From 75ef11ec22cf1de3d2a44bdcbdd1c4ef157b4740 Mon Sep 17 00:00:00 2001
From: hailin
Date: Sat, 7 Mar 2026 02:20:16 -0800
Subject: [PATCH] fix(admin-service): use extra_hosts to route MinIO via gateway Nginx
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Container maps oss.gogenex.com → 192.168.1.200 (LAN IP) so it connects to Nginx:443 which proxies to localhost:9100 (MinIO). Port 443 is already open in UFW; avoids hairpin NAT and raw iptables drop rules that block direct access to 192.168.1.200:9100.

Co-Authored-By: Claude Sonnet 4.6
---
 backend/docker-compose.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/backend/docker-compose.yml b/backend/docker-compose.yml
index d3a8405..f2a29d1 100644
--- a/backend/docker-compose.yml
+++ b/backend/docker-compose.yml
@@ -353,14 +353,16 @@ services:
 - DB_USERNAME=genex
 - DB_PASSWORD=${DB_PASSWORD}
 - DB_NAME=genex
- - MINIO_ENDPOINT=192.168.1.200 # MinIO on gateway server — internal IP (hairpin NAT: public IP unreachable from LAN)
- - MINIO_PORT=9100
- - MINIO_USE_SSL=false
+ - MINIO_ENDPOINT=oss.gogenex.com # Use domain; extra_hosts maps it to 192.168.1.200 (gateway LAN IP) inside container
+ - MINIO_PORT=443
+ - MINIO_USE_SSL=true
 - MINIO_ACCESS_KEY=genex-admin
 - MINIO_SECRET_KEY=genex-minio-secret
 - MINIO_BUCKET=app-releases
 - OSS_BASE_URL=https://oss.gogenex.com # Public download base URL for app packages
 - JWT_ACCESS_SECRET=dev-access-secret-change-in-production
+ extra_hosts:
+ - "oss.gogenex.com:192.168.1.200" # Bypass public DNS; route MinIO via gateway LAN IP (port 443 Nginx → localhost:9100)
 depends_on:
 postgres:
 condition: service_healthy
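Review bot: The context lines `MINIO_ACCESS_KEY=genex-admin` and `MINIO_SECRET_KEY=genex-minio-secret` stay as literals in the compose file while this change points the client at `oss.gogenex.com:443`, the same hostname that `OSS_BASE_URL` describes as the public download URL. If that Nginx vhost is reachable from outside the LAN (inferred, not shown in this hunk), the committed key pair authenticates against the MinIO API from anywhere. Rotate it and inject it the way the database password already is, e.g. `- MINIO_SECRET_KEY=${MINIO_SECRET_KEY}`; the same applies to `JWT_ACCESS_SECRET`. The `extra_hosts` pin also makes the container trust whatever answers on 192.168.1.200, so the MinIO client has to keep certificate verification enabled for `MINIO_USE_SSL=true` to mean anything. The service definition starts and ends outside this hunk.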