Configuring HTTPs for Minio through nginx

din14970 · 4 May 2023 09:00

I use nginx to redirect easy to remember domains to services on the raspberry pi, for example filebrowser.rpi4.home.local, gitea.rpi4.home.local, nextcloud.rpi4.home.local, etc. I also have a self-signed certificate for the *.rpi4.home.local and rpi4.home.local names, which I use on all these services to set up an https connection. A typical configuration block might look like:

server {
    server_name gitea.rpi4.home.local;

    location / {
        proxy_pass       http://127.0.0.1:3000;
        proxy_set_header Host      $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    listen [::]:443 ssl;
    listen 443 ssl;
    include snippets/self-signed.conf;
}

I have to modify this a bit depending on how the service is typically accessed; e.g. for nextcloud it looks a bit different.

I’m trying to do a similar thing for minio, but run into the issue that accessing the service on port 9000 actually redirects to some random port >30000 after a 307 internal redirect. The 307 redirect actually brings me back to using http. I’ve tried using this “real” port in the nginx configuration for proxy_pass instead of 9000 which works to keep my https connection. However it seems this port changes periodically so the configuration stops working after a while.

Is there a way to set up nginx so that I can access minio through https with minio.rpi4.home.local, i.e. deal with the 307 redirect? I’ve looked into this obcure post: How to make Nginx redirect 301 302 307 to new URL on same server - Server Fault and tried something similar myself:

server {
    server_name minio.rpi4.home.local;

    listen [::]:443 ssl;
    listen 443 ssl;
    include snippets/self-signed.conf;

    location / {
        proxy_pass http://127.0.0.1:9000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        proxy_intercept_errors on;
        error_page 301 302 307 = @handle_redirects;
    }

    location @handle_redirects {
        set $minio_port 38991;
        proxy_pass http://127.0.0.1:$minio_port;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}

Then the idea would be to try to capture the port from the Location header somehow in the first request and use it in the handle_redirect but I haven’t figured out how to do that yet. Still, just hardcoding the current port doesn’t work and I get a black page with some broken links. If I check the console, a bunch of 403 errors.

Anyways, any ideas on what could be done? Maybe there is just a way to fix the port for the minio web page? Thanks in advance.

Joulinar · 4 May 2023 09:18

did you checked MinIO docs? Configure NGINX Proxy for MinIO Server — MinIO Object Storage for Linux

Maybe better to ask this kind of question to MinIO on how to setup revers proxy for their application.

din14970 · 4 May 2023 11:41

Yes, I looked at the Minio docs but unfortunately what they propose doesn’t work for my case. I’ve also deployed minio on other systems with docker and have never noticed such a port switch. My gut feeling, which is of course not much to go off of, is that this is something specific to the way minio is deployed on dietpi, which is why I posed the question here.

din14970 · 4 May 2023 12:12

I think this is the relevant bit of documentation: MinIO Console — MinIO Object Storage for Linux. The console itself is assigned a random port on each startup. So probably on each update, the services are killed and restarted, meaning that a new port is selected. An easy solution would be if the console would always start on a fixed port.

Joulinar · 4 May 2023 12:22

yes seems to be a behavior of Minio. You would need to add following to /etc/default/minio

MINIO_OPTS="--console-address :9001"

This should fix console access to port 9001

Jappe · 4 May 2023 12:23

From your link:

MinIO by default selects a random port for the MinIO Console on each server startup

and:

You can select an explicit static port by passing the minio server --console-address commandline option when starting each MinIO Server in the deployment.

din14970 · 4 May 2023 12:38

Yep I found the answer in the source code:DietPi/dietpi-software at 9c701dd8e3349694d7d83a6aa8c62cb9fb303b6a · MichaIng/DietPi · GitHub but also @Joulinar confirms it. Basically editing /etc/default/minio allows me to fix the port to one value after restarting the service, which makes it easy to configure nginx. Thanks a lot all!

Joulinar · 4 May 2023 13:36

Just to avoid a missunderstanding. This is a behavoir of MinIO themself and not something related to DietPi. But maybe we should setup a fixed console port 9001 be default

Not sure what the benefit of the random port should be.

Joulinar · 4 May 2023 18:46

PR up to have it included on next release DietPi-Software | MinIO: Use fixed web UI port and solve conflict with LMS by Joulinar · Pull Request #6364 · MichaIng/DietPi · GitHub