#Tailscale + TSDProxy migration broke uploads and streaming on existing Ente self‑host

Hi, I’m self‑hosting Ente Photos and recently migrated my existing instance from a plain localhost/MinIO setup to the official Tailscale + TSDProxy guide. After this change, I can still log in and see my items listed, but new uploads fail, videos don’t stream, and now even thumbnails no longer load at all.
Environment

• Existing Ente instance with a large library already uploaded
• OS: Alpine Linux
• Runtime: Docker + docker‑compose (rootful)
• Networking:
  • Tailscale running on the host
  • TSDProxy as per Ente’s “Self‑hosting with Tailscale” guide
• Services:
  • museum (Ente backend)
  • minio (local S3)
• Clients:
  • Ente Photos Desktop 1.7.21 on macOS
  • Ente Photos Android client
    What I changed (migration steps)

1. Set up TSDProxy and joined it to my Tailnet.
2. Updated my existing Ente compose file instead of starting from scratch:
   • Added a proxy network and attached:
     • museum with labels:
tsdproxy.enable: "true"
tsdproxy.name: "ente"
     • minio with labels:
tsdproxy.enable: "true"
tsdproxy.name: "minio"
3. Initially configured Ente’s S3 endpoints in credentials.yaml to use the Tailnet MinIO URL:
   • endpoint: https://minio.<tailnet>.ts.net
This caused errors inside museum like:
   • dial tcp: lookup minio.<tailnet>.ts.net on 127.0.0.11:53: no such host
meaning the museum container could not resolve the Tailnet hostname for MinIO.

Analyzing your question, please wait...

4. Switched to “Option A” (internal Docker connectivity):
   • All MinIO‑backed S3 endpoints in credentials.yaml now use:
endpoint: http://minio:3200
   • Verified from inside the museum container:
curl -v http://minio:3200/minio/health/ready → returns HTTP 200 OK.
   • Kept MINIO_SERVER_URL in the MinIO service pointing to the Tailnet URL (for external use only):
MINIO_SERVER_URL= https://minio.<tailnet>.ts.net
     Current behavior

• Backend/API:
  • https://ente.<tailnet>.ts.net/ping returns {"message":"pong"}.
  • API calls like /collections/v2, /trash/v2/diff, /user-entity/entity/diff, /remote-store, /users/session-validity/v2 all return HTTP 200.
  • POST /files/upload-url returns HTTP 200 when I attempt an upload.
  • GET /files/preview/<id> returns HTTP 307 redirects (expected behavior).
  • There are no current S3 errors or HTTP 5xx in museum logs after switching to http://minio:3200.
• MinIO:
  • Healthy and reachable from within museum at http://minio:3200.
• Clients (the broken part):
  • I can log in from the desktop app using https://ente.<tailnet>.ts.net.
  • The grid shows items, but:
    • Thumbnails do not load at all — I see placeholders and can’t click/open them.
    • Video streaming does not work.
    • New uploads fail after several retries.
  • Desktop client logs repeatedly show:
    • TypeError Failed to fetch
    • NetworkDownloadError Failed to fetch
both when trying to download thumbnails and when uploading files.
  • These client errors appear while the server side continues to respond with 200/307 and shows no obvious errors.

What I’ve already tried

• Fixed museum → MinIO DNS by switching S3 endpoints from https://minio.<tailnet>.ts.net to http://minio:3200 for all local buckets and restarting museum.
• Confirmed TSDProxy sees both ente and minio containers in the Tailnet, and that https://ente.<tailnet>.ts.net/ping works from my Mac.
• In the desktop app:
  • Set the custom server to https://ente.<tailnet>.ts.net and fully restarted the app.
  • Also temporarily tried http://ente.<tailnet>.ts.net (which correctly 301 redirects to HTTPS when tested with curl).
  • Cleared and retried uploads with single small images.
• After these changes, the situation actually got worse from a user perspective:
  • Previously I could at least view existing photos and only new uploads were failing.
  • Now thumbnails don’t load at all, videos don’t stream, and new uploads still fail, despite the backend and MinIO appearing healthy and returning 200s.
    What I’m looking for
• Is there any Ente‑specific config I need to adjust after changing the S3 endpoints from a Tailnet URL to http://minio:3200?
• Could presigned URLs for thumbnails and uploads still be using the old Tailnet MinIO URL or some other base URL that I should update?
• Are there known issues or special considerations when using Ente with Tailscale + TSDProxy for an existing instance, especially around the desktop client showing TypeError Failed to fetch even when the backend returns only 200/307?
  I can share my docker-compose.yml (museum and MinIO services) and credentials.yaml with secrets removed if that helps to diagnose.