
Minio+Nginx+Docker 控制台登录 401 问题,请问如何解决?

  •   zliea 2022-08-18 11:42:55 +08:00 3936 次点击
    这是一个创建于 1149 天前的主题,其中的信息可能已经有所发展或是发生改变。

    部署方式

    Minio+Nginx+Docker

    问题现象与分析

    通过 NGINX 代理后无法登录控制台,登录返回 401 "invalid Login"。

    怀疑点:minio 的证书必须包含 ip

    尝试如下的配置

    • minio 不加证书
    • minio 加自签名证书
    • 将 Nginx 证书复制到 minio 中

    但问题依旧,Nginx 证书这里都是使用的泛域名证书。

    配置文件

    1. Minio 配置

    # docker-compose service from the original question: MinIO behind nginx.
    services:
      minio:
        image: minio/minio:RELEASE.2022-08-08T18-34-09Z
        container_name: minio
        restart: always
        # "expose" only documents the ports for containers on the same Docker network;
        # nothing is published on the host, so nginx must share a network with this container.
        expose:
          - 9000
          - 9001
        environment:
          # NOTE(review): [username]/[password] are the poster's placeholders. Real root
          # credentials are better kept out of the compose file (e.g. an env_file with
          # restricted permissions) than committed inline.
          - MINIO_ROOT_USER=[username]
          - MINIO_ROOT_PASSWORD=[password]
          - MINIO_DOMAIN=[minio domain]
          - MINIO_BROWSER_REDIRECT_URL=https://[minio console domain]
          # NOTE(review): the console connects to the API through this URL, so the name must
          # resolve, be reachable and present a certificate MinIO trusts from INSIDE the
          # container. A later reply in this thread attributes the 401 "invalid Login" to that.
          - MINIO_SERVER_URL=https://[minio domain]
        volumes:
          - /work/minio/conf:/root/.minio
          - /work/minio/data:/data
        command: server /data --console-address ":9001"

    2. Nginx 配置( minio )
    其中*.[minio domain]是为了群晖同步使用

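    # S3 API virtual host from the question, with one correction: in the original post the
    # proxy_set_header Host / X-Real-IP / X-Forwarded-* lines sat at server level. nginx inherits
    # proxy_set_header from the outer level only when the current level defines none, and
    # "location /" defines Upgrade/Connection, so those six headers were never sent upstream
    # (Host fell back to the upstream name). They are now set inside the location.
    server {
        listen 443 ssl http2;
        server_name [minio domain];
        charset utf-8;
        server_tokens off;
        access_log logs/[minio domain].log main;

        ssl_certificate ssl/[minio domain]/fullchain.pem;
        ssl_certificate_key ssl/[minio domain]/privkey.pem;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";
        ssl_prefer_server_ciphers on;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate ssl/[minio domain]/chain.pem;
        ssl_session_cache shared:le_nginx_SSL:1m;
        ssl_session_timeout 10m;
        # NOTE(review): with tickets enabled, forward secrecy for resumed sessions depends on
        # the ticket key being rotated (nginx restart/reload or rotated ssl_session_ticket_key files).
        ssl_session_tickets on;

        # NOTE(review): add_header without "always" is emitted only on success and redirect
        # responses, so error responses such as the 401 carry only the HSTS header below.
        add_header X-Frame-Options "DENY";
        add_header X-Content-Type-Options nosniff;
        # add_header Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'";
        # NOTE(review): X-XSS-Protection is ignored by current browsers; a CSP is the modern control.
        add_header X-XSS-Protection "1; mode=block";
        add_header Referrer-Policy "origin";
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        proxy_connect_timeout 3s;
        proxy_read_timeout 15s;
        # Unlimited body size and unbuffered proxying suit large object uploads; nginx then
        # enforces no request-size limit of its own on this host.
        client_max_body_size 0;
        chunked_transfer_encoding off;
        ignore_invalid_headers off;
        proxy_buffering off;
        proxy_request_buffering off;

        location / {
            # S3 request signatures cover the Host header, so the client's Host must reach
            # MinIO unchanged.
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-Host $host:$server_port;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            # NOTE(review): upstream "minios" is defined outside this snippet. nginx does not
            # verify the upstream certificate by default (proxy_ssl_verify off), so this hop is
            # encrypted but unauthenticated unless proxy_ssl_verify and
            # proxy_ssl_trusted_certificate are configured.
            proxy_pass https://minios/;
        }
    }

    # Wildcard host for bucket-style (bucket.domain) access; same settings and the same
    # proxy_set_header correction as the server block above.
    server {
        listen 443 ssl http2;
        server_name *.[minio domain];
        charset utf-8;
        server_tokens off;
        access_log logs/[minio domain].log main;

        ssl_certificate ssl/[minio domain]/fullchain.pem;
        ssl_certificate_key ssl/[minio domain]/privkey.pem;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";
        ssl_prefer_server_ciphers on;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate ssl/[minio domain]/chain.pem;
        ssl_session_cache shared:le_nginx_SSL:1m;
        ssl_session_timeout 10m;
        ssl_session_tickets on;

        add_header X-Frame-Options "DENY";
        add_header X-Content-Type-Options nosniff;
        # add_header Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'";
        add_header X-XSS-Protection "1; mode=block";
        add_header Referrer-Policy "origin";
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        proxy_connect_timeout 3s;
        proxy_read_timeout 15s;
        client_max_body_size 0;
        chunked_transfer_encoding off;
        ignore_invalid_headers off;
        proxy_buffering off;
        proxy_request_buffering off;

        location / {
            # Virtual-host-style bucket addressing depends on MinIO seeing the client's Host.
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-Host $host:$server_port;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_pass https://minios/;
        }
    }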

    3. Nginx 配置( minio 控制台)

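    # Console virtual host from the question, with one correction: in the original post the
    # proxy_set_header Host / X-Real-IP / X-Forwarded-* lines sat at server level. nginx inherits
    # proxy_set_header from the outer level only when the current level defines none, and
    # "location /" defines its own, so those six headers were never sent upstream. They are
    # now set inside the location.
    server {
        listen 443 ssl http2;
        server_name [minio console domain];
        charset utf-8;
        server_tokens off;
        access_log logs/[minio console domain].log main;

        ssl_certificate ssl/[minio console domain]/fullchain.pem;
        ssl_certificate_key ssl/[minio console domain]/privkey.pem;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";
        ssl_prefer_server_ciphers on;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate ssl/[minio console domain]/chain.pem;
        ssl_session_cache shared:le_nginx_SSL:1m;
        ssl_session_timeout 10m;
        # NOTE(review): with tickets enabled, forward secrecy for resumed sessions depends on
        # the ticket key being rotated.
        ssl_session_tickets on;

        # NOTE(review): add_header without "always" is emitted only on success and redirect
        # responses; the 401 login response would carry only the HSTS header below.
        add_header X-Frame-Options "DENY";
        add_header X-Content-Type-Options nosniff;
        # add_header Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'";
        add_header X-XSS-Protection "1; mode=block";
        add_header Referrer-Policy "origin";
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        proxy_connect_timeout 3s;
        proxy_read_timeout 15s;
        client_max_body_size 0;
        chunked_transfer_encoding off;
        ignore_invalid_headers off;
        proxy_buffering off;
        proxy_request_buffering off;

        location / {
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-Host $host:$server_port;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_http_version 1.1;
            # Upgrade/Connection let the console's WebSocket connections pass through the proxy.
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-NginX-Proxy true;
            # NOTE(review): upstream "minioc" is defined outside this snippet. nginx does not
            # verify the upstream certificate by default (proxy_ssl_verify off), so a
            # self-signed MinIO certificate is accepted without authentication on this hop.
            proxy_pass https://minioc/;
        }
    }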

    如果 Minio 无法实现,请各位大佬推荐其他支持自建的对象存储产品,需求如下

    • 自建
    • Docker 部署
    • 兼容 S3
    • 自带控制台上传下载文件
    • Nginx 提供 HTTPS
    • 可以群晖同步(即支持 bucket.domain 方式访问与 HTTPS 访问)
    第 1 条附言    2022-11-14 09:11:37 +08:00
    非完美解决方案, 需要手动设置 bucket 域名访问

    # The poster's workaround: MinIO terminates TLS itself on 443, and the container answers
    # to its public API name on the Docker network.
    services:
      minio:
        image: minio/minio:RELEASE.XXX
        container_name: minio
        # Container hostname equals the public API name, presumably so that MINIO_SERVER_URL
        # resolves to this container from inside it.
        hostname: minio.yourdomain.com
        restart: always
        expose:
          - 443
          - 9001
        environment:
          # NOTE(review): placeholder credentials; keep real values out of the compose file.
          - MINIO_ROOT_USER=yourusername
          - MINIO_ROOT_PASSWORD=yourpassword
          - MINIO_DOMAIN=minio.yourdomain.com
          - MINIO_BROWSER_REDIRECT_URL=https://minio-console.yourdomain.com/
          - MINIO_SERVER_URL=https://minio.yourdomain.com/
        volumes:
          # HTTPS certificate; it must cover minio.yourdomain.com,
          # minio-console.yourdomain.com and *.minio.yourdomain.com.
          # NOTE(review): the private key lives in this host directory; restrict its permissions.
          - /work/minio/conf:/root/.minio
          - /work/minio/data:/data
        command: server /data --address ":443" --console-address ":9001"
        networks:
          net_app:
            # To support bucket-style domain access; so far only adding each bucket name by
            # hand was found to work. A private DNS could be used instead.
            aliases:
              - bucketA.minio.yourdomain.com
              - bucketB.minio.yourdomain.com
    13 条回复    2024-01-29 17:55:51 +08:00
        1
    photon006  
       2022-08-18 11:50:01 +08:00   1
    minio 不用证书,nginx 配证书就行了,我是这样:

    ```
    # Runs MinIO over plain HTTP; per the reply, TLS is terminated at nginx.
    # NOTE(review): -p 9000:9000 and -p 9001:9001 publish on every host interface, so the
    # unencrypted API and console remain reachable around nginx unless a firewall blocks them.
    # When nginx runs on the same host, binding to loopback (-p 127.0.0.1:9000:9000) avoids that.
    # NOTE(review): root credentials passed with -e end up in shell history and `docker inspect`;
    # an --env-file with restricted permissions keeps them off the command line.
    # NOTE(review): the image has no tag, so it tracks "latest"; pin a release for repeatability.
    docker run \
    -d --name minio \
    --restart=always \
    -p 9000:9000 \
    -p 9001:9001 \
    -v /dev/sda1/minio:/data \
    -e TZ=Asia/Shanghai \
    -e MINIO_ROOT_USER=admin \
    -e MINIO_ROOT_PASSWORD=pwd \
    -e MINIO_SERVER_URL=https://minio-api.example.com/ \
    minio/minio server /data --address :9000 --console-address :9001
    ```
        2
    SenLief  
       2022-08-18 11:52:53 +08:00
    我用 docker 的

    # NOTE(review): with --net=host the -p mappings are ignored (the container shares the host's
    # network stack), so 9000 and 9090 listen directly on all host interfaces.
    # NOTE(review): MINIO_ACCESS_KEY / MINIO_SECRET_KEY are the older variable names, deprecated
    # in favour of MINIO_ROOT_USER / MINIO_ROOT_PASSWORD.
    # NOTE(review): the secret below looks like a real value rather than a placeholder; a
    # credential that has been pasted into a public thread should be rotated.
    docker run -p 9000:9000 -p 9090:9090 \
    --net=host \
    --name minio \
    -d --restart=always \
    -e "MINIO_ACCESS_KEY=admin" \
    -e "MINIO_SECRET_KEY=p8HhVAqjp" \
    -v ~/minio/data:/data \
    -v ~/minio/config:/root/.minio \
    minio/minio server \
    /data --console-address ":9090" -address ":9000"

    这个配置,前端反代用的 nginx 反代 9000 和 9090 了。
        3
    zliea  
    OP
       2022-08-18 11:58:55 +08:00
    @photon006 那使用 Nginx 反代后,控制台的分享功能是否可以分享公网的链接?
        4
    zliea  
    OP
       2022-08-18 12:05:52 +08:00
    @photon006 MINIO_SERVER_URL 加上这个之后控制台反代就无法登录了。
        5
    photon006  
       2022-08-18 13:48:50 +08:00
    @zliea nginx 使用 2 个二级域名,分别反代 api 和后台管理界面,比如:

    # Admin console. (Fragment: the enclosing server { } blocks and the listen / ssl_* lines
    # are omitted in the reply.)
    server_name minio.example.com;
    location / {

    proxy_pass http://10.13.1.27:9001;
    }


    # API used by applications and by shared links.
    # NOTE(review): both upstream hops are plain HTTP to 10.13.1.27, so traffic between nginx
    # and MinIO is unencrypted on that network segment.
    # NOTE(review): as shown, no proxy_set_header Host is set, so nginx would send the
    # proxy_pass host as Host; the reply may simply have left those lines out.
    server_name minio-api.example.com;
    location / {

    proxy_pass http://10.13.1.27:9000;
    }


    你本身就是泛域名证书,配起来很容易。
        6
    fuxinya  
       2022-08-18 13:58:03 +08:00
    启动:(建议使用 bitnami rootless 镜像)
    ```
    # Starts the Bitnami MinIO image (described in the reply as rootless) on the "app" network
    # with container hostname "minio".
    # NOTE(review): -p 9000:9000 -p 9001:9001 publish both plain-HTTP ports on every host
    # interface; since the nginx example below proxies to 127.0.0.1, binding them to loopback
    # (-p 127.0.0.1:9001:9001) would keep them reachable only through the TLS proxy.
    # NOTE(review): "xxxx" is a placeholder; supply the real password via --env-file rather
    # than on the command line.
    docker run --network app -hminio -d --name minio --restart=unless-stopped \
    -p 9000:9000 -p 9001:9001 \
    -e "MINIO_ROOT_USER=minio" \
    -e "MINIO_ROOT_PASSWORD=xxxx" \
    -e "MINIO_API_PORT_NUMBER=9000" \
    -e "MINIO_CONSOLE_PORT_NUMBER=9001" \
    -v /path/to/minio/data:/data \
    bitnami/minio:2022.5.8
    ```
    Nginx 配置:(证书是在 nginx 上配)
    ```
    # Proxies only the console port (9001) over loopback HTTP; per the reply, the certificate
    # is configured on nginx. The S3 API on 9000 would need its own server/location block.
    location / {
    proxy_pass http://127.0.0.1:9001;
    }
    ```
        7
    yimiaoxiehou  
       2022-08-18 17:29:29 +08:00
    用 bitnami 的镜像吧,然后把 MINIO_SERVER_HOST 改下应该就行
    # One-shot (--rm) run of the Bitnami MinIO client image: it executes "mb minio/my-bucket",
    # i.e. it creates a bucket on an existing server rather than starting a server.
    # NOTE(review): the host and key values are placeholders; real access keys passed with
    # --env are visible in shell history and `docker inspect`.
    docker run --rm --name minio-client \
    --env MINIO_SERVER_HOST="my.minio.domain" \
    --env MINIO_SERVER_ACCESS_KEY="minio-access-key" \
    --env MINIO_SERVER_SECRET_KEY="minio-secret-key" \
    bitnami/minio-client \
    mb minio/my-bucket
        8
    yimiaoxiehou  
       2022-08-18 17:29:47 +08:00
    @yimiaoxiehou 然后再套一层 nginx https
        9
    loveyu  
       2022-08-18 18:22:30 +08:00
    最近遇到一模一样的问题,invalid Login 是 minio 内部无法访问 MINIO_SERVER_URL=https://[minio domain] 导致的,保证 docker 内部可以直接访问就行了
        10
    blankmiss  
       2022-11-12 21:57:53 +08:00
    我和你遭遇到了一样的问题 有解决方案了吗
        11
    zliea  
    OP
       2022-11-14 09:12:09 +08:00
    @blankmiss

    ```
    # The poster's workaround: MinIO terminates TLS itself on 443, and the container answers
    # to its public API name on the Docker network.
    services:
      minio:
        image: minio/minio:RELEASE.XXX
        container_name: minio
        # Container hostname equals the public API name, presumably so that MINIO_SERVER_URL
        # resolves to this container from inside it.
        hostname: minio.yourdomain.com
        restart: always
        expose:
          - 443
          - 9001
        environment:
          # NOTE(review): placeholder credentials; keep real values out of the compose file.
          - MINIO_ROOT_USER=yourusername
          - MINIO_ROOT_PASSWORD=yourpassword
          - MINIO_DOMAIN=minio.yourdomain.com
          - MINIO_BROWSER_REDIRECT_URL=https://minio-console.yourdomain.com/
          - MINIO_SERVER_URL=https://minio.yourdomain.com/
        volumes:
          # HTTPS certificate; it must cover minio.yourdomain.com,
          # minio-console.yourdomain.com and *.minio.yourdomain.com.
          # NOTE(review): the private key lives in this host directory; restrict its permissions.
          - /work/minio/conf:/root/.minio
          - /work/minio/data:/data
        command: server /data --address ":443" --console-address ":9001"
        networks:
          net_app:
            # To support bucket-style domain access; so far only adding each bucket name by
            # hand was found to work. A private DNS could be used instead.
            aliases:
              - bucketA.minio.yourdomain.com
              - bucketB.minio.yourdomain.com
    ```
        12
    blankmiss  
       2022-11-15 19:56:49 +08:00
    @zliea 反向代理的时候 请求文件链接会报错
    后台查看图片和预览文件也一样会 Access Denied
    ```
    {"code":500,"detailedMessage":"Access Denied.","message":"an error occurred, please try again"}

    ```


    ```


    # Forwards every request to the S3 API on loopback port 9000 over plain HTTP.
    # NOTE(review): the console (preview/download in the admin UI) is served on a separate port;
    # its proxy block is not shown here, so the "Access Denied" may originate there - confirm.
    location ^~ /
    {
    proxy_pass http://127.0.0.1:9000;
    # NOTE(review): $host carries no port. S3 signatures cover the Host header, so if clients
    # reach this proxy on a non-default port, signed and shared links may fail verification;
    # $http_host passes the header exactly as the client sent it.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header REMOTE-HOST $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    add_header X-Cache $upstream_cache_status;
    proxy_connect_timeout 300;
    proxy_http_version 1.1;
    # Empty Connection header lets nginx keep upstream connections alive with HTTP/1.1.
    proxy_set_header Connection "";
    chunked_transfer_encoding off;
    }

    ```
    这是我的反向代理配置 按照官网来写的
        13
    wangbin11  
       2024-01-29 17:55:51 +08:00
    我是内网自签名证书,minio 有办法信任吗,容器内是可以访问的,{"message":"invalid Login"}