preface
Write it down while it’s hot for your future self
Recently, in order to ensure that the pre-production environment is consistent with the future production environment, the access protocol needs to be changed from HTTP to HTTPS compared with the development environment. However, the existing MinIO deployment still provides services through HTTP (default). This causes HTTP based MinIO data to be unavailable in HTTPS pages. MinIO needs to be modified to support HTTPS access.
There are two ideas:
- Nginx reverse proxy to configure HTTPS on the Nginx side, internal MinIO still uses HTTP;
- The MinIO server is directly set to HTTPS.
After determining the possibility of the general direction, I also searched the Internet (link), as expected, basically nginx reverse proxy and MinIO configured to HTTPS two ways. In the first way, there are ready-made plans on the Internet, which can be used as a last-ditch plan. The second method, which is generally reported according to the tutorial on the official website, cannot achieve HTTPS access. But since the official documentation explicitly states that HTTPS is supported, the solution must work. Therefore, the plan is to start from the second plan, if it does not go, and then use the bottom of the scheme.
Environment:
- Centos 8.3
- Docker 20.1
On the pit process
Choose the second plan, which means the beginning of the pit.
{{HOME}}/.minio/certs: {{HOME}}/.minio/certs: {{HOME}}/.minio/certs: {{HOME}}/.minio/certs
Note:
- The private key must be named private.key
- The public key must be named public. CRT. (If the public key ends in pem format, you can change it to CRT format.)
Start MinIO container:
docker run -dit -p 39000:39000 -p 39001:39001 --name minio -v /mnt/data/miniotest/data:/data -v /mnt/data/miniotest/config:/root/.minio -e "MINIO_ACCESS_KEY=username" -e "MINIO_SECRET_KEY=password" minio/minio server /data --address ":39000" --console-address ":39001"Copy the code
Successful startup:
You can see that the access protocol has been changed to HTTPS.
Description:
address
: Address + port of the Minio API call. The address can be IP or hostconsole-address
: IP address + port number of the MinIO Web management page/mnt/data/minio/config
Key and publich. CRT files are stored in the certs folder of the MinIO configuration file directory/mnt/data/minio/data
: Data directory on the host. All bucket data in MinIO is stored in this directoryMINIO_ACCESS_KEY
: Indicates the administrator user nameMINIO_SECRET_KEY
: Administrator password
The first pit
After startup, found:
“Not secure” is displayed when the public and private key of TLS is put in the corresponding location.
The reason is that the public and private key pair of TLS is for the domain name abc.com, and the access mode is IP+port. Therefore, the problem is Not secure. Change the request to domain name +port to resolve the first pit:
The second pit
On the login page, after entering the user name and password, the following information appears:
X509: Cannot validate certificate for XXX.xxx.xxx. XXX because it doesn’t contain any IP SANs
A similar problem cannot be found (cannot login to MinIO console #12646) and the solution:
Run minio server –address “minio.ourdomain.com:443” –certs-dir /etc/minio/certs /mnt/disk{1… 4}/data and it shall work fine – or add your IP to your certs.
In other words, when starting the MinIO service, you need to specify its domain name + port number in the address field, so modify the docker startup configuration as follows:
docker run -dit -p 39000:39000 -p 39001:39001 --name minio -v /mnt/data/miniotest/data:/data -v /mnt/data/miniotest/config:/root/.minio -e "MINIO_ACCESS_KEY=username" -e "MINIO_SECRET_KEY=password" minio/minio server /data --address "open.abc.com:39000" --console-address ":39001"Copy the code
Log back in, thinking it would solve the problem, but instead, fall into a third hole.
The third pit
[root@localhost] docker [root@localhost]
The problem then arises with the configuration of the address field. MinIO automatically assigns the access URL to the address address.
Address 172.17.0.2:39000 = 172.17.0.2:39000
docker run -dit -p 39000:39000 -p 39001:39001 --name minio -v /mnt/data/miniotest/data:/data -v /mnt/data/miniotest/config:/root/.minio -e "MINIO_ACCESS_KEY=username" -e "MINIO_SECRET_KEY=password" minio/minio server /data --address "172.17.0.2:39000" --console-address ":39001"
Copy the code
Restart and find that the API URL has changed to https://172.17.0.2:39000:
In other words, the address configuration can change the URL corresponding to the API. Why not access configured to open.hws.com :39000?
If the address configuration is set to a URL, you need to check whether the URL is connected to the network. So I tested it, and as expected:
Why can’t Open.abc.com be pinged? This involves the network environment of Ali Cloud ECS:
First, the domain name is mapped to a public IP address. Then, the IP address is an elastic IP address bound to the ECS machine. However, the elastic IP address cannot be pinged in the ECS by default, that is, the ping open.abc.com cannot be pinged.
Once you figure out what the problem is, the solution is simple: Add a local hosts mapping to the ECS:
Echo "172.31.0.171 open.abc.com" >> /etc/hostsCopy the code
Description:
172.31.0.171
It is the internal IP address of the ECS eth0 network adapter
Then start the container and add –network=host (docker container uses host network) :
docker run --network=host -dit -p 39000:39000 -p 39001:39001 --name minio -v /mnt/data/miniotest/data:/data -v /mnt/data/miniotest/config:/root/.minio -e "MINIO_ACCESS_KEY=username" -e "MINIO_SECRET_KEY=password" minio/minio server /data --address "open.abc.com:39000" --console-address ":39001"Copy the code
Startup success:
Login successful:
This (before) is (is) dry (waste) goods
Check whether the domain name to be configured can be pinged from the current ECS. If the ping fails, manually add the domain name to /etc/hosts
Echo "{{Intranet IP address of eth0}} {{set domain name}}" >> /etc/hostsCopy the code
Start with Docker:
docker run --network=host -dit -p 39000:39000 -p 39001:39001 --name minio -v /mnt/data/miniotest/data:/data -v /mnt/data/miniotest/config:/root/.minio -e "MINIO_ACCESS_KEY=username" -e "MINIO_SECRET_KEY=password" minio/minio server /data --address "open.abc.com:39000" --console-address ":39001"Copy the code
Docker-compose: docker-compose. Yml: docker-compose
version: '3' services: minio: image: minio/minio command: server --address "open.abc.com:39000" --console-address ":39001" /data ports: - "399:39000" - "39001:39001" EXTRA_hosts: - "DNS_1 :172.17.0.1" environment: MINIO_ACCESS_KEY: "username" MINIO_SECRET_KEY: "password" volumes: - /mnt/data/miniotest/data:/data - /mnt/data/miniotest/config:/root/.minio network_mode: hostCopy the code