MinIO + Nginx + Docker: console login returns 401, how do I fix it?

zliea · 109 days ago · 1130 views
This topic was created 109 days ago; the information in it may have developed or changed since.

Deployment

MinIO + Nginx + Docker

Symptoms and analysis

After proxying through NGINX I cannot log in to the console; the login returns 401 "invalid Login".

Suspicion: the MinIO certificate has to include the IP.

I tried the following configurations:

• MinIO without a certificate
• MinIO with a self-signed certificate
• copying the Nginx certificate into MinIO

The problem persists. The Nginx certificates are all wildcard certificates.

Configuration files

1. MinIO configuration

    services:
      minio:
        image: minio/minio:RELEASE.2022-08-08T18-34-09Z
        container_name: minio
        restart: always
        expose:
        - 9000
        - 9001
        environment:
        - MINIO_ROOT_USER=[username]
        - MINIO_ROOT_PASSWORD=[password]
        - MINIO_DOMAIN=[minio domain]
        - MINIO_BROWSER_REDIRECT_URL=https://[minio console domain]
        - MINIO_SERVER_URL=https://[minio domain]
        volumes:
        - /work/minio/conf:/root/.minio
        - /work/minio/data:/data
        command: server /data --console-address ":9001"
    

2. Nginx configuration (MinIO)
The *.[minio domain] server block is there for Synology sync.

    server {
        listen       443  ssl  http2;
        server_name  [minio domain];
    
        charset       utf-8;
        server_tokens off;
    
        access_log    logs/[minio domain].log  main;
    
        ssl_certificate            ssl/[minio domain]/fullchain.pem;
        ssl_certificate_key        ssl/[minio domain]/privkey.pem;
    
        ssl_protocols              TLSv1.2 TLSv1.3;
        ssl_ciphers                "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";
        ssl_prefer_server_ciphers  on;
    
        ssl_stapling               on;
        ssl_stapling_verify        on;
        ssl_trusted_certificate    ssl/[minio domain]/chain.pem;
    
        ssl_session_cache          shared:le_nginx_SSL:1m;
        ssl_session_timeout        10m;
    
        ssl_session_tickets        on;
    
        add_header  X-Frame-Options "DENY";
        add_header  X-Content-Type-Options nosniff;
        # add_header  Content-Security-Policy    "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'";
        add_header  X-XSS-Protection "1; mode=block";
        add_header  Referrer-Policy "origin";
        add_header  Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    
        proxy_set_header  Host                $http_host;
        proxy_set_header  X-Real-IP           $remote_addr;
        proxy_set_header  X-Forwarded-Proto   $scheme;
        proxy_set_header  X-Forwarded-Server  $host;
        proxy_set_header  X-Forwarded-Host    $host:$server_port;
        proxy_set_header  X-Forwarded-For     $proxy_add_x_forwarded_for;
    
        proxy_connect_timeout  3s;
        proxy_read_timeout     15s;
    
        client_max_body_size       0;
        chunked_transfer_encoding  off;
    
        ignore_invalid_headers off;
    
        proxy_buffering off;
        proxy_request_buffering off;
    
        location / {
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
    
            proxy_pass  https://minios/;
        }
    
    }
    
    server {
        listen       443  ssl  http2;
        server_name  *.[minio domain];
    
        charset       utf-8;
        server_tokens off;
    
        access_log    logs/[minio domain].log  main;
    
        ssl_certificate            ssl/[minio domain]/fullchain.pem;
        ssl_certificate_key        ssl/[minio domain]/privkey.pem;
    
        ssl_protocols              TLSv1.2 TLSv1.3;
        ssl_ciphers                "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";
        ssl_prefer_server_ciphers  on;
    
        ssl_stapling               on;
        ssl_stapling_verify        on;
        ssl_trusted_certificate    ssl/[minio domain]/chain.pem;
    
        ssl_session_cache          shared:le_nginx_SSL:1m;
        ssl_session_timeout        10m;
    
        ssl_session_tickets        on;
    
        add_header  X-Frame-Options "DENY";
        add_header  X-Content-Type-Options nosniff;
        # add_header  Content-Security-Policy    "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'";
        add_header  X-XSS-Protection "1; mode=block";
        add_header  Referrer-Policy "origin";
        add_header  Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    
        proxy_set_header  Host                $http_host;
        proxy_set_header  X-Real-IP           $remote_addr;
        proxy_set_header  X-Forwarded-Proto   $scheme;
        proxy_set_header  X-Forwarded-Server  $host;
        proxy_set_header  X-Forwarded-Host    $host:$server_port;
        proxy_set_header  X-Forwarded-For     $proxy_add_x_forwarded_for;
    
        proxy_connect_timeout  3s;
        proxy_read_timeout     15s;
    
        client_max_body_size       0;
        chunked_transfer_encoding  off;
    
        ignore_invalid_headers off;
    
        proxy_buffering off;
        proxy_request_buffering off;
    
        location / {
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
    
            proxy_pass  https://minios/;
        }
    
    }
    

3. Nginx configuration (MinIO console)

    server {
        listen       443  ssl  http2;
        server_name  [minio console domain];
    
        charset       utf-8;
        server_tokens off;
    
        access_log    logs/[minio console domain].log  main;
    
        ssl_certificate            ssl/[minio console domain]/fullchain.pem;
        ssl_certificate_key        ssl/[minio console domain]/privkey.pem;
    
        ssl_protocols              TLSv1.2 TLSv1.3;
        ssl_ciphers                "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";
        ssl_prefer_server_ciphers  on;
    
        ssl_stapling               on;
        ssl_stapling_verify        on;
        ssl_trusted_certificate    ssl/[minio console domain]/chain.pem;
    
        ssl_session_cache          shared:le_nginx_SSL:1m;
        ssl_session_timeout        10m;
    
        ssl_session_tickets        on;
    
        add_header  X-Frame-Options "DENY";
        add_header  X-Content-Type-Options nosniff;
        # add_header  Content-Security-Policy    "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'";
        add_header  X-XSS-Protection "1; mode=block";
        add_header  Referrer-Policy "origin";
        add_header  Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    
        proxy_set_header  Host                $http_host;
        proxy_set_header  X-Real-IP           $remote_addr;
        proxy_set_header  X-Forwarded-Proto   $scheme;
        proxy_set_header  X-Forwarded-Server  $host;
        proxy_set_header  X-Forwarded-Host    $host:$server_port;
        proxy_set_header  X-Forwarded-For     $proxy_add_x_forwarded_for;
    
        proxy_connect_timeout  3s;
        proxy_read_timeout     15s;
    
        client_max_body_size       0;
        chunked_transfer_encoding  off;
    
        ignore_invalid_headers off;
    
        proxy_buffering off;
        proxy_request_buffering off;
    
        location / {
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
    
            proxy_set_header X-NginX-Proxy true;
    
            proxy_pass  https://minioc/;
        }
    
    }
    

If this cannot be done with MinIO, could someone recommend another self-hosted object storage product? Requirements:

• self-hosted
• Docker deployment
• S3-compatible
• built-in console for uploading and downloading files
• HTTPS provided by Nginx
• works with Synology sync (i.e. supports bucket.domain style access and HTTPS)
Addendum 1 · 21 days ago
Not a perfect solution: bucket-domain access has to be set up by hand.

    services:
      minio:
        image: minio/minio:RELEASE.XXX
        container_name: minio
        hostname: minio.yourdomain.com
        restart: always
        expose:
        - 443
        - 9001
        environment:
        - MINIO_ROOT_USER=yourusername
        - MINIO_ROOT_PASSWORD=yourpassword
        - MINIO_DOMAIN=minio.yourdomain.com
        - MINIO_BROWSER_REDIRECT_URL=https://minio-console.yourdomain.com/
        - MINIO_SERVER_URL=https://minio.yourdomain.com/
        volumes:
        - /work/minio/conf:/root/.minio # HTTPS certificate; must cover minio.yourdomain.com, minio-console.yourdomain.com and *.minio.yourdomain.com
        - /work/minio/data:/data
        command: server /data --address ":443" --console-address ":9001"
        networks:
          net_app:
            aliases: # for bucket-domain access; so far I have only found adding them by hand, a private DNS would also work
            - bucketA.minio.yourdomain.com
            - bucketB.minio.yourdomain.com
12 replies · 2022-11-15 19:56:49 +08:00
#1 photon006 · 109 days ago · ❤️ 1
MinIO does not need a certificate; just configure the certificate on nginx. This is how I do it:

    ```
    docker run \
    -d --name minio \
    --restart=always \
    -p 9000:9000 \
    -p 9001:9001 \
    -v /dev/sda1/minio:/data \
    -e TZ=Asia/Shanghai \
    -e MINIO_ROOT_USER=admin \
    -e MINIO_ROOT_PASSWORD=pwd \
    -e MINIO_SERVER_URL=https://minio-api.example.com/ \
    minio/minio server /data --address :9000 --console-address :9001
    ```
#2 SenLief · 109 days ago
I use docker:

    docker run -p 9000:9000 -p 9090:9090 \
    --net=host \
    --name minio \
    -d --restart=always \
    -e "MINIO_ACCESS_KEY=admin" \
    -e "MINIO_SECRET_KEY=p8HhVAqjp" \
    -v ~/minio/data:/data \
    -v ~/minio/config:/root/.minio \
    minio/minio server \
    /data --console-address ":9090" -address ":9000"

With this setup, the nginx in front reverse-proxies 9000 and 9090.
#3 zliea (OP) · 109 days ago
@photon006 With the Nginx reverse proxy, can links shared from the console be shared as public links?
#4 zliea (OP) · 109 days ago
@photon006 After adding MINIO_SERVER_URL, the console behind the reverse proxy can no longer log in.
#5 photon006 · 108 days ago
@zliea Use two subdomains on nginx, reverse-proxying the API and the admin UI separately, for example:

    # admin UI (listen / ssl_certificate directives go here as in your other server blocks)
    server {
        server_name minio.example.com;
        location / {
            proxy_pass http://10.13.1.27:9001;
        }
    }

    # API used by programs and by shared links
    server {
        server_name minio-api.example.com;
        location / {
            proxy_pass http://10.13.1.27:9000;
        }
    }

You already have a wildcard certificate, so this is easy to set up.
#6 fuxinya · 108 days ago
Start it (I recommend the bitnami rootless image):
    ```
    docker run --network app -hminio -d --name minio --restart=unless-stopped \
    -p 9000:9000 -p 9001:9001 \
    -e "MINIO_ROOT_USER=minio" \
    -e "MINIO_ROOT_PASSWORD=xxxx" \
    -e "MINIO_API_PORT_NUMBER=9000" \
    -e "MINIO_CONSOLE_PORT_NUMBER=9001" \
    -v /path/to/minio/data:/data \
    bitnami/minio:2022.5.8
    ```
Nginx configuration (the certificate is configured on nginx):
    ```
    location / {
    proxy_pass http://127.0.0.1:9001;
    }
    ```
#7 yimiaoxiehou · 108 days ago
Use the bitnami image, then change MINIO_SERVER_HOST and it should work:
    docker run --rm --name minio-client \
    --env MINIO_SERVER_HOST="my.minio.domain" \
    --env MINIO_SERVER_ACCESS_KEY="minio-access-key" \
    --env MINIO_SERVER_SECRET_KEY="minio-secret-key" \
    bitnami/minio-client \
    mb minio/my-bucket
#8 yimiaoxiehou · 108 days ago
@yimiaoxiehou Then put another layer of nginx with https in front.
#9 loveyu · 108 days ago
I ran into exactly the same problem recently. "invalid Login" is caused by MinIO being unable to reach MINIO_SERVER_URL=https://[minio domain] from the inside; make sure it can be accessed directly from inside docker and it works.
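The cause loveyu describes (the console process cannot reach MINIO_SERVER_URL from inside the container), together with the certificate question in the original post, can be checked directly rather than guessed at. The script below is an added example, not part of this thread and not MinIO's own code: it replays the console's call to MINIO_SERVER_URL step by step (DNS, TLS trust plus hostname check, HTTP GET of MinIO's health endpoint) and reports the first step that fails. The Docker network name net_app, the file name check_server_url.py and the domain are assumptions; cafile is where you pass your private CA if MinIO serves a self-signed certificate. san_matches also answers the suspicion at the top of the thread: a certificate only has to contain the IP when the console is pointed at the IP, and a wildcard entry covers exactly one label.

```python
"""Check, from inside the Docker network, what the MinIO console needs from
MINIO_SERVER_URL: the name resolves, the TLS certificate is trusted and matches
the name, and the health endpoint answers. Added example, not MinIO's code.
Run it on the same Docker network as the minio container (the network name
net_app and the URL are assumptions), e.g.:

  docker run --rm --network net_app -v "$PWD:/w" python:3 \
      python /w/check_server_url.py https://minio.yourdomain.com/ [/w/ca.pem]
"""
import ipaddress
import json
import socket
import ssl
import sys
import urllib.request
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

HEALTH_PATH = "/minio/health/live"  # MinIO's unauthenticated liveness endpoint


def san_matches(hostname: str, san: List[Tuple[str, str]]) -> bool:
    """Does any subjectAltName entry cover `hostname`?

    `san` has the shape ssl.getpeercert()["subjectAltName"] returns, e.g.
    [("DNS", "minio.example.com"), ("DNS", "*.minio.example.com"), ("IP Address", "10.0.0.5")].
    Rules (RFC 6125 / RFC 2818): an IP literal matches only an "IP Address" entry,
    never a DNS entry; a leading "*." covers exactly one label, so
    "*.minio.example.com" covers "b.minio.example.com" but neither
    "minio.example.com" nor "a.b.minio.example.com".
    """
    hostname = hostname.lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    for kind, value in san:
        value = value.lower()
        if ip is not None:
            if kind == "IP Address" and value == str(ip):
                return True
            continue
        if kind != "DNS":
            continue
        if value.startswith("*."):
            suffix = value[1:]  # ".minio.example.com"
            label = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
            if label and "." not in label:
                return True
        elif value == hostname:
            return True
    return False


def diagnose(server_url: str, cafile: Optional[str] = None, timeout: float = 5.0) -> dict:
    """Replay the steps the console takes when it calls MINIO_SERVER_URL and
    record where they break: DNS, then TLS (trust + name check), then HTTP."""
    u = urlsplit(server_url)
    host = u.hostname or ""
    port = u.port or (443 if u.scheme == "https" else 80)
    report = {"host": host, "port": port}

    try:
        report["dns"] = sorted({ai[4][0] for ai in socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)})
    except socket.gaierror as e:
        report["dns"] = f"FAIL: {e}"  # the public name does not resolve inside the container network
        return report

    ctx = None
    if u.scheme == "https":
        ctx = ssl.create_default_context(cafile=cafile)  # cafile = your private CA for a self-signed setup
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    cert = tls.getpeercert()
        except ssl.SSLCertVerificationError as e:
            report["tls"] = f"FAIL (untrusted CA or name mismatch): {e.verify_message}"
            return report
        except OSError as e:
            report["tls"] = f"FAIL: {e}"
            return report
        san = [tuple(x) for x in cert.get("subjectAltName", ())]
        report["tls"] = "ok"
        report["san"] = san
        # Bucket-style access (MINIO_DOMAIN) needs bucket.<host> on the certificate too.
        report["san_covers"] = {n: san_matches(n, san) for n in (host, "bucket." + host)}

    try:
        req = urllib.request.Request(f"{u.scheme}://{host}:{port}{HEALTH_PATH}")
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            report["http"] = resp.status
    except Exception as e:  # a diagnostic reports every failure instead of raising
        report["http"] = f"FAIL: {e}"
    return report


if __name__ == "__main__":
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    print(json.dumps(diagnose(sys.argv[1], cafile=ca), indent=2, default=str))
```

Read the report from the top: a failing dns step means the public name is not resolvable from the container network (a network alias or extra_hosts entry for it, as in the addendum, or a private DNS fixes that); a failing tls step means the certificate MinIO serves is not trusted or its SAN does not cover the name; a failing http step means nothing is listening on the port in MINIO_SERVER_URL.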
#10 blankmiss · 22 days ago
I ran into the same problem as you. Have you found a solution?
#11 zliea (OP) · 21 days ago
@blankmiss

```
services:
  minio:
    image: minio/minio:RELEASE.XXX
    container_name: minio
    hostname: minio.yourdomain.com
    restart: always
    expose:
    - 443
    - 9001
    environment:
    - MINIO_ROOT_USER=yourusername
    - MINIO_ROOT_PASSWORD=yourpassword
    - MINIO_DOMAIN=minio.yourdomain.com
    - MINIO_BROWSER_REDIRECT_URL=https://minio-console.yourdomain.com/
    - MINIO_SERVER_URL=https://minio.yourdomain.com/
    volumes:
    - /work/minio/conf:/root/.minio # HTTPS certificate; must cover minio.yourdomain.com, minio-console.yourdomain.com and *.minio.yourdomain.com
    - /work/minio/data:/data
    command: server /data --address ":443" --console-address ":9001"
    networks:
      net_app:
        aliases: # for bucket-domain access; so far I have only found adding them by hand, a private DNS would also work
        - bucketA.minio.yourdomain.com
        - bucketB.minio.yourdomain.com
```
#12 blankmiss · 19 days ago
@zliea With the reverse proxy, requesting a file link gives an error.
Viewing images and previewing files in the console also gives Access Denied:
```
{"code":500,"detailedMessage":"Access Denied.","message":"an error occurred, please try again"}
```

```
location ^~ /
{
    proxy_pass http://127.0.0.1:9000;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header REMOTE-HOST $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    add_header X-Cache $upstream_cache_status;
    proxy_connect_timeout 300;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    chunked_transfer_encoding off;
}
```
This is my reverse proxy configuration, written following the official site.
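The thread does not establish why blankmiss gets Access Denied on file links behind the proxy, and the example below does not claim to. What is certain is that S3 presigned URLs (the links the console's "share" and preview features produce) carry an AWS Signature V4 signature that covers the Host header, so a proxy that presents MinIO with a different Host than the one the link was signed for (a port dropped by `proxy_set_header Host $host`, an internal upstream name, a different subdomain) makes the signature fail, and S3 answers that with Access Denied. The code is an added illustration using the SigV4 algorithm, not MinIO's code; the access key, secret, hostnames and bucket are made up. It signs a GET URL the way a client does and then verifies it the way the server does, once with the original Host and once with a rewritten one.

```python
"""AWS Signature V4 presigned GET URL plus the server-side check. Added
illustration, not MinIO's code: it shows that the Host header is part of the
signed material, so a proxy that rewrites Host breaks presigned links.
Standard library only; access key, secret, host and bucket are made up."""
import datetime
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qsl, quote, urlsplit

ALGO = "AWS4-HMAC-SHA256"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret_key: str, date: str, region: str) -> bytes:
    # kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), "s3"), "aws4_request")
    k = _hmac(("AWS4" + secret_key).encode(), date)
    for part in (region, "s3", "aws4_request"):
        k = _hmac(k, part)
    return k


def _canonical_query(params: dict) -> str:
    # SigV4: parameters sorted by name, each name and value URI-encoded
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items()))


def _signature(secret_key: str, region: str, path: str, params: dict, host: str) -> str:
    """SigV4 signature for GET `path` with query `params` as seen on `host`.
    The only signed header in a presigned URL is `host`, so a different Host
    value yields a different signature."""
    amz_date = params["X-Amz-Date"]
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    canonical_request = "\n".join([
        "GET",
        path,
        _canonical_query(params),
        f"host:{host.lower()}\n",  # canonical headers, each line "\n"-terminated
        "host",                    # signed header list
        "UNSIGNED-PAYLOAD",        # presigned URLs do not sign the body
    ])
    string_to_sign = "\n".join([ALGO, amz_date, scope, hashlib.sha256(canonical_request.encode()).hexdigest()])
    return hmac.new(_signing_key(secret_key, date, region), string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign_get(access_key: str, secret_key: str, host: str, bucket: str, key: str,
                region: str = "us-east-1", expires: int = 3600,
                now: Optional[datetime.datetime] = None) -> str:
    """Build a presigned GET URL, the kind the console's share feature hands out."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    path = "/" + quote(f"{bucket}/{key}", safe="/~")  # path-style: https://host/bucket/key
    params = {
        "X-Amz-Algorithm": ALGO,
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    sig = _signature(secret_key, region, path, params, host)
    return f"https://{host}{path}?{_canonical_query(params)}&X-Amz-Signature={sig}"


def verify_presigned(url: str, received_host: str, secret_key: str) -> bool:
    """What the server does: recompute the signature over the path, the query
    and the Host header it actually received, then compare in constant time.
    (A real server also enforces the X-Amz-Date/X-Amz-Expires window and looks
    the secret up from the access key in X-Amz-Credential; the region is read
    from the credential scope here.)"""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    presented = params.pop("X-Amz-Signature", "")
    region = params["X-Amz-Credential"].split("/")[2]
    expected = _signature(secret_key, region, parts.path, params, received_host)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    url = presign_get("minioadmin", "minioadmin", "minio.yourdomain.com", "photos", "cat 1.jpg")
    print(url)
    # Host arrives at MinIO unchanged: the signature checks out.
    print("host unchanged:", verify_presigned(url, "minio.yourdomain.com", "minioadmin"))
    # Proxy rewrote Host (internal upstream name, or a port added/dropped):
    # the signature fails and S3 answers Access Denied.
    print("host rewritten:", verify_presigned(url, "minio:9000", "minioadmin"))
```

The practical check this gives you: the Host MinIO receives must be byte-for-byte what the client put in the URL, port included, which is why the MinIO-facing server blocks in this thread pass `$http_host` rather than `$host`, and why MINIO_SERVER_URL must be the public name the links are generated for.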