这是一个创建于 610 天前的主题,其中的信息可能已经有所发展或是发生改变。
部署方式
Minio+Nginx+Docker
问题现象与分析
通过 NGINX 代理后无法登陆控制台,登录返回 401 "invalid Login"。
怀疑点:minio 的证书必须包含 ip
尝试如下的配置
- minio 不加证书
- minio 加自签名证书
- 将 Nginx 证书复制到 minio 中
但问题依旧,Nginx 证书这里都是使用的泛域名证书。
配置文件
1. Minio 配置
services:
minio:
image: minio/minio:RELEASE.2022-08-08T18-34-09Z
container_name: minio
restart: always
expose:
- 9000
- 9001
environment:
- MINIO_ROOT_USER=[username]
- MINIO_ROOT_PASSWORD=[password]
- MINIO_DOMAIN=[minio domain]
- MINIO_BROWSER_REDIRECT_URL=https://[minio console domain]
- MINIO_SERVER_URL=https://[minio domain]
volumes:
- /work/minio/conf:/root/.minio
- /work/minio/data:/data
command: server /data --console-address ":9001"
2. Nginx 配置( minio )
其中*.[minio domain]是为了群晖同步使用
server {
listen 443 ssl http2;
server_name [minio domain];
charset utf-8;
server_tokens off;
access_log logs/[minio domain].log main;
ssl_certificate ssl/[minio domain]/fullchain.pem;
ssl_certificate_key ssl/[minio domain]/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate ssl/[minio domain]/chain.pem;
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 10m;
ssl_session_tickets on;
add_header X-Frame-Options "DENY";
add_header X-Content-Type-Options nosniff;
# add_header Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'";
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "origin";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 3s;
proxy_read_timeout 15s;
client_max_body_size 0;
chunked_transfer_encoding off;
ignore_invalid_headers off;
proxy_buffering off;
proxy_request_buffering off;
location / {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass https://minios/;
}
}
server {
listen 443 ssl http2;
server_name *.[minio domain];
charset utf-8;
server_tokens off;
access_log logs/[minio domain].log main;
ssl_certificate ssl/[minio domain]/fullchain.pem;
ssl_certificate_key ssl/[minio domain]/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate ssl/[minio domain]/chain.pem;
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 10m;
ssl_session_tickets on;
add_header X-Frame-Options "DENY";
add_header X-Content-Type-Options nosniff;
# add_header Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'";
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "origin";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 3s;
proxy_read_timeout 15s;
client_max_body_size 0;
chunked_transfer_encoding off;
ignore_invalid_headers off;
proxy_buffering off;
proxy_request_buffering off;
location / {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass https://minios/;
}
}
3. Nginx 配置( minio 控制台)
server {
listen 443 ssl http2;
server_name [minio console domain];
charset utf-8;
server_tokens off;
access_log logs/[minio console domain].log main;
ssl_certificate ssl/[minio console domain]/fullchain.pem;
ssl_certificate_key ssl/[minio console domain]/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate ssl/[minio console domain]/chain.pem;
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 10m;
ssl_session_tickets on;
add_header X-Frame-Options "DENY";
add_header X-Content-Type-Options nosniff;
# add_header Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'";
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "origin";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 3s;
proxy_read_timeout 15s;
client_max_body_size 0;
chunked_transfer_encoding off;
ignore_invalid_headers off;
proxy_buffering off;
proxy_request_buffering off;
location / {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-NginX-Proxy true;
proxy_pass https://minioc/;
}
}
如果 Minio 无法实现,请各位大佬提供支持自建其他对象存储产品,需求如下
- 自建
- Docker 部署
- 兼容 S3
- 自带控制台上传下载文件
- Nginx 提供 HTTPS
- 可以群晖同步(即支持 bucket.domain 方式访问与 HTTPS 访问)
第 1 条附言 · 2022-11-14 09:11:37 +08:00
非完美解决方案, 需要手动设置 bucket 域名访问
services:
minio:
image: minio/minio:RELEASE.XXX
container_name: minio
hostname: minio.yourdomain.com
restart: always
expose:
- 443
- 9001
environment:
- MINIO_ROOT_USER=yourusername
- MINIO_ROOT_PASSWORD=yourpassword
- MINIO_DOMAIN=minio.yourdomain.com
- MINIO_BROWSER_REDIRECT_URL=https://minio-console.yourdomain.com/
- MINIO_SERVER_URL=https://minio.yourdomain.com/
volumes:
- /work/minio/conf:/root/.minio # https 证书, 需要包含 minio.yourdomain.com, minio-console.yourdomain.com, *.minio.yourdomain.com
- /work/minio/data:/data
command: server /data --address ":443" --console-address ":9001"
networks:
net_app:
aliases: # 为了支持 bucket 域名访问, 暂时仅查到手动添加, 可以使用私网 dns.
- bucketA.minio.yourdomain.com
- bucketB.minio.yourdomain.com
services:
minio:
image: minio/minio:RELEASE.XXX
container_name: minio
hostname: minio.yourdomain.com
restart: always
expose:
- 443
- 9001
environment:
- MINIO_ROOT_USER=yourusername
- MINIO_ROOT_PASSWORD=yourpassword
- MINIO_DOMAIN=minio.yourdomain.com
- MINIO_BROWSER_REDIRECT_URL=https://minio-console.yourdomain.com/
- MINIO_SERVER_URL=https://minio.yourdomain.com/
volumes:
- /work/minio/conf:/root/.minio # https 证书, 需要包含 minio.yourdomain.com, minio-console.yourdomain.com, *.minio.yourdomain.com
- /work/minio/data:/data
command: server /data --address ":443" --console-address ":9001"
networks:
net_app:
aliases: # 为了支持 bucket 域名访问, 暂时仅查到手动添加, 可以使用私网 dns.
