mirror of https://github.com/minio/docs.git synced 2025-07-28 19:42:10 +03:00

Document security header envvars and config items (#1122)

New settings to configure security headers for requests returned from
MinIO Console.

- `Content-Security-Policy`
- `Strict-Transport-Security`
- `Referrer-Policy`

Staged

http://192.241.195.202:9000/staging/DOCS-1102/linux/reference/minio-server/settings/console.html#content-security-policy

Partially addresses https://github.com/minio/docs/issues/1102

---------

Co-authored-by: Ravind Kumar <ravind@min.io>
This commit is contained in:
Andrea Longo
2024-02-09 11:12:37 -07:00
committed by GitHub
parent 56661b54c2
commit 431675e429


@ -24,14 +24,14 @@ The following settings control behavior for the embedded MinIO Console.
MinIO Console MinIO Console
~~~~~~~~~~~~~ ~~~~~~~~~~~~~
*Optional*
.. tab-set:: .. tab-set::
.. tab-item:: Environment Variable .. tab-item:: Environment Variable
.. envvar:: MINIO_BROWSER .. envvar:: MINIO_BROWSER
*Optional*
Specify ``off`` to disable the embedded MinIO Console. Specify ``off`` to disable the embedded MinIO Console.
.. tab-item:: Configuration Setting .. tab-item:: Configuration Setting
@ -42,14 +42,14 @@ MinIO Console
Animation Animation
~~~~~~~~~ ~~~~~~~~~
*Optional*
.. tab-set:: .. tab-set::
.. tab-item:: Environment Variable .. tab-item:: Environment Variable
.. envvar:: MINIO_BROWSER_LOGIN_ANIMATION .. envvar:: MINIO_BROWSER_LOGIN_ANIMATION
*Optional*
.. versionadded:: MinIO Server RELEASE.2023-05-04T21-44-30Z .. versionadded:: MinIO Server RELEASE.2023-05-04T21-44-30Z
Specify ``off`` to disable the animated login screen for the MinIO Console. Specify ``off`` to disable the animated login screen for the MinIO Console.
@ -62,6 +62,8 @@ Animation
Browser Redirect Browser Redirect
~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~
*Optional*
.. tab-set:: .. tab-set::
.. tab-item:: Environment Variable .. tab-item:: Environment Variable
@ -81,14 +83,14 @@ Browser Redirect
Browser Redirect URL Browser Redirect URL
~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~
*Optional*
.. tab-set:: .. tab-set::
.. tab-item:: Environment Variable .. tab-item:: Environment Variable
.. envvar:: MINIO_BROWSER_REDIRECT_URL .. envvar:: MINIO_BROWSER_REDIRECT_URL
*Optional*
Specify the Fully Qualified Domain Name (FQDN) the MinIO Console listens for incoming connections on. Specify the Fully Qualified Domain Name (FQDN) the MinIO Console listens for incoming connections on.
If you want to host the MinIO Console exclusively from a reverse-proxy service, you must specify the hostname managed by that service. If you want to host the MinIO Console exclusively from a reverse-proxy service, you must specify the hostname managed by that service.
@ -106,14 +108,14 @@ Browser Redirect URL
Session Duration Session Duration
~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~
*Optional*
.. tab-set:: .. tab-set::
.. tab-item:: Environment Variable .. tab-item:: Environment Variable
.. envvar:: MINIO_BROWSER_SESSION_DURATION .. envvar:: MINIO_BROWSER_SESSION_DURATION
*Optional*
.. versionadded:: MinIO Server RELEASE.2023-08-23T10-07-06Z .. versionadded:: MinIO Server RELEASE.2023-08-23T10-07-06Z
Specify the duration of a browser session for working with the MinIO Console. Specify the duration of a browser session for working with the MinIO Console.
@ -135,14 +137,14 @@ Session Duration
Server URL Server URL
~~~~~~~~~~ ~~~~~~~~~~
*Optional*
.. tab-set:: .. tab-set::
.. tab-item:: Environment Variable .. tab-item:: Environment Variable
.. envvar:: MINIO_SERVER_URL .. envvar:: MINIO_SERVER_URL
*Optional*
Specify the Fully Qualified Domain Name (FQDN) the MinIO Console must use for connecting to the MinIO Server. Specify the Fully Qualified Domain Name (FQDN) the MinIO Console must use for connecting to the MinIO Server.
The Console also uses this value for setting the root hostname when generating presigned URLs. The Console also uses this value for setting the root hostname when generating presigned URLs.
@ -160,14 +162,14 @@ Server URL
Log Query URL Log Query URL
~~~~~~~~~~~~~ ~~~~~~~~~~~~~
*Optional*
.. tab-set:: .. tab-set::
.. tab-item:: Environment Variable .. tab-item:: Environment Variable
.. envvar:: MINIO_LOG_QUERY_URL .. envvar:: MINIO_LOG_QUERY_URL
*Optional*
Specify the URL of a PostgreSQL service to which MinIO writes :ref:`Audit logs <minio-logging-publish-audit-logs>`. Specify the URL of a PostgreSQL service to which MinIO writes :ref:`Audit logs <minio-logging-publish-audit-logs>`.
The embedded MinIO Console provides a Log Search tool that allows querying the PostgreSQL service for collected logs. The embedded MinIO Console provides a Log Search tool that allows querying the PostgreSQL service for collected logs.
@ -176,6 +178,212 @@ Log Query URL
This setting does not have a configuration variable setting. This setting does not have a configuration variable setting.
Use the Environment Variable instead. Use the Environment Variable instead.
Content Security Policy
~~~~~~~~~~~~~~~~~~~~~~~
*Optional*
Configure MinIO Console to generate a `Content-Security-Policy <https://en.wikipedia.org/wiki/Content_Security_Policy>`__ header in HTTP responses.
Defaults to ``default-src 'self' 'unsafe-eval' 'unsafe-inline';``
.. tab-set::
.. tab-item:: Environment Variable
:sync: envvar
.. envvar:: MINIO_BROWSER_CONTENT_SECURITY_POLICY
.. code-block:: shell
:class: copyable
set MINIO_BROWSER_CONTENT_SECURITY_POLICY="default-src 'self' 'unsafe-eval' 'unsafe-inline';"
.. tab-item:: Configuration Setting
:sync: config
.. mc-conf:: browser csp_policy
:delimiter: " "
.. code-block:: shell
:class: copyable
mc admin config set browser \
csp_policy="default-src 'self' 'unsafe-eval' 'unsafe-inline';" \
[ARGUMENT=VALUE ...]
Strict Transport Security
~~~~~~~~~~~~~~~~~~~~~~~~~
*Optional*
Configure MinIO console to generate a `Strict-Transport-Security <https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security>`__ header in HTTP responses.
To generate the header, you **must** set a duration using either :envvar:`MINIO_BROWSER_HSTS_SECONDS` or :mc-conf:`~browser.hsts_seconds`.
Other HSTS settings are optional.
.. tab-set::
.. tab-item:: Environment Variables
:sync: envvar
.. envvar:: MINIO_BROWSER_HSTS_SECONDS
The ``max_age`` the configured policy remains in effect, in seconds.
Defaults to ``0``, disabled.
You **must** configure a *non-zero* duration to enable the ``Strict-Transport-Security`` header.
.. code-block:: shell
:class: copyable
set MINIO_BROWSER_HSTS_SECONDS=31536000
.. envvar:: MINIO_BROWSER_HSTS_INCLUDE_SUB_DOMAINS
Set to ``on`` to also apply the configured HSTS policy to all MinIO Console subdomains.
Defaults to ``off``.
.. code-block:: shell
:class: copyable
set MINIO_BROWSER_HSTS_INCLUDE_SUB_DOMAINS="on"
.. envvar:: MINIO_BROWSER_HSTS_PRELOAD
Set to ``on`` to direct the client browser to add the MinIO Console domain to its HSTS preload list.
Defaults to ``off``.
.. code-block:: shell
:class: copyable
set MINIO_BROWSER_HSTS_INCLUDE_SUB_DOMAINS="on"
.. tab-item:: Configuration Settings
:sync: config
The following configuration settings require a service restart to take effect.
To restart the service, use :mc-cmd:`mc admin service restart`.
.. mc-conf:: browser hsts_seconds
:delimiter: " "
The ``max_age`` the configured policy remains in effect, in seconds.
Defaults to ``0``, disabled.
You **must** configure a *non-zero* duration to enable the ``Strict-Transport-Security`` header.
.. code-block:: shell
:class: copyable
mc admin config set browser \
hsts_seconds="31536000" \
[ARGUMENT=VALUE ...]
.. mc-conf:: browser hsts_include_subdomains
:delimiter: " "
Set to ``on`` to also apply the configured HSTS policy to all MinIO Console subdomains.
Defaults to ``off``.
.. code-block:: shell
:class: copyable
mc admin config set browser \
hsts_include_subdomains="on" \
hsts_seconds="31536000" \
[ARGUMENT=VALUE ...]
.. mc-conf:: browser hsts_preload
:delimiter: " "
Set to ``on`` to direct the client browser to add the MinIO Console domain to its HSTS preload list.
Defaults to ``off``.
.. code-block:: shell
:class: copyable
mc admin config set browser \
hsts_preload="on" \
hsts_seconds="31536000" \
[ARGUMENT=VALUE ...]
Examples
++++++++
The following examples show the rendered header for the given configuration settings.
The equivalent environment variables generate the same result.
All examples use a value of ``31536000``, which is the number of seconds in a calendar year (365 days).
``hsts_seconds``
.. code-block:: shell
:class: copyable
mc admin config set ALIAS browser hsts_seconds=31536000
.. code-block:: shell
:class: copyable
Strict-Transport-Security: max-age=31536000
``hsts_include_subdomains``
.. code-block:: shell
:class: copyable
mc admin config set ALIAS browser hsts_seconds=31536000 hsts_include_subdomains=on
.. code-block:: shell
:class: copyable
Strict-Transport-Security: max-age=31536000; includeSubDomains
``hsts_preload``
.. code-block:: shell
:class: copyable
mc admin config set ALIAS browser hsts_seconds=31536000 hsts_include_subdomains=on hsts_preload=on
.. code-block:: shell
:class: copyable
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Referrer Policy
~~~~~~~~~~~~~~~
*Optional*
Configure MinIO Console to generate a `Referrer-Policy <https://www.w3.org/TR/referrer-policy/>`__ header in HTTP responses.
Defaults to ``strict-origin-when-cross-origin``.
.. tab-set::
.. tab-item:: Environment Variable
:sync: envvar
.. envvar:: MINIO_BROWSER_REFERRER_POLICY
.. code-block:: shell
:class: copyable
set MINIO_BROWSER_REFERRER_POLICY="strict-origin-when-cross-origin"
.. tab-item:: Configuration Setting
:sync: config
.. mc-conf:: browser referrer_policy
:delimiter: " "
.. code-block:: shell
mc admin config set browser \
referrer_policy="strict-origin-when-cross-origin" \
[ARGUMENT=VALUE ...]
Prometheus Settings Prometheus Settings
------------------- -------------------
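Review bot: the code block under ``.. envvar:: MINIO_BROWSER_HSTS_PRELOAD`` is a copy-paste error, it sets ``MINIO_BROWSER_HSTS_INCLUDE_SUB_DOMAINS="on"`` instead of ``set MINIO_BROWSER_HSTS_PRELOAD="on"``; since the prose says the header is only generated with a non-zero ``MINIO_BROWSER_HSTS_SECONDS``, consider pairing both the include-subdomains and preload envvar examples with that variable, as the Configuration Settings tab already does with ``hsts_seconds="31536000"``. Three smaller points in the same hunk: the prose for ``hsts_seconds`` says "The ``max_age``", but the directive the rendered examples show is ``max-age`` (``Strict-Transport-Security: max-age=31536000``), so use the actual directive name; the ``mc admin config set browser \`` blocks in the tab bodies omit the ``ALIAS`` argument that the Examples subsection uses (``mc admin config set ALIAS browser hsts_seconds=31536000``), so make the two forms consistent; and the ``referrer_policy`` code block is the only one missing ``:class: copyable``, while the Strict Transport Security intro writes "MinIO console" where every other section uses "MinIO Console". On substance, the documented CSP default ``default-src 'self' 'unsafe-eval' 'unsafe-inline';`` permits inline scripts and ``eval``, which removes most of the script-injection protection a CSP provides; a sentence telling operators that tightening the policy must be tested against the Console's own scripts would help readers who try to harden it. Likewise, ``hsts_preload`` asks browsers to treat the domain as HTTPS-only before any visit and removal from the preload list is slow, so the ``hsts_preload`` description should note that it is a long-lived commitment to set only once the TLS deployment is stable, and ``hsts_include_subdomains`` should mention that the policy then also covers any other services served from subdomains of the Console host.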
@ -184,14 +392,14 @@ The following settings manage how MinIO interacts with your Prometheus service.
Prometheus URL Prometheus URL
~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~
*Optional*
.. tab-set:: .. tab-set::
.. tab-item:: Environment Variable .. tab-item:: Environment Variable
.. envvar:: MINIO_PROMETHEUS_URL .. envvar:: MINIO_PROMETHEUS_URL
*Optional*
Specify the URL for a Prometheus service configured to :ref:`scrape MinIO metrics <minio-metrics-collect-using-prometheus>`. Specify the URL for a Prometheus service configured to :ref:`scrape MinIO metrics <minio-metrics-collect-using-prometheus>`.
The MinIO Console populates the :guilabel:`Dashboard` with cluster metrics using the ``minio-job`` Prometheus scraping job. The MinIO Console populates the :guilabel:`Dashboard` with cluster metrics using the ``minio-job`` Prometheus scraping job.
@ -206,14 +414,14 @@ Prometheus URL
Prometheus Job ID Prometheus Job ID
~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~
*Optional*
.. tab-set:: .. tab-set::
.. tab-item:: Environment Variable .. tab-item:: Environment Variable
.. envvar:: MINIO_PROMETHEUS_JOB_ID .. envvar:: MINIO_PROMETHEUS_JOB_ID
*Optional*
Specify the custom Prometheus job ID used for :ref:`scraping MinIO metrics <minio-metrics-collect-using-prometheus>`. Specify the custom Prometheus job ID used for :ref:`scraping MinIO metrics <minio-metrics-collect-using-prometheus>`.
MinIO defaults to ``minio-job``. MinIO defaults to ``minio-job``.
@ -228,14 +436,14 @@ Prometheus Job ID
Prometheus Auth Token Prometheus Auth Token
~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~
*Optional*
.. tab-set:: .. tab-set::
.. tab-item:: Environment Variable .. tab-item:: Environment Variable
.. envvar:: MINIO_PROMETHEUS_AUTH_TOKEN .. envvar:: MINIO_PROMETHEUS_AUTH_TOKEN
*Optional*
Specify the :prometheus-docs:`basic auth token <guides/basic-auth/>` the Console should use to connect to a Prometheus service. Specify the :prometheus-docs:`basic auth token <guides/basic-auth/>` the Console should use to connect to a Prometheus service.
For example, a basic auth token you might use could resemble the following: For example, a basic auth token you might use could resemble the following: