My configuration file works if I'm logging to both volto proxied by Nginx and the Plone on 8080, but as soon as I sign out of 8080. I get unauthorized on the @@download file in the proxied content (the files are not met to be public).
Looking at the network activity, the proxy serves the files if the __AC cookie exists in that domain, but volto does not set a __ac cookie when logging in.
Any advice on how to get volto and Plone to play nice?
So Volto proxies the request for you and return the data from Plone (using the token, thus authenticated).
Don't know the source where you encounter your problem, but I bet that if you are getting the file from the backend by a custom component, you should use flattenToAppUrl helper:
import {
flattenToAppURL
} from '@plone/volto/helpers';
and use it in your code. It does transform an API response using Plone URL to the Volto one, see how it is used in Volto core:
However, in seamless mode that should not be a problem. Did the responses that you get from the API has the same URL than where Volto is hosted?
We created a custom content type and custom views in volto to list the items, which works when developing but when we are testing out deployment (nginx, volto, plone) the files downloaded from volto only if you are logged in to both volto and plone.
So as far as I can understand, for private images while accessing anonymously, the redirect brings you to directly to Plone, that since it sees the image private, then it asks you for login.
For the use case when you are authenticated via Volto auth I think the problem should not be present if you use latest plone.restapi and latest Volto.
While developing, the problem is not there, since the development proxy is present, then it redirects to the backend properly. For me it has nothing to do with the __ac cookie.
The solution is not straightforward, and probably we should add more logic to the Volto SSR server to be able to handle this in seamless mode adequately.
I will create an issue noting this problem and try to tackle asap. Seamless mode is in "experimental" mode and further should be done in the subject, specially refine production deployments. The idea behind seamless mode was the "Zero configuration" for this mode, so the builds do not depend on any build-time config. Any feedback like this one from you is very much appreciated!
If you need to work this out in short, I recommend you to switch to a "traditional" Volto/Plone deployment where the API is under a directory (eg. /api).