Minio+Nginx+Docker
通过 NGINX 代理后无法登陆控制台,登录返回 401 "invalid Login"。
怀疑点:minio 的证书必须包含 ip
尝试如下的配置
但问题依旧,Nginx 证书这里都是使用的泛域名证书。
1. Minio 配置
services:
minio:
image: minio/minio:RELEASE.2022-08-08T18-34-09Z
container_name: minio
restart: always
expose:
- 9000
- 9001
environment:
- MINIO_ROOT_USER=[username]
- MINIO_ROOT_PASSWORD=[password]
- MINIO_DOMAIN=[minio domain]
- MINIO_BROWSER_REDIRECT_URL=https://[minio console domain]
- MINIO_SERVER_URL=https://[minio domain]
volumes:
- /work/minio/conf:/root/.minio
- /work/minio/data:/data
command: server /data --console-address ":9001"
2. Nginx 配置( minio )
其中*.[minio domain]是为了群晖同步使用
server {
listen 443 ssl http2;
server_name [minio domain];
charset utf-8;
server_tokens off;
access_log logs/[minio domain].log main;
ssl_certificate ssl/[minio domain]/fullchain.pem;
ssl_certificate_key ssl/[minio domain]/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate ssl/[minio domain]/chain.pem;
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 10m;
ssl_session_tickets on;
add_header X-Frame-Options "DENY";
add_header X-Content-Type-Options nosniff;
# add_header Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'";
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "origin";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 3s;
proxy_read_timeout 15s;
client_max_body_size 0;
chunked_transfer_encoding off;
ignore_invalid_headers off;
proxy_buffering off;
proxy_request_buffering off;
location / {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass https://minios/;
}
}
server {
listen 443 ssl http2;
server_name *.[minio domain];
charset utf-8;
server_tokens off;
access_log logs/[minio domain].log main;
ssl_certificate ssl/[minio domain]/fullchain.pem;
ssl_certificate_key ssl/[minio domain]/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate ssl/[minio domain]/chain.pem;
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 10m;
ssl_session_tickets on;
add_header X-Frame-Options "DENY";
add_header X-Content-Type-Options nosniff;
# add_header Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'";
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "origin";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 3s;
proxy_read_timeout 15s;
client_max_body_size 0;
chunked_transfer_encoding off;
ignore_invalid_headers off;
proxy_buffering off;
proxy_request_buffering off;
location / {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass https://minios/;
}
}
3. Nginx 配置( minio 控制台)
server {
listen 443 ssl http2;
server_name [minio console domain];
charset utf-8;
server_tokens off;
access_log logs/[minio console domain].log main;
ssl_certificate ssl/[minio console domain]/fullchain.pem;
ssl_certificate_key ssl/[minio console domain]/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate ssl/[minio console domain]/chain.pem;
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 10m;
ssl_session_tickets on;
add_header X-Frame-Options "DENY";
add_header X-Content-Type-Options nosniff;
# add_header Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'";
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "origin";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 3s;
proxy_read_timeout 15s;
client_max_body_size 0;
chunked_transfer_encoding off;
ignore_invalid_headers off;
proxy_buffering off;
proxy_request_buffering off;
location / {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-NginX-Proxy true;
proxy_pass https://minioc/;
}
}
这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。
V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。
V2EX is a community of developers, designers and creative people.