From 975cbeb5ff670a0c4a0473a58bdecea1e73007e5 Mon Sep 17 00:00:00 2001 From: Ravind Kumar Date: Fri, 21 Jul 2023 17:41:51 -0400 Subject: [PATCH] DOCS-910: Updating proxy and console configurations (#921) --- .../setup-nginx-proxy-with-minio.rst | 64 +++++++++++++------ .../reference/minio-server/minio-server.rst | 44 +++++++------ 2 files changed, 70 insertions(+), 38 deletions(-) diff --git a/source/integrations/setup-nginx-proxy-with-minio.rst b/source/integrations/setup-nginx-proxy-with-minio.rst index a23009d2..0183dae4 100644 --- a/source/integrations/setup-nginx-proxy-with-minio.rst +++ b/source/integrations/setup-nginx-proxy-with-minio.rst @@ -33,19 +33,27 @@ There are two models for proxying requests to the MinIO Server API and the MinIO - Proxy requests to the root ``https://minio.example.net`` to the MinIO Server listening on ``https://minio.local:9000``. - - Proxy requests to the subpath ``https://minio.example.net/minio`` to the MinIO Console listening on ``https://minio.local:9001``. + - Proxy requests to the subpath ``https://minio.example.net/minio/ui`` to the MinIO Console listening on ``https://minio.local:9090``. The following location blocks provide a template for further customization in your unique environment: .. code-block:: nginx :class: copyable - upstream minio { + upstream minio_s3 { least_conn; - server minio-01.internal-domain.com; - server minio-02.internal-domain.com; - server minio-03.internal-domain.com; - server minio-04.internal-domain.com; + server minio-01.internal-domain.com:9000; + server minio-02.internal-domain.com:9000; + server minio-03.internal-domain.com:9000; + server minio-04.internal-domain.com:9000; + } + + upstream minio_console { + least_conn; + server minio-01.internal-domain.com:9090; + server minio-02.internal-domain.com:9090; + server minio-03.internal-domain.com:9090; + server minio-04.internal-domain.com:9090; } server { 
@@ -74,10 +82,11 @@ There are two models for proxying requests to the MinIO Server API and the MinIO proxy_set_header Connection ""; chunked_transfer_encoding off; - proxy_pass https://minio:9000/; # This uses the upstream directive definition to load balance + proxy_pass https://minio_s3; # This uses the upstream directive definition to load balance } - location /minio { + location /minio/ui { + rewrite ^/minio/ui/(.*) /$1 break; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; @@ -96,11 +105,16 @@ There are two models for proxying requests to the MinIO Server API and the MinIO chunked_transfer_encoding off; - proxy_pass https://minio:9001/; # This uses the upstream directive definition to load balance and assumes a static Console port of 9001 + proxy_pass https://minio_console; # This uses the upstream directive definition to load balance } } - The S3 API signature calculation algorithm does *not* support proxy schemes where you host either the MinIO Server API or Console GUI on a subpath, such as ``example.net/s3/`` or ``example.net/console/``. + The S3 API signature calculation algorithm does *not* support proxy schemes where you host the MinIO Server API such as ``example.net/s3/``. + + You must also set the following environment variables for the MinIO deployment: + + - Set :envvar:`MINIO_SERVER_URL` to the proxy host FQDN of the MinIO Server (``https://minio.example.net``) + - Set the :envvar:`MINIO_BROWSER_REDIRECT_URL` to the proxy host FQDN of the MinIO Console (``https://example.net/minio/ui``) .. tab-item:: Subdomain 
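Review bot: The new `location /minio/ui {` is a prefix match without a trailing slash, so it also catches S3 requests for objects in a bucket named `minio` whose keys begin with `ui` (for example `/minio/ui-assets/x`) and sends them to the Console upstream instead of `minio_s3`. A request for exactly `/minio/ui` does not match the added `rewrite ^/minio/ui/(.*) /$1 break;` and is forwarded with the prefix intact, which the Console may not expect. I would write the block as `location /minio/ui/ {` and, if the bare path should work, add `location = /minio/ui { return 301 /minio/ui/; }`. The location block opens in this hunk and closes in the next one.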
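Review bot: The `MINIO_BROWSER_REDIRECT_URL` example in the added bullet list, `https://example.net/minio/ui`, names a different host than the one this tab proxies, which the bullet at the top of the tab gives as `https://minio.example.net/minio/ui`. An operator who copies the example would presumably point Console redirects at a host the proxy does not serve, so the value should read `https://minio.example.net/minio/ui`. The rewritten sentence above the list also lost its qualifier; "where you host the MinIO Server API such as" should read "where you host the MinIO Server API on a subpath, such as". Both example values are URLs with a scheme and a path, so "proxy host FQDN" would be more accurate as "proxy URL".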
@@ -110,19 +124,27 @@ There are two models for proxying requests to the MinIO Server API and the MinIO - Proxy request to the subdomain ``minio.example.net`` to the MinIO Server listening on ``https://minio.local:9000`` - - Proxy requests to the subdomain ``console.example.net`` to the MinIO Console listening on ``https://minio.local:9001`` + - Proxy requests to the subdomain ``console.example.net`` to the MinIO Console listening on ``https://minio.local:9090`` The following location blocks provide a template for further customization in your unique environment: .. code-block:: nginx :class: copyable - upstream minio { + upstream minio_s3 { least_conn; - server minio-01.internal-domain.com; - server minio-02.internal-domain.com; - server minio-03.internal-domain.com; - server minio-04.internal-domain.com; + server minio-01.internal-domain.com:9000; + server minio-02.internal-domain.com:9000; + server minio-03.internal-domain.com:9000; + server minio-04.internal-domain.com:9000; + } + + upstream minio_console { + least_conn; + server minio-01.internal-domain.com:9090; + server minio-02.internal-domain.com:9090; + server minio-03.internal-domain.com:9090; + server minio-04.internal-domain.com:9090; } server { @@ -151,7 +173,7 @@ There are two models for proxying requests to the MinIO Server API and the MinIO proxy_set_header Connection ""; chunked_transfer_encoding off; - proxy_pass http://minio:9000/; # This uses the upstream directive definition to load balance + proxy_pass http://minio_s3; # This uses the upstream directive definition to load balance } } 
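Review bot: `proxy_pass http://minio_s3;` in the Subdomain tab keeps plain `http://` towards the upstream, while the bullets of the same tab describe MinIO listening on `https://minio.local:9000` and the Subpath tab uses `proxy_pass https://minio_s3;`. If MinIO has TLS enabled, the template as written will not connect. If it does not, S3 requests and Console sessions cross the internal network unencrypted. Either change the scheme to `https://` or add a comment such as `# assumes MinIO runs without TLS; use https:// when MinIO has TLS enabled`. The same applies to `proxy_pass http://minio_console/;` in the hunk at `@@ -189,9 +211,13`, which also keeps a trailing slash that the other three `proxy_pass` lines dropped. The enclosing server block starts and ends outside this hunk.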
@@ -189,9 +211,13 @@ There are two models for proxying requests to the MinIO Server API and the MinIO chunked_transfer_encoding off; - proxy_pass http://minio:9001/; # This uses the upstream directive definition to load balance and assumes a static Console port of 9001 + proxy_pass http://minio_console/; # This uses the upstream directive definition to load balance } } - The S3 API signature calculation algorithm does *not* support proxy schemes where you host either the MinIO Server API or Console GUI on a subpath, such as ``minio.example.net/s3/`` or ``console.example.net/gui``. + The S3 API signature calculation algorithm does *not* support proxy schemes where you host the MinIO Server API on a subpath, such as ``minio.example.net/s3/``. + You must also set the following environment variables for the MinIO deployment: + + - Set :envvar:`MINIO_SERVER_URL` to the proxy host FQDN of the MinIO Server (``https://minio.example.net``) + - Set the :envvar:`MINIO_BROWSER_REDIRECT_URL` to the proxy host FQDN of the MinIO Console (``https://console.example.net/``) \ No newline at end of file diff --git a/source/reference/minio-server/minio-server.rst b/source/reference/minio-server/minio-server.rst index 852f2f72..2fa81436 100644 --- a/source/reference/minio-server/minio-server.rst +++ b/source/reference/minio-server/minio-server.rst 
@@ -277,12 +277,23 @@ Core Configuration .. envvar:: MINIO_CONFIG_ENV_FILE Specifies the full path to the file the MinIO server process uses for loading environment variables. + + For ``systemd``-managed files, setting this value to the environment file allows MinIO to reload changes to that file on using :mc-cmd:`mc admin service restart` to restart the deployment. .. envvar:: MINIO_ILM_EXPIRY_WORKERS Specifies the number of workers to make available to expire objects configured with ILM rules for expiration. When not set, MinIO defaults to using up to half of the available processing cores available. + +.. envvar:: MINIO_DOMAIN + + Set to the Fully Qualified Domain Name (FQDN) MinIO accepts Bucket DNS (Virtual Host)-style requests on. + + For example, setting ``MINIO_DOMAIN=minio.example.net`` directs MinIO to accept an incoming connection request the ``data`` bucket at ``data.minio.example.net``. + + If this setting is omitted, the default is to only accept path-style requests. For example, ``minio.example.net/data``. + Root Credentials ~~~~~~~~~~~~~~~~ 
@@ -432,32 +443,27 @@ MinIO Console: *Optional* - Specify the URL the MinIO Console provides as the redirect URL to the - configured :ref:`external identity manager - `. - - This variable may be necessary for MinIO deployments behind a reverse - proxy, load balancer, or similar technology where the internal - hostname or IP structure is not reachable from the external network. - - For example, consider a MinIO deployment behind a proxy where - ``https://minio.example.net`` redirects to the MinIO deployment on port - ``:9000`` and ``https://console.minio.example.net`` redirects to the - MinIO Console on port ``:9001``. + Specify the Fully Qualified Domain Name (FQDN) the MinIO Console listens for incoming connections on. - By default, the MinIO Console use its *internal* hostname as part of the - request. Set this variable to ``https://console.minio.example.net`` to ensure - the external identity provider has a reachable URL to which to send the - authentication response. + If you want to host the MinIO Console exclusively from a reverse-proxy service, you must specify the hostname managed by that service. + + For example, consider a reverse proxy configured to route ``https://example.net/minio/`` to the MinIO Console. + You must set this environment variable to match that hostname for the Console to both listen and respond to requests using that hostname. + + If you omit this variable, the Console listens and responds to all IP addresses or hostnames associated to the host machine on which the MinIO Server runs. .. envvar:: MINIO_SERVER_URL *Optional* - Specify the Fully Qualified Domain Name (FQDN) the MinIO Console should use for connecting to the MinIO Server. + Specify the Fully Qualified Domain Name (FQDN) the MinIO Console must use for connecting to the MinIO Server. + The Console also uses this value for setting the root hostname when generating presigned URLs. 
- This variable is typically only necessary when the MinIO Server TLS certificates do not contain an IP Subject Alternative Name (SAN) for the MinIO Server. - Since the Console uses the MinIO Server IP by default, the Console may fail to connect due to the TLS certificate not having the necessary IP listed as a SAN. + This setting may be required if: + + - The MinIO Server uses a TLS certificate that does not include the host local IP(s) in the certificate Subject Alternative Name (SAN) *or* + + - The Console must use a specific hostname to connect or reference the MinIO Server, e.g. due to a reverse proxy or similar configuration. Key Management Service and Encryption ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
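Review bot: The new `MINIO_BROWSER_REDIRECT_URL` description calls the value a Fully Qualified Domain Name, but its own example (`https://example.net/minio/`) and the value in the NGINX page changed by this same commit (`https://example.net/minio/ui`) are full URLs with a scheme and a path, and the two paths disagree. I would word it as "Specify the URL, including the scheme and any subpath, that clients use to reach the MinIO Console" and use `https://example.net/minio/ui` in the example so both pages match. The rewrite also removes the only statement that the Console gives this URL to an external identity provider as the redirect target. If that behaviour still holds, keep one sentence about it, because a value that does not match the address registered with the identity provider would break single sign-on logins.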