolverOptions) (aws.Endpoint, error) {
+			return aws.Endpoint{
+				URL:           endpoint,
+				SigningRegion: utils.Garage.GetS3Region(),
+			}, nil
+		})
 	})
 
 	return client, nil