Minio console cannot be exposed trough k8s ingress and NGINX gateway

[hshmilo]

I am using the latest minio release (RELEASE.2022-04-26T01-20-24Z) that introduces MINIO_BROWSER_REDIRECT_URL env variable (minio/minio#14761).

Since we deploy the minio console on the k8s cluster behind the ingress and NGINX reverse proxy I have to rewrite the NGINX config in the following way:

        location ~* ^/console {
            proxy_pass http://localhost:9001;
        }

When I try to get minio console I see the following:

How to reproduce:

Run MinIO Like

MINIO_BROWSER_REDIRECT_URL="http://localhost:8000/console" CI=true ./minio server /tmp/dskx{1...4} --address :9000 --console-address :9001

start nginx with the following config:

events { worker_connections 1024; }

http {

server {
    listen 8000;

    location ~* ^/console {
        proxy_pass http://localhost:9001;
    }
}

}

Visit http://localhost:8000/console

[FeryET]

I am experiencing the same problem via docker-compose and putting minio behind nginx. The only solution so far is to expose minio at / location.
Does rolling back to previous versions fix this issue? If so, can anyone point out which version (or docker image) I should use?

[m3th0d3f]

Issue reproduced with the Helm chart and an Ingress using path: /minio(/|$)(.*) and the nginx.ingress.kubernetes.io/rewrite-target: /$2 annotation.
Works as expected when using path: /

[gcalmettes]

I was able to successfully serve the UI on a subpath (k8s ingress) using:

extraEnvVars:
    - name: MINIO_CONSOLE_SUBPATH
      value: "/minio/"
    - name: MINIO_BROWSER_REDIRECT_URL
      value: "https://your-minio-dns.com/minio/"

(note the second MINIO_CONSOLE_SUBPATH environment variable, in addition to the MINIO_BROWSER_REDIRECT_URL, see #1854)

and setting the ingress with:

path: /minio/(.*)
annotations:
  nginx.ingress.kubernetes.io/rewrite-target: /$1

[harshavardhana]

You should only need one environment variable here @dvaldivia why do we need two?

[gcalmettes]

Update:

With image RELEASE.2022-04-29T01-27-09Z, only MINIO_BROWSER_REDIRECT_URL seems necessary.

However, to access the UI, the full login path (http://minio-dns.com/subpath/login) has to be explicitely entered (only entering http://minio-dns.com/subpath/ redirects to http://minio-dns.something/subpath/subpath/login. The same doubling of the subpath occurs after clicking on the logout button in the UI which redirects to the login url.

[dvaldivia]

I removed MINIO_CONSOLE_SUBPATH in favor of MINIO_BROWSER_REDIRECT_URL @harshavardhana

The redirect you are seeing @gcalmettes sounds to me like a bug on our end, I'll investigate

[FeryET]

Any update on this issue?

[gcalmettes]

@dvaldivia If that helps, below is a local docker-compose setup with which you can easily reproduce the redirection issue:

• docker-compose.yml

version: '3.9'
services:
  nginx:
    image: nginx
    networks:
      - minio-local
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf
    ports:
      - 80:80
    depends_on:
      - minio

  minio:
    image: minio/minio:RELEASE.2022-05-04T07-45-27Z
    networks:
      - minio-local
    command: server /data --console-address ":9001"
    ports:
      - 9000:9000
      - 9001:9001
    environment:
      MINIO_ROOT_USER: minio
      MINIO_ROOT_PASSWORD: minio123
      MINIO_BROWSER_REDIRECT_URL: "http://localhost/console"
    healthcheck:
      test: [ "CMD", "curl", "-f", "http://localhost:9000/minio/health/live" ]
      interval: 30s
      timeout: 10s
      retries: 5

networks:
  minio-local:
    driver: bridge

• nginx.conf (to be placed in the same folder than the docker-compose.yml)

events {}
http {
  server {
    listen 80;
    listen [::]:80;
    location / {
       rewrite /console(/|$)(.*) /$2  break;
       proxy_pass         http://minio:9001/;
       proxy_redirect     off;
    }
  }
}

• If you go to http://localhost/console/login 👉 everything works fine
• If you click on logout after having logged-in 👉 you're redirected to http://localhost/console/console/login
• If you go to http://localhost/console (without the login full path) 👉 you're redirected to http://localhost/console/console/login

[faan11]

I also have the same issue, Are there any updates?

[WatsongRB]

#1908 (comment)
""gcalmettes commented [on 30 Apr]
However, to access the UI, the full login path (http://minio-dns.com/subpath/login) has to be explicitely entered (only entering http://minio-dns.com/subpath/ redirects to http://minio-dns.something/subpath/subpath/login. The same doubling of the subpath occurs after clicking on the logout button in the UI which redirects to the login url""

I also confirm the above using K8s ingress, NGINX gateway, and a subpath (/minio/).
In addition, files cannot be downloaded using the UI. This occurs, because the request does not have the subpath appended. Capturing the download request URL, adding the subpath, and then pasting it into the address bar works to download the file.

E.g.
https://(domain)/api/v1/buckets/default/objects/download?prefix=EJFIOWEFHFH2914RHFFADSODJA
should be generated by the MinIO console UI as:
https://(domain)/(subpath)/api/v1/buckets/default/objects/download?prefix=EJFIOWEFHFH2914RHFFADSODJA

[DanSalt]

@dvaldivia - any updates on this issue? Is the workaround mentioned above a valid interim solution?

[Elveon-X]

Hello,
i confirm we got same problems with latest versions:

-subpath/login is not working if not "explicitely entered" to access the web ui console (it redirects to /subpath/subpath/login).
-files cannot be downloaded using the UI, because the request ignores the subpath. This is the only api actually doing this we found, for example uploading files is working and the correct subpath is used. Adding the correct subpath on the download request will make it working, granted you do it before the token expires.

Any updates on the issues and this thread?

Thanks

[j13tw]

Not a best practice
if you want fix download API Error
when I setting up of one domain mapping to minio (s3 api | console)
in istio virtual service CRD
I add the specify URL "/api/v1/buckets/" redirect to "/api/v1/buckets/"
and the console download Object can work!

[mskyttner]

Another confirmation here, running into this issue. I have also not been able to work around the issue with some of the latest versions using nginx reverse proxy in front when attempting to expose minio console on a subpath. