From 0741f570139a7d2bb9ac8b0da70cfdf533848818 Mon Sep 17 00:00:00 2001 From: Ravind Kumar Date: Tue, 21 Nov 2023 14:16:58 -0500 Subject: [PATCH] Quickfix: Guidance on firewall + port access --- source/administration/minio-console.rst | 10 +++++++--- source/operations/checklists/security.rst | 6 ++++++ 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/source/administration/minio-console.rst b/source/administration/minio-console.rst index 638df984..94a499eb 100644 --- a/source/administration/minio-console.rst +++ b/source/administration/minio-console.rst @@ -109,6 +109,8 @@ the MinIO Console: public internet. Specify an externally reachable hostname that resolves to the MinIO Console. +.. _minio-console-port-assignment: + Static vs Dynamic Port Assignment ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -124,21 +126,23 @@ You can select an explicit static port by passing the each MinIO Server in the deployment. For example, the following command starts a distributed MinIO deployment using -a static port assignment of ``9001`` for the MinIO Console. This deployment +a static port assignment of ``9090`` for the MinIO Console. This deployment would respond to S3 API operations on the default MinIO server port ``:9000`` -and browser access on the MinIO Console port ``:9001``. +and browser access on the MinIO Console port ``:9090``. .. code-block:: shell :class: copyable minio server https://minio-{1...4}.example.net/mnt/drive-{1...4} \ - --console-address ":9001" + --console-address ":9090" Deployments behind network routing components which require static ports for routing rules may require setting a static MinIO Console port. For example, load balancers, reverse proxies, or Kubernetes ingress may by default block or exhibit unexpected behavior with the the dynamic redirection behavior. +You must also ensure that the host system firewall grants access to the configured Console port. + .. _minio-console-play-login: Logging In 
diff --git a/source/operations/checklists/security.rst b/source/operations/checklists/security.rst index cf7f0ceb..4296123f 100644 --- a/source/operations/checklists/security.rst +++ b/source/operations/checklists/security.rst @@ -28,6 +28,12 @@ Required Steps * - :octicon:`circle` - (For Kubernetes deployments only) Configure the tenant(s) to use the selected 3rd party Identity Provider + * - :octicon:`circle` + - Grant firewall access for TCP traffic to the MinIO Server S3 API Listen Port (Default: ``9000``). + + * - :octicon:`circle` + - Grant firewall access for TCP traffic to the :ref:`MinIO Server Console Listen Port ` (Recommended Default: ``9090``). + :ref:`Encryption-at-Rest ` -------------------------------------
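Review bot: In the minio-console.rst hunk at @@ -124,21 +126,23 @@, the added sentence "You must also ensure that the host system firewall grants access to the configured Console port." does not say that it presupposes a static port. This section contrasts static and dynamic assignment, and with dynamic assignment there is no known port to allow, so I would tie the sentence to ``--console-address`` and state TCP to match the wording used in the security checklist. Two style points in the same hunk: the new line is unwrapped while the surrounding paragraphs wrap at about 80 columns, and the context line just above it still reads "the the dynamic redirection", which could be fixed in this change.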
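Review bot: In the security.rst hunk at @@ -28,6 +28,12 @@, both new checklist rows say "Grant firewall access for TCP traffic" without saying from which sources. On a security checklist I would scope each rule to the networks that need it (S3 clients or the load balancer for the API port, administrator networks for the Console port) rather than leave the rule open-ended. The Console row also labels 9090 as "Recommended Default" while the 9000 row says "Default"; as the minio-console.rst example shows, 9090 applies only when ``--console-address ":9090"`` is passed, so the row should say so or name that flag.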