SignatureDoesNotMatch Error When Uploading to Self-Hosted MinIO #5116
Description
Describe the bug
I am encountering a persistent SignatureDoesNotMatch error when trying to upload attachments to a self-hosted MinIO S3 storage backend. The setup involves running Memos and MinIO in Docker containers, with Traefik as a reverse proxy and Cloudflare handling DNS and acting as a proxy.
Direct uploads to MinIO using its local IP address and port (http://192.168.1.50:9000) work perfectly. Uploads using Postman with AWS Signature v4 authentication to the public domain (https://s3.zenkiet.dev) also work successfully. The issue only occurs within the Memos application when the S3 endpoint is set to the public, proxied domain.
This indicates the issue lies in how the Memos S3 client constructs or sends its request when operating behind this specific proxy chain.
Error Message:
failed to save attachment blob: Failed to upload via s3 client: operation error S3: PutObject, https response error StatusCode: 403, RequestID: 18675BDF732176A7, HostID: dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8, api error SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your key and signing method.
Steps to reproduce
System Configuration:
- Memos: Running in Docker.
- Storage: MinIO, self-hosted in Docker.
- Reverse Proxy: Traefik, configured with wildcard rules for virtual-host style buckets (Host(...) || HostRegexp(...)) and passHostHeader: true.
Cloudflare:
- Cloudflare, proxying traffic to Traefik.
- Cloudflare SSL/TLS Mode: Set to Full (Strict).
- DNS: Configured A records for the base domains (s3.zenkiet.dev, minio.zenkiet.dev) and a wildcard CNAME record (*.s3.zenkiet.dev). All are proxied through Cloudflare.
MinIO Configuration:
- Set MINIO_SERVER_URL to the public API endpoint (https://s3.zenkiet.dev).
Memos Configuration:
The version of Memos you're using
0.25.1
Screenshots or additional context
No response