- bucketA.minio.yourdomain.com
- bucketB.minio.yourdomain.com
13 条回复 • 2024-01-29 17:55:51 +08:00
 |
1
photon006 2022-08-18 11:50:01 +08:00  1
minio 不用证书,nginx 配证书就行了,我是这样:
``` docker run \ -d --name minio \ --restart=always \ -p 9000:9000 \ -p 9001:9001 \ -v /dev/sda1/minio:/data \ -e TZ=Asia/Shanghai \ -e MINIO_ROOT_USER=admin \ -e MINIO_ROOT_PASSWORD=pwd \ -e MINIO_SERVER_URL=https://minio-api.example.com/ \ minio/minio server /data --address :9000 --console-address :9001 ``` |
 |
2
SenLief 2022-08-18 11:52:53 +08:00
我用 docker 的
docker run -p 9000:9000 -p 9090:9090 \ --net=host \ --name minio \ -d --restart=always \ -e "MINIO_ACCESS_KEY=admin" \ -e "MINIO_SECRET_KEY=p8HhVAqjp" \ -v ~/minio/data:/data \ -v ~/minio/config:/root/.minio \ minio/minio server \ /data --console-address ":9090" -address ":9000" 这个配置,前端反代用的 nginx 反代 9000 和 9090 了。 |
|
5
photon006 2022-08-18 13:48:50 +08:00
@zliea nginx 使用 2 个二级域名,分别反代 api 和后台管理界面,比如:
# 后台管理界面 server_name minio.example.com; location / { proxy_pass http://10.13.1.27:9001; } # 程序调用 api 及分享的链接 server_name minio-api.example.com; location / { proxy_pass http://10.13.1.27:9000; } 你本身就是泛域名证书,配起来很容易。 |
 |
6
fuxinya 2022-08-18 13:58:03 +08:00
启动:(建议使用 bitnami rootless 镜像)
``` docker run --network app -hminio -d --name minio --restart=unless-stopped \ -p 9000:9000 -p 9001:9001 \ -e "MINIO_ROOT_USER=minio" \ -e "MINIO_ROOT_PASSWORD=xxxx" \ -e "MINIO_API_PORT_NUMBER=9000" \ -e "MINIO_CONSOLE_PORT_NUMBER=9001" \ -v /path/to/minio/data:/data \ bitnami/minio:2022.5.8 ``` Nginx 配置:(证书是在 nginx 上配) ``` location / { proxy_pass http://127.0.0.1:9001; } ``` |
 |
7
yimiaoxiehou 2022-08-18 17:29:29 +08:00
用 bitnami 的镜像吧,然后把 MINIO_SERVER_HOST 改下应该就行
docker run --rm --name minio-client \ --env MINIO_SERVER_HOST="my.minio.domain" \ --env MINIO_SERVER_ACCESS_KEY="minio-access-key" \ --env MINIO_SERVER_SECRET_KEY="minio-secret-key" \ bitnami/minio-client \ mb minio/my-bucket |
|
8
yimiaoxiehou 2022-08-18 17:29:47 +08:00
@yimiaoxiehou 然后再套一层 nginx https
|
 |
9
loveyu 2022-08-18 18:22:30 +08:00
最近遇到一模一样的问题,invalid Login 是 minio 内部无法访问 MINIO_SERVER_URL=https://[minio domain] 导致的,保证 docker 内部可以直接访问就行了
|
 |
10
blankmiss 2022-11-12 21:57:53 +08:00
我和你遭遇到了一样的问题 有解决方案了吗
|
 |
11
zliea OP @blankmiss
``` services: minio: image: minio/minio:RELEASE.XXX container_name: minio hostname: minio.yourdomain.com restart: always expose: - 443 - 9001 environment: - MINIO_ROOT_USER=yourusername - MINIO_ROOT_PASSWORD=yourpassword - MINIO_DOMAIN=minio.yourdomain.com - MINIO_BROWSER_REDIRECT_URL=https://minio-console.yourdomain.com/ - MINIO_SERVER_URL=https://minio.yourdomain.com/ volumes: - /work/minio/conf:/root/.minio # https 证书, 需要包含 minio.yourdomain.com, minio-console.yourdomain.com, *.minio.yourdomain.com - /work/minio/data:/data command: server /data --address ":443" --console-address ":9001" networks: net_app: aliases: # 为了支持 bucket 域名访问, 暂时仅查到手动添加, 可以使用私网 dns. - bucketA.minio.yourdomain.com - bucketB.minio.yourdomain.com ``` |
|
12
blankmiss 2022-11-15 19:56:49 +08:00
@zliea 反向代理的时候 请求文件链接会报错
后台查看图片和预览文件也一样会 Access Denied ``` {"code":500,"detailedMessage":"Access Denied.","message":"an error occurred, please try again"} ``` ``` location ^~ / { proxy_pass http://127.0.0.1:9000; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header REMOTE-HOST $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; add_header X-Cache $upstream_cache_status; proxy_connect_timeout 300; proxy_http_version 1.1; proxy_set_header Connection ""; chunked_transfer_encoding off; } ``` 这是我的反向代理配置 按照官网来写的 |
 |
13
wangbin11 80 天前
我是内网自签名证书,minio 有办法信任吗,容器内是可以访问的,{"message":"invalid Login"}
|
Select Language