From 431675e429aad9505bbf9bf50335511b04896b6c Mon Sep 17 00:00:00 2001 From: Andrea Longo Date: Fri, 9 Feb 2024 11:12:37 -0700 Subject: [PATCH] Document security header envvars and config items (#1122) New settings to configure security headers for requests returned from MinIO Console. - `Content-Security-Policy` - `Strict-Transport-Security` - `Referrer-Policy` Staged http://192.241.195.202:9000/staging/DOCS-1102/linux/reference/minio-server/settings/console.html#content-security-policy Partially addresses https://github.com/minio/docs/issues/1102 --------- Co-authored-by: Ravind Kumar --- .../minio-server/settings/console.rst | 244 ++++++++++++++++-- 1 file changed, 226 insertions(+), 18 deletions(-) diff --git a/source/reference/minio-server/settings/console.rst b/source/reference/minio-server/settings/console.rst index 9cb8fdb9..089071bd 100644 --- a/source/reference/minio-server/settings/console.rst +++ b/source/reference/minio-server/settings/console.rst @@ -24,14 +24,14 @@ The following settings control behavior for the embedded MinIO Console. MinIO Console ~~~~~~~~~~~~~ +*Optional* + .. tab-set:: .. tab-item:: Environment Variable .. envvar:: MINIO_BROWSER - *Optional* - Specify ``off`` to disable the embedded MinIO Console. .. tab-item:: Configuration Setting @@ -42,14 +42,14 @@ MinIO Console Animation ~~~~~~~~~ +*Optional* + .. tab-set:: .. tab-item:: Environment Variable .. envvar:: MINIO_BROWSER_LOGIN_ANIMATION - *Optional* - .. versionadded:: MinIO Server RELEASE.2023-05-04T21-44-30Z Specify ``off`` to disable the animated login screen for the MinIO Console. @@ -62,6 +62,8 @@ Animation Browser Redirect ~~~~~~~~~~~~~~~~ +*Optional* + .. tab-set:: .. tab-item:: Environment Variable 
@@ -81,14 +83,14 @@ Browser Redirect Browser Redirect URL ~~~~~~~~~~~~~~~~~~~~ +*Optional* + .. tab-set:: .. tab-item:: Environment Variable .. envvar:: MINIO_BROWSER_REDIRECT_URL - *Optional* - Specify the Fully Qualified Domain Name (FQDN) the MinIO Console listens for incoming connections on. If you want to host the MinIO Console exclusively from a reverse-proxy service, you must specify the hostname managed by that service. @@ -106,14 +108,14 @@ Browser Redirect URL Session Duration ~~~~~~~~~~~~~~~~ +*Optional* + .. tab-set:: .. tab-item:: Environment Variable .. envvar:: MINIO_BROWSER_SESSION_DURATION - *Optional* - .. versionadded:: MinIO Server RELEASE.2023-08-23T10-07-06Z Specify the duration of a browser session for working with the MinIO Console. @@ -135,14 +137,14 @@ Session Duration Server URL ~~~~~~~~~~ +*Optional* + .. tab-set:: .. tab-item:: Environment Variable .. envvar:: MINIO_SERVER_URL - *Optional* - Specify the Fully Qualified Domain Name (FQDN) the MinIO Console must use for connecting to the MinIO Server. The Console also uses this value for setting the root hostname when generating presigned URLs. @@ -160,14 +162,14 @@ Server URL Log Query URL ~~~~~~~~~~~~~ +*Optional* + .. tab-set:: .. tab-item:: Environment Variable .. envvar:: MINIO_LOG_QUERY_URL - *Optional* - Specify the URL of a PostgreSQL service to which MinIO writes :ref:`Audit logs `. The embedded MinIO Console provides a Log Search tool that allows querying the PostgreSQL service for collected logs. 
@@ -176,6 +178,212 @@ Log Query URL This setting does not have a configuration variable setting. Use the Environment Variable instead. +Content Security Policy +~~~~~~~~~~~~~~~~~~~~~~~ + +*Optional* + +Configure MinIO Console to generate a `Content-Security-Policy `__ header in HTTP responses. +Defaults to ``default-src 'self' 'unsafe-eval' 'unsafe-inline';`` + +.. tab-set:: + + .. tab-item:: Environment Variable + :sync: envvar + + .. envvar:: MINIO_BROWSER_CONTENT_SECURITY_POLICY + + .. code-block:: shell + :class: copyable + + set MINIO_BROWSER_CONTENT_SECURITY_POLICY="default-src 'self' 'unsafe-eval' 'unsafe-inline';" + + .. tab-item:: Configuration Setting + :sync: config + + .. mc-conf:: browser csp_policy + :delimiter: " " + + .. code-block:: shell + :class: copyable + + mc admin config set browser \ + csp_policy="default-src 'self' 'unsafe-eval' 'unsafe-inline';" \ + [ARGUMENT=VALUE ...] + + +Strict Transport Security +~~~~~~~~~~~~~~~~~~~~~~~~~ + +*Optional* + +Configure MinIO console to generate a `Strict-Transport-Security `__ header in HTTP responses. + +To generate the header, you **must** set a duration using either :envvar:`MINIO_BROWSER_HSTS_SECONDS` or :mc-conf:`~browser.hsts_seconds`. +Other HSTS settings are optional. + +.. tab-set:: + + .. tab-item:: Environment Variables + :sync: envvar + + .. envvar:: MINIO_BROWSER_HSTS_SECONDS + + The ``max_age`` the configured policy remains in effect, in seconds. + Defaults to ``0``, disabled. + You **must** configure a *non-zero* duration to enable the ``Strict-Transport-Security`` header. + + .. code-block:: shell + :class: copyable + + set MINIO_BROWSER_HSTS_SECONDS=31536000 + + .. envvar:: MINIO_BROWSER_HSTS_INCLUDE_SUB_DOMAINS + + Set to ``on`` to also apply the configured HSTS policy to all MinIO Console subdomains. + Defaults to ``off``. + + .. code-block:: shell + :class: copyable + + set MINIO_BROWSER_HSTS_INCLUDE_SUB_DOMAINS="on" + + .. 
envvar:: MINIO_BROWSER_HSTS_PRELOAD + + Set to ``on`` to direct the client browser to add the MinIO Console domain to its HSTS preload list. + Defaults to ``off``. + + .. code-block:: shell + :class: copyable + + set MINIO_BROWSER_HSTS_INCLUDE_SUB_DOMAINS="on" + + .. tab-item:: Configuration Settings + :sync: config + + The following configuration settings require a service restart to take effect. + To restart the service, use :mc-cmd:`mc admin service restart`. + + .. mc-conf:: browser hsts_seconds + :delimiter: " " + + The ``max_age`` the configured policy remains in effect, in seconds. + Defaults to ``0``, disabled. + You **must** configure a *non-zero* duration to enable the ``Strict-Transport-Security`` header. + + .. code-block:: shell + :class: copyable + + mc admin config set browser \ + hsts_seconds="31536000" \ + [ARGUMENT=VALUE ...] + + .. mc-conf:: browser hsts_include_subdomains + :delimiter: " " + + Set to ``on`` to also apply the configured HSTS policy to all MinIO Console subdomains. + Defaults to ``off``. + + .. code-block:: shell + :class: copyable + + mc admin config set browser \ + hsts_include_subdomains="on" \ + hsts_seconds="31536000" \ + [ARGUMENT=VALUE ...] + + .. mc-conf:: browser hsts_preload + :delimiter: " " + + Set to ``on`` to direct the client browser to add the MinIO Console domain to its HSTS preload list. + Defaults to ``off``. + + .. code-block:: shell + :class: copyable + + mc admin config set browser \ + hsts_preload="on" \ + hsts_seconds="31536000" \ + [ARGUMENT=VALUE ...] + + +Examples +++++++++ + +The following examples show the rendered header for the given configuration settings. +The equivalent environment variables generate the same result. +All examples use a value of ``31536000``, which is the number of seconds in a calendar year (365 days). + +``hsts_seconds`` + + .. code-block:: shell + :class: copyable + + mc admin config set ALIAS browser hsts_seconds=31536000 + + .. 
code-block:: shell + :class: copyable + + Strict-Transport-Security: max-age=31536000 + +``hsts_include_subdomains`` + + .. code-block:: shell + :class: copyable + + mc admin config set ALIAS browser hsts_seconds=31536000 hsts_include_subdomains=on + + .. code-block:: shell + :class: copyable + + Strict-Transport-Security: max-age=31536000; includeSubDomains + +``hsts_preload`` + + .. code-block:: shell + :class: copyable + + mc admin config set ALIAS browser hsts_seconds=31536000 hsts_include_subdomains=on hsts_preload=on + + .. code-block:: shell + :class: copyable + + Strict-Transport-Security: max-age=31536000; includeSubDomains; preload + + +Referrer Policy +~~~~~~~~~~~~~~~ + +*Optional* + +Configure MinIO Console to generate a `Referrer-Policy `__ header in HTTP responses. +Defaults to ``strict-origin-when-cross-origin``. + +.. tab-set:: + + .. tab-item:: Environment Variable + :sync: envvar + + .. envvar:: MINIO_BROWSER_REFERRER_POLICY + + .. code-block:: shell + :class: copyable + + set MINIO_BROWSER_REFERRER_POLICY="strict-origin-when-cross-origin" + + .. tab-item:: Configuration Setting + :sync: config + + .. mc-conf:: browser referrer_policy + :delimiter: " " + + .. code-block:: shell + + mc admin config set browser \ + referrer_policy="strict-origin-when-cross-origin" \ + [ARGUMENT=VALUE ...] + + Prometheus Settings ------------------- @@ -184,14 +392,14 @@ The following settings manage how MinIO interacts with your Prometheus service. Prometheus URL ~~~~~~~~~~~~~~ +*Optional* + .. tab-set:: .. tab-item:: Environment Variable .. envvar:: MINIO_PROMETHEUS_URL - *Optional* - Specify the URL for a Prometheus service configured to :ref:`scrape MinIO metrics `. The MinIO Console populates the :guilabel:`Dashboard` with cluster metrics using the ``minio-job`` Prometheus scraping job. 
@@ -206,14 +414,14 @@ Prometheus URL Prometheus Job ID ~~~~~~~~~~~~~~~~~ +*Optional* + .. tab-set:: .. tab-item:: Environment Variable .. envvar:: MINIO_PROMETHEUS_JOB_ID - *Optional* - Specify the custom Prometheus job ID used for :ref:`scraping MinIO metrics `. MinIO defaults to ``minio-job``. @@ -228,14 +436,14 @@ Prometheus Job ID Prometheus Auth Token ~~~~~~~~~~~~~~~~~~~~~ +*Optional* + .. tab-set:: .. tab-item:: Environment Variable .. envvar:: MINIO_PROMETHEUS_AUTH_TOKEN - *Optional* - Specify the :prometheus-docs:`basic auth token ` the Console should use to connect to a Prometheus service. For example, a basic auth token you might use could resemble the following:
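Review bot: In the `@@ -176,6 +178,212 @@` hunk, the example under `.. envvar:: MINIO_BROWSER_HSTS_PRELOAD` sets the wrong variable: it reads `set MINIO_BROWSER_HSTS_INCLUDE_SUB_DOMAINS="on"` (carried over from the block above it) and should read `set MINIO_BROWSER_HSTS_PRELOAD="on"`. Smaller points in the same hunk: the `MINIO_BROWSER_HSTS_SECONDS` and `browser hsts_seconds` descriptions say "The ``max_age`` the configured policy remains in effect" while the rendered header in the Examples block is `max-age=31536000`; suggest "The value of the ``max-age`` directive, that is, how long browsers remember the policy, in seconds." The `preload` description ("direct the client browser to add the MinIO Console domain to its HSTS preload list") overstates what the directive does: a browser does not add a domain when it sees `preload`; the directive signals that the operator consents to the domain being submitted to the browser vendors' preload list, and that submission also requires `includeSubDomains` and a `max-age` of at least one year, so the `31536000` used in the examples is the minimum for preload rather than an arbitrary value and the text should say so. The `mc admin config set browser` blocks inside the tab-items omit the `ALIAS` argument that the Examples section uses (`mc admin config set ALIAS browser ...`); the `referrer_policy` configuration code-block is the only one without `:class: copyable`; and "Configure MinIO console" under Strict Transport Security should be "MinIO Console" to match the rest of the file. Finally, the documented CSP default `default-src 'self' 'unsafe-eval' 'unsafe-inline';` permits inline script and `eval()`, which gives up most of the script-injection protection a CSP provides; a sentence explaining why the Console frontend needs those two source expressions, and advising operators who tighten the policy to confirm the Console still loads, would help readers judge whether to change the setting.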