Preface

Writing it down while it is still fresh, for my future self.

Recently, to keep the pre-production environment consistent with the future production environment, its access protocol had to be changed from HTTP (as used in development) to HTTPS. The existing MinIO deployment, however, still serves over HTTP (the default), so a page loaded over HTTPS can no longer load MinIO data over HTTP: browsers block such mixed content. MinIO therefore had to be made to support HTTPS access.

There are two approaches:

  1. Put an Nginx reverse proxy in front and terminate HTTPS on the Nginx side, leaving MinIO on HTTP internally;
  2. Configure the MinIO server itself to serve HTTPS.

After settling on the general direction I also searched the web (link); as expected, the results fall into the same two camps: an Nginx reverse proxy, or MinIO configured for HTTPS directly. The first approach has ready-made recipes online and can serve as the fallback. For the second, people generally report that following the tutorial on the official website does not result in working HTTPS access. But since the official documentation explicitly states that HTTPS is supported, the approach must be workable. So the plan is to start with the second approach and fall back to the first only if it does not pan out.

Environment:

  • CentOS 8.3
  • Docker 20.1

The pitfalls, in order

Going with the second approach is where the pits begin.

Following the official documentation, the TLS certificate and private key are placed in {{HOME}}/.minio/certs (the certs subfolder of the MinIO configuration directory, {{HOME}} being the home directory of the user MinIO runs as):

Note:

  • The private key must be named private.key
  • The certificate (the "public key" file) must be named public.crt. Both files must be PEM-encoded; a certificate issued with a .pem extension is the same PEM text and only needs to be renamed to public.crt. If either file is named differently, MinIO ignores it and silently keeps serving plain HTTP.
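A preflight check for the certs directory, as an added example that is not part of the original post or of MinIO: it verifies the two file names, that both files are PEM (not DER/PFX), that the key is not passphrase-protected (MinIO would need the passphrase via MINIO_CERT_PASSWD), and that the key is not group- or world-readable on the host. The sample directory contents are constructed placeholders, not real key material.

```python
"""Check a MinIO certs directory before starting the container.

Added example, not MinIO's own code.  MinIO enables TLS only when its
certs directory ({{HOME}}/.minio/certs, or --certs-dir) holds a PEM
certificate named public.crt and a PEM key named private.key; anything
else is ignored and the server silently stays on HTTP.  The checks work
on an in-memory {filename: (text, mode)} mapping so they can run on
constructed input; load_certs_dir() fills that mapping from a real dir.
"""
import os
import stat

CERT_NAME = "public.crt"
KEY_NAME = "private.key"
CERT_HEADER = "-----BEGIN CERTIFICATE-----"
KEY_HEADERS = (
    "-----BEGIN PRIVATE KEY-----",      # PKCS#8
    "-----BEGIN RSA PRIVATE KEY-----",  # PKCS#1
    "-----BEGIN EC PRIVATE KEY-----",   # SEC 1
)


def load_certs_dir(certs_dir):
    """Read every regular file in `certs_dir` into {name: (text, mode)}."""
    files = {}
    for name in os.listdir(certs_dir):
        path = os.path.join(certs_dir, name)
        if os.path.isfile(path):
            with open(path, encoding="ascii", errors="replace") as fh:
                files[name] = (fh.read(), stat.S_IMODE(os.stat(path).st_mode))
    return files


def _header(text):
    """First two non-blank lines of a PEM file: the BEGIN line, and the line
    after it, where legacy OpenSSL keys carry 'Proc-Type: 4,ENCRYPTED'."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return (lines[0] if lines else ""), (lines[1] if len(lines) > 1 else "")


def check_certs(files):
    """Return the problems found; an empty list means MinIO will pick the pair up."""
    problems = []
    if CERT_NAME not in files:
        others = sorted(n for n in files if n.endswith((".pem", ".cer", ".crt")))
        hint = f" (found {others}; a PEM certificate only needs renaming)" if others else ""
        problems.append(f"missing {CERT_NAME}{hint}")
    if KEY_NAME not in files:
        problems.append(f"missing {KEY_NAME}")
    if problems:
        return problems

    cert_text, _ = files[CERT_NAME]
    first, _ = _header(cert_text)
    if first != CERT_HEADER:
        problems.append(f"{CERT_NAME} is not a PEM certificate (starts with {first!r}); "
                        "convert DER/PFX to PEM first")

    key_text, key_mode = files[KEY_NAME]
    first, second = _header(key_text)
    if "ENCRYPTED" in first or "ENCRYPTED" in second:
        problems.append(f"{KEY_NAME} is passphrase-protected; MinIO needs the "
                        "passphrase via MINIO_CERT_PASSWD")
    elif first not in KEY_HEADERS:
        problems.append(f"{KEY_NAME} is not a PEM private key (starts with {first!r})")
    if key_mode & 0o077:  # readable by group or others
        problems.append(f"{KEY_NAME} mode is {key_mode:04o}; chmod 600 it")
    return problems


# Constructed sample (not real key material): the certificate is still under
# the name it was issued with, and the key is an encrypted PKCS#8 key that is
# group-readable.
SAMPLE_DIR = {
    "abc.com.pem": ("-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n"
                    "-----END CERTIFICATE-----\n", 0o644),
    "private.key": ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIE...constructed...\n"
                    "-----END ENCRYPTED PRIVATE KEY-----\n", 0o640),
}

if __name__ == "__main__":
    import sys
    files = load_certs_dir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DIR
    for problem in check_certs(files) or ["ok: MinIO will serve HTTPS from this directory"]:
        print(problem)
```

Run it with the host-side certs directory as the argument (for the container above that is /mnt/data/miniotest/config/certs); with no argument it reports on the constructed sample.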

Start the MinIO container:

docker run -dit -p 39000:39000 -p 39001:39001 --name minio \
  -v /mnt/data/miniotest/data:/data \
  -v /mnt/data/miniotest/config:/root/.minio \
  -e "MINIO_ACCESS_KEY=username" -e "MINIO_SECRET_KEY=password" \
  minio/minio server /data --address ":39000" --console-address ":39001"

Successful startup:

You can see that the access protocol has been changed to HTTPS.

Description:

  • --address: the address and port the MinIO API listens on; the host part can be an IP or a hostname
  • --console-address: the address and port of the MinIO web console
  • /mnt/data/miniotest/config: the MinIO configuration directory on the host, mounted as /root/.minio in the container; private.key and public.crt go in its certs subfolder
  • /mnt/data/miniotest/data: the data directory on the host; all bucket data in MinIO is stored here
  • MINIO_ACCESS_KEY: the administrator user name
  • MINIO_SECRET_KEY: the administrator password

MINIO_ACCESS_KEY and MINIO_SECRET_KEY are the legacy variable names; current MinIO releases document MINIO_ROOT_USER and MINIO_ROOT_PASSWORD instead. "username" and "password" here are placeholders to be replaced with strong values, and anything passed with -e is visible in docker inspect to anyone with access to the Docker socket.

The first pit

After startup, I found:

The browser shows "Not secure" even though the TLS certificate and private key are in the right place.

The reason is that the certificate was issued for the domain abc.com, while the page is being accessed by IP + port, so the name in the URL does not match the certificate and the browser reports Not secure. Accessing by domain name + port resolves the first pit:

The second pit

On the login page, after entering the user name and password, the following error appears:

x509: cannot validate certificate for xxx.xxx.xxx.xxx because it doesn't contain any IP SANs

I found a similar issue on GitHub (cannot login to MinIO console #12646), with this suggested solution:

Run minio server --address "minio.ourdomain.com:443" --certs-dir /etc/minio/certs /mnt/disk{1...4}/data and it shall work fine - or add your IP to your certs.

In other words, the console connects to the MinIO API at the address MinIO was started with; if that is an IP and the certificate carries no IP SAN, the TLS check fails. So when starting the MinIO service, specify the domain name + port in --address, which means changing the docker startup command as follows:

docker run -dit -p 39000:39000 -p 39001:39001 --name minio \
  -v /mnt/data/miniotest/data:/data \
  -v /mnt/data/miniotest/config:/root/.minio \
  -e "MINIO_ACCESS_KEY=username" -e "MINIO_SECRET_KEY=password" \
  minio/minio server /data --address "open.abc.com:39000" --console-address ":39001"

Logging in again, I expected this to solve the problem, but instead fell into the third pit.

The third pit

[root@localhost]# docker ... (the container output shown here did not survive extraction)

So the problem lies in the --address setting: MinIO derives the API URL it advertises from the --address value.

Try setting --address to the container's own IP, 172.17.0.2:39000:

docker run -dit -p 39000:39000 -p 39001:39001 --name minio \
  -v /mnt/data/miniotest/data:/data \
  -v /mnt/data/miniotest/config:/root/.minio \
  -e "MINIO_ACCESS_KEY=username" -e "MINIO_SECRET_KEY=password" \
  minio/minio server /data --address "172.17.0.2:39000" --console-address ":39001"

Restart, and the API URL becomes https://172.17.0.2:39000:

In other words, --address does change the URL the API is reached at. So why can it not be set to open.abc.com:39000?

--address is a bind address: when it is set to a hostname, that name must resolve, from inside the container, to an IP that is configured on a local interface, otherwise the listener cannot bind to it. So the first thing to check is whether the name even resolves and is reachable. So I tested it, and as expected:

Why can't open.abc.com be pinged? This comes down to the network setup of an Alibaba Cloud ECS instance:

The domain name maps to a public IP address, and that IP is an elastic IP (EIP) bound to the ECS instance. The EIP, however, is not configured on the instance's own network interface (the instance only sees its private address), so by default the EIP cannot be pinged from inside the ECS, and neither can open.abc.com, which resolves to it. For the same reason a process on the instance cannot bind to that address.

Once the cause is clear, the fix is simple: add a local hosts mapping on the ECS instance:

echo "172.31.0.171 open.abc.com" >> /etc/hosts

Description:

  • 172.31.0.171 is the private IP address of the ECS instance's eth0 interface

Then start the container with --network=host, so that it uses the host's network namespace: it listens directly on the host's interfaces and sees the hosts mapping added above:

docker run --network=host -dit -p 39000:39000 -p 39001:39001 --name minio \
  -v /mnt/data/miniotest/data:/data \
  -v /mnt/data/miniotest/config:/root/.minio \
  -e "MINIO_ACCESS_KEY=username" -e "MINIO_SECRET_KEY=password" \
  minio/minio server /data --address "open.abc.com:39000" --console-address ":39001"

With --network=host the -p flags are no-ops (Docker warns that published ports are discarded in host network mode); ports 39000 and 39001 are opened directly on the host. Host networking also removes the network isolation between the container and the host, so the host firewall and the ECS security group are what limit exposure of these ports.

Startup success:

Login successful:

The takeaway (the part that is actually useful)

Check whether the domain name you are going to configure resolves and is reachable (for example with ping) from the ECS instance itself. If it is not, map the domain to the instance's private IP manually in /etc/hosts:

echo "{{Intranet IP address of eth0}} {{set domain name}}" >> /etc/hosts
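The check in the step above, as an added example that is not part of the original post or of MinIO: it reproduces the second and third pits in code. plan_address() rejects a bare IP as --address (the console's TLS check would fail with the "doesn't contain any IP SANs" error), resolves the name the way the C library does (hosts file first, then DNS), and then performs the same bind(2) MinIO's listener performs to see whether the resolved IP is actually on a local interface; if not, it prints the /etc/hosts line to add. The domain open.abc.com and the private address 172.31.0.171 are from the post; 203.0.113.10 is a documentation address standing in for the real elastic IP, and the hosts-file contents are constructed so the check runs without touching /etc/hosts.

```python
"""Preflight for the MinIO --address value.

Added example, not MinIO's own code.  --address is a bind address: MinIO
resolves its host part and listens on that IP, and the embedded console
reaches the API through the same name over TLS.  So the name must be the
one in the certificate (a bare IP fails with "doesn't contain any IP SANs"),
and it must resolve, inside the container, to an IP that exists on a local
interface, otherwise the listener cannot bind.  Behind a NAT-style elastic
IP the public DNS answer fails that second test, and the fix is a hosts
entry pointing the name at the private NIC address.
"""
import errno
import ipaddress
import socket


def resolve(host, hosts_text=None):
    """Resolve `host` like the C library: hosts file first, then DNS.

    `hosts_text` is the contents of a hosts file; None means read /etc/hosts.
    Returns the IP as a string, or None if the name cannot be resolved."""
    if hosts_text is None:
        try:
            with open("/etc/hosts", encoding="utf-8", errors="replace") as fh:
                hosts_text = fh.read()
        except OSError:
            hosts_text = ""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and host in fields[1:]:
            return fields[0]
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def can_bind(ip, port=0):
    """True if a TCP socket can be bound to `ip`, i.e. the address is on a
    local interface.  This is the same bind(2) MinIO's listener performs;
    a non-local address fails with EADDRNOTAVAIL."""
    family = socket.AF_INET6 if ":" in ip else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_STREAM)
    try:
        sock.bind((ip, port))
        return True
    except OSError as exc:
        if exc.errno == errno.EADDRNOTAVAIL:
            return False
        if exc.errno == errno.EADDRINUSE:  # local, merely busy on that port
            return True
        raise
    finally:
        sock.close()


def hosts_entry(host, private_ip):
    """The /etc/hosts line mapping the public name to the local NIC address."""
    return f"{private_ip} {host}"


def plan_address(host, port, private_ip, hosts_text=None):
    """Return (value for --address, list of actions needed before it works).

    `private_ip` is the address of the local NIC (eth0) that the name should
    be mapped to when the public DNS answer is not bindable."""
    actions = []
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # a hostname, as it should be
    else:
        actions.append(f"{host} is an IP: the console's TLS check will fail with "
                       "'doesn't contain any IP SANs'; use the hostname from the certificate")
        return f"{host}:{port}", actions
    ip = resolve(host, hosts_text)
    if ip is None:
        actions.append(f"{host} does not resolve; add '{hosts_entry(host, private_ip)}' to /etc/hosts")
    elif not can_bind(ip):
        actions.append(f"{host} resolves to {ip}, which is not on a local interface, so MinIO "
                       f"cannot bind to it; add '{hosts_entry(host, private_ip)}' to /etc/hosts")
    return f"{host}:{port}", actions


# Constructed scenario from the post: public DNS answers with the elastic IP
# (203.0.113.10 stands in for it) while eth0 carries the private 172.31.0.171.
PUBLIC_HOSTS = "203.0.113.10 open.abc.com"
FIXED_HOSTS = "172.31.0.171 open.abc.com"

if __name__ == "__main__":
    # On the ECS itself the second run reports no actions; elsewhere 172.31.0.171
    # is not local either, and the check says so.
    for hosts in (PUBLIC_HOSTS, FIXED_HOSTS):
        address, todo = plan_address("open.abc.com", 39000, "172.31.0.171", hosts)
        print(f"--address {address}: {todo or ['ok']}")
```

On the ECS, run it with hosts_text=None so it reads the real /etc/hosts; the bind probe uses port 0, so it never collides with a running MinIO.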

Start with Docker:

docker run --network=host -dit -p 39000:39000 -p 39001:39001 --name minio \
  -v /mnt/data/miniotest/data:/data \
  -v /mnt/data/miniotest/config:/root/.minio \
  -e "MINIO_ACCESS_KEY=username" -e "MINIO_SECRET_KEY=password" \
  minio/minio server /data --address "open.abc.com:39000" --console-address ":39001"

(With --network=host the -p flags are ignored; the ports are opened directly on the host.)

Or with docker-compose (docker-compose.yml):

version: '3'
services:
  minio:
    image: minio/minio
    command: server --address "open.abc.com:39000" --console-address ":39001" /data
    ports:                  # ignored under network_mode: host, kept for reference
      - "39000:39000"
      - "39001:39001"
    extra_hosts:            # compose equivalent of docker run --add-host; DNS_1 is the page's placeholder for the domain
      - "DNS_1:172.17.0.1"
    environment:
      MINIO_ACCESS_KEY: "username"
      MINIO_SECRET_KEY: "password"
    volumes:
      - /mnt/data/miniotest/data:/data
      - /mnt/data/miniotest/config:/root/.minio
    network_mode: host