Minio+Nginx+Docker: console login returns 401, how can this be solved?

2022-08-18 11:42:55 +08:00
 zliea

Deployment method

Minio+Nginx+Docker

Symptom and analysis

After going through the NGINX proxy, the console cannot be logged in to; the login returns 401 "invalid Login".

Suspected cause: MinIO's certificate must contain the IP.

I tried the configuration below,

but the problem persists. The Nginx certificates are all wildcard certificates.

Configuration files

1. Minio configuration

```
services:
  minio:
    image: minio/minio:RELEASE.2022-08-08T18-34-09Z
    container_name: minio
    restart: always
    expose:
    - 9000
    - 9001
    environment:
    - MINIO_ROOT_USER=[username]
    - MINIO_ROOT_PASSWORD=[password]
    - MINIO_DOMAIN=[minio domain]
    - MINIO_BROWSER_REDIRECT_URL=https://[minio console domain]
    - MINIO_SERVER_URL=https://[minio domain]
    volumes:
    - /work/minio/conf:/root/.minio
    - /work/minio/data:/data
    command: server /data --console-address ":9001"
```

2. Nginx configuration (minio)
The *.[minio domain] server block is there for Synology sync.

```
server {
    listen       443  ssl  http2;
    server_name  [minio domain];

    charset       utf-8;
    server_tokens off;

    access_log    logs/[minio domain].log  main;

    ssl_certificate            ssl/[minio domain]/fullchain.pem;
    ssl_certificate_key        ssl/[minio domain]/privkey.pem;

    ssl_protocols              TLSv1.2 TLSv1.3;
    ssl_ciphers                "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";
    ssl_prefer_server_ciphers  on;

    ssl_stapling               on;
    ssl_stapling_verify        on;
    ssl_trusted_certificate    ssl/[minio domain]/chain.pem;

    ssl_session_cache          shared:le_nginx_SSL:1m;
    ssl_session_timeout        10m;

    ssl_session_tickets        on;

    add_header  X-Frame-Options "DENY";
    add_header  X-Content-Type-Options nosniff;
    # add_header  Content-Security-Policy    "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'";
    add_header  X-XSS-Protection "1; mode=block";
    add_header  Referrer-Policy "origin";
    add_header  Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    proxy_set_header  Host                $http_host;
    proxy_set_header  X-Real-IP           $remote_addr;
    proxy_set_header  X-Forwarded-Proto   $scheme;
    proxy_set_header  X-Forwarded-Server  $host;
    proxy_set_header  X-Forwarded-Host    $host:$server_port;
    proxy_set_header  X-Forwarded-For     $proxy_add_x_forwarded_for;

    proxy_connect_timeout  3s;
    proxy_read_timeout     15s;

    client_max_body_size       0;
    chunked_transfer_encoding  off;

    ignore_invalid_headers off;

    proxy_buffering off;
    proxy_request_buffering off;

    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_pass  https://minios/;
    }

}
```

```
server {
    listen       443  ssl  http2;
    server_name  *.[minio domain];

    charset       utf-8;
    server_tokens off;

    access_log    logs/[minio domain].log  main;

    ssl_certificate            ssl/[minio domain]/fullchain.pem;
    ssl_certificate_key        ssl/[minio domain]/privkey.pem;

    ssl_protocols              TLSv1.2 TLSv1.3;
    ssl_ciphers                "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";
    ssl_prefer_server_ciphers  on;

    ssl_stapling               on;
    ssl_stapling_verify        on;
    ssl_trusted_certificate    ssl/[minio domain]/chain.pem;

    ssl_session_cache          shared:le_nginx_SSL:1m;
    ssl_session_timeout        10m;

    ssl_session_tickets        on;

    add_header  X-Frame-Options "DENY";
    add_header  X-Content-Type-Options nosniff;
    # add_header  Content-Security-Policy    "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'";
    add_header  X-XSS-Protection "1; mode=block";
    add_header  Referrer-Policy "origin";
    add_header  Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    proxy_set_header  Host                $http_host;
    proxy_set_header  X-Real-IP           $remote_addr;
    proxy_set_header  X-Forwarded-Proto   $scheme;
    proxy_set_header  X-Forwarded-Server  $host;
    proxy_set_header  X-Forwarded-Host    $host:$server_port;
    proxy_set_header  X-Forwarded-For     $proxy_add_x_forwarded_for;

    proxy_connect_timeout  3s;
    proxy_read_timeout     15s;

    client_max_body_size       0;
    chunked_transfer_encoding  off;

    ignore_invalid_headers off;

    proxy_buffering off;
    proxy_request_buffering off;

    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_pass  https://minios/;
    }

}
```

3. Nginx configuration (minio console)

```
server {
    listen       443  ssl  http2;
    server_name  [minio console domain];

    charset       utf-8;
    server_tokens off;

    access_log    logs/[minio console domain].log  main;

    ssl_certificate            ssl/[minio console domain]/fullchain.pem;
    ssl_certificate_key        ssl/[minio console domain]/privkey.pem;

    ssl_protocols              TLSv1.2 TLSv1.3;
    ssl_ciphers                "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";
    ssl_prefer_server_ciphers  on;

    ssl_stapling               on;
    ssl_stapling_verify        on;
    ssl_trusted_certificate    ssl/[minio console domain]/chain.pem;

    ssl_session_cache          shared:le_nginx_SSL:1m;
    ssl_session_timeout        10m;

    ssl_session_tickets        on;

    add_header  X-Frame-Options "DENY";
    add_header  X-Content-Type-Options nosniff;
    # add_header  Content-Security-Policy    "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'";
    add_header  X-XSS-Protection "1; mode=block";
    add_header  Referrer-Policy "origin";
    add_header  Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    proxy_set_header  Host                $http_host;
    proxy_set_header  X-Real-IP           $remote_addr;
    proxy_set_header  X-Forwarded-Proto   $scheme;
    proxy_set_header  X-Forwarded-Server  $host;
    proxy_set_header  X-Forwarded-Host    $host:$server_port;
    proxy_set_header  X-Forwarded-For     $proxy_add_x_forwarded_for;

    proxy_connect_timeout  3s;
    proxy_read_timeout     15s;

    client_max_body_size       0;
    chunked_transfer_encoding  off;

    ignore_invalid_headers off;

    proxy_buffering off;
    proxy_request_buffering off;

    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header X-NginX-Proxy true;

        proxy_pass  https://minioc/;
    }

}
```

If this cannot be achieved with MinIO, could you experts suggest another self-hostable object storage product? The requirements are as follows

3173 clicks
Node: Programmers
13 replies
photon006
2022-08-18 11:50:01 +08:00
MinIO doesn't need a certificate; configuring the certificate on nginx is enough. This is how I do it:

```
docker run \
-d --name minio \
--restart=always \
-p 9000:9000 \
-p 9001:9001 \
-v /dev/sda1/minio:/data \
-e TZ=Asia/Shanghai \
-e MINIO_ROOT_USER=admin \
-e MINIO_ROOT_PASSWORD=pwd \
-e MINIO_SERVER_URL=https://minio-api.example.com/ \
minio/minio server /data --address :9000 --console-address :9001
```
SenLief
2022-08-18 11:52:53 +08:00
I use docker:

```
docker run -p 9000:9000 -p 9090:9090 \
--net=host \
--name minio \
-d --restart=always \
-e "MINIO_ACCESS_KEY=admin" \
-e "MINIO_SECRET_KEY=p8HhVAqjp" \
-v ~/minio/data:/data \
-v ~/minio/config:/root/.minio \
minio/minio server \
/data --console-address ":9090" -address ":9000"
```

With this config, the front-end reverse proxy is nginx, proxying 9000 and 9090.
zliea
2022-08-18 11:58:55 +08:00
@photon006 With nginx reverse-proxying, can the console's share links be public-network links?
zliea
2022-08-18 12:05:52 +08:00
@photon006 After adding MINIO_SERVER_URL, the reverse-proxied console can no longer log in.
photon006
2022-08-18 13:48:50 +08:00
@zliea Use two subdomains in nginx, reverse-proxying the API and the admin UI separately, for example:

```
# admin UI
server_name minio.example.com;
location / {
    proxy_pass http://10.13.1.27:9001;
}

# API for program calls and shared links
server_name minio-api.example.com;
location / {
    proxy_pass http://10.13.1.27:9000;
}
```

You already have a wildcard certificate, so it's easy to configure.
fuxinya
2022-08-18 13:58:03 +08:00
Startup (the bitnami rootless image is recommended):
```
docker run --network app -hminio -d --name minio --restart=unless-stopped \
-p 9000:9000 -p 9001:9001 \
-e "MINIO_ROOT_USER=minio" \
-e "MINIO_ROOT_PASSWORD=xxxx" \
-e "MINIO_API_PORT_NUMBER=9000" \
-e "MINIO_CONSOLE_PORT_NUMBER=9001" \
-v /path/to/minio/data:/data \
bitnami/minio:2022.5.8
```
Nginx configuration (the certificate is configured on nginx):
```
location / {
proxy_pass http://127.0.0.1:9001;
}
```
yimiaoxiehou
2022-08-18 17:29:29 +08:00
Use the bitnami image, then change MINIO_SERVER_HOST and it should work:

```
docker run --rm --name minio-client \
--env MINIO_SERVER_HOST="my.minio.domain" \
--env MINIO_SERVER_ACCESS_KEY="minio-access-key" \
--env MINIO_SERVER_SECRET_KEY="minio-secret-key" \
bitnami/minio-client \
mb minio/my-bucket
```
yimiaoxiehou
2022-08-18 17:29:47 +08:00
@yimiaoxiehou Then put another layer of nginx https in front of it.
loveyu
2022-08-18 18:22:30 +08:00
I ran into exactly the same problem recently. "invalid Login" is caused by MinIO being unable to access MINIO_SERVER_URL=https://[minio domain] from inside; just make sure it is directly reachable from inside docker.
blankmiss
2022-11-12 21:57:53 +08:00
I've run into the same problem as you. Is there a solution yet?
zliea
2022-11-14 09:12:09 +08:00
@blankmiss

```
services:
  minio:
    image: minio/minio:RELEASE.XXX
    container_name: minio
    hostname: minio.yourdomain.com
    restart: always
    expose:
      - 443
      - 9001
    environment:
      - MINIO_ROOT_USER=yourusername
      - MINIO_ROOT_PASSWORD=yourpassword
      - MINIO_DOMAIN=minio.yourdomain.com
      - MINIO_BROWSER_REDIRECT_URL=https://minio-console.yourdomain.com/
      - MINIO_SERVER_URL=https://minio.yourdomain.com/
    volumes:
      - /work/minio/conf:/root/.minio # https certificates; must cover minio.yourdomain.com, minio-console.yourdomain.com, *.minio.yourdomain.com
      - /work/minio/data:/data
    command: server /data --address ":443" --console-address ":9001"
    networks:
      net_app:
        aliases: # to support bucket-domain access; so far I only found manual addition, a private DNS could be used instead.
          - bucketA.minio.yourdomain.com
          - bucketB.minio.yourdomain.com
```
blankmiss
2022-11-15 19:56:49 +08:00
@zliea When reverse proxying, requesting a file link returns an error.
Viewing images and previewing files in the admin console also gives Access Denied.
```
{"code":500,"detailedMessage":"Access Denied.","message":"an error occurred, please try again"}
```

```
location ^~ /
{
    proxy_pass http://127.0.0.1:9000;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header REMOTE-HOST $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    add_header X-Cache $upstream_cache_status;
    proxy_connect_timeout 300;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    chunked_transfer_encoding off;
}
```
This is my reverse proxy configuration, written following the official site.
wangbin11
294 days ago
I'm using an internal self-signed certificate; is there a way to make minio trust it? It is reachable from inside the container, {"message":"invalid Login"}
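An added pre-flight check (not from the thread or from MinIO) that operationalises loveyu's diagnosis, that MinIO must reach its own MINIO_SERVER_URL from inside the container network, and the self-signed case wangbin11 asks about: it reports which stage fails, DNS, TCP connect, or TLS verification of the hostname. It assumes Python 3.7+ standard library only; the hostnames and addresses in the comments are placeholders.

```python
"""Pre-flight check for the 'invalid Login' symptom: MinIO must resolve and reach
its own MINIO_SERVER_URL from inside the container network, and the certificate
it meets there must cover that hostname."""
import socket
import ssl
from urllib.parse import urlsplit

def parse_server_url(url):
    """Split MINIO_SERVER_URL into (scheme, host, port), default ports filled in."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError(f"unsupported MINIO_SERVER_URL: {url!r}")
    return p.scheme, p.hostname, p.port or (443 if p.scheme == "https" else 80)

def tcp_probe(ip, port, host=None, ca_file=None):
    """Plain TCP connect for http:// URLs; raises OSError when unreachable."""
    with socket.create_connection((ip, port), timeout=5):
        return None

def tls_probe(ip, port, host, ca_file=None):
    """TLS handshake with chain and hostname verification, like MinIO's own client.
    ca_file: an extra CA to trust (internal self-signed CA case; MinIO itself loads
    such CAs from ~/.minio/certs/CAs/)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def diagnose(url, resolve=socket.gethostbyname, probe=None, ca_file=None):
    """Return (stage, detail) with stage in 'dns', 'connect', 'tls', 'ok'.
    resolve and probe are injectable so the logic can be exercised offline."""
    scheme, host, port = parse_server_url(url)
    try:
        ip = resolve(host)
    except OSError as e:
        return "dns", f"{host} does not resolve inside the container: {e}"
    probe = probe or (tls_probe if scheme == "https" else tcp_probe)
    try:
        probe(ip, port, host, ca_file)
    except ssl.SSLError as e:  # untrusted CA, or the SAN does not cover host
        return "tls", f"certificate at {ip}:{port} rejected for {host}: {e}"
    except OSError as e:       # refused, timed out, no route
        return "connect", f"{host} -> {ip}:{port} unreachable: {e}"
    return "ok", f"{host} -> {ip}:{port} reachable over {scheme}"

if __name__ == "__main__":
    import os
    print(diagnose(os.environ["MINIO_SERVER_URL"], ca_file=os.environ.get("MINIO_CA_FILE")))
```

Run it from a container attached to the same Docker network as MinIO (placeholder names: `docker run --rm --network net_app -e MINIO_SERVER_URL=https://minio.yourdomain.com/ -v ./check.py:/check.py python:3 python /check.py`); a "dns" verdict matches loveyu's case, a "tls" verdict matches the certificate and self-signed cases.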

https://www.v2ex.com/t/873692