From 6c6b9b076b508fe1ad12a8e8ef38f901160b520e Mon Sep 17 00:00:00 2001
From: Jason Yang <git@jasony.org>
Date: Sun, 1 Jun 2025 19:30:47 -0700
Subject: [PATCH 1/3] fix: using full distro to include ca-certificate
 supporting https connection

---
 Dockerfile | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 27bed14..01c9aef 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -19,8 +19,10 @@ COPY backend/ ./
 COPY --from=frontend /app/dist ./ui/dist
 RUN make
 
-FROM scratch
+FROM debian:bookworm-slim
 
 COPY --from=backend /app/main /bin/main
 
+RUN apt update && apt install -y ca-certificates && rm -rf /var/lib/apt/lists/*
+
 CMD [ "/bin/main" ]

From ff39a6cd825174639d21d9680d0363c750e2e96c Mon Sep 17 00:00:00 2001
From: Jason Yang <git@jasony.org>
Date: Tue, 3 Jun 2025 21:57:58 -0700
Subject: [PATCH 2/3] feat: using scratch image w/ copy binary from other
 distro, and included healthcheck

---
 Dockerfile | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 01c9aef..f3cfd5e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -19,10 +19,14 @@ COPY backend/ ./
 COPY --from=frontend /app/dist ./ui/dist
 RUN make
 
-FROM debian:bookworm-slim
+FROM scratch
 
+COPY --from=alpine /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=ghcr.io/tarampampam/curl:8.6.0 /bin/curl /bin/curl
 COPY --from=backend /app/main /bin/main
 
-RUN apt update && apt install -y ca-certificates && rm -rf /var/lib/apt/lists/*
+HEALTHCHECK --interval=5m --timeout=2s --retries=3 --start-period=15s CMD [ \
+    "curl", "--fail", "http://127.0.0.1:3909" \
+]
 
-CMD [ "/bin/main" ]
+ENTRYPOINT [ "main" ]
\ No newline at end of file

From 5f0f200c035acf29ec3e11a35b03aabd587d30be Mon Sep 17 00:00:00 2001
From: Jason Yang <git@jasony.org>
Date: Tue, 3 Jun 2025 23:20:00 -0700
Subject: [PATCH 3/3] fix: browser for bucket handle https connection using new
 resolver

---
 backend/router/browse.go | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/backend/router/browse.go b/backend/router/browse.go
index 1f0f80d..6434b13 100644
--- a/backend/router/browse.go
+++ b/backend/router/browse.go
@@ -331,15 +331,26 @@ func getS3Client(bucket string) (*s3.Client, error) {
 		return nil, fmt.Errorf("cannot get credentials for bucket %s: %w", bucket, err)
 	}
 
+	// Determine endpoint and whether to disable HTTPS
+	endpoint := utils.Garage.GetS3Endpoint()
+	disableHTTPS := !strings.HasPrefix(endpoint, "https://")
+
+	// AWS config without BaseEndpoint
 	awsConfig := aws.Config{
-		Credentials:  creds,
-		Region:       utils.Garage.GetS3Region(),
-		BaseEndpoint: aws.String(utils.Garage.GetS3Endpoint()),
+		Credentials: creds,
+		Region:      utils.Garage.GetS3Region(),
 	}
 
+	// Build S3 client with custom endpoint resolver for proper signing
 	client := s3.NewFromConfig(awsConfig, func(o *s3.Options) {
 		o.UsePathStyle = true
-		o.EndpointOptions.DisableHTTPS = true
+		o.EndpointOptions.DisableHTTPS = disableHTTPS
+		o.EndpointResolver = s3.EndpointResolverFunc(func(region string, opts s3.EndpointResolverOptions) (aws.Endpoint, error) {
+			return aws.Endpoint{
+				URL:           endpoint,
+				SigningRegion: utils.Garage.GetS3Region(),
+			}, nil
+		})
 	})
 
 	return client, nil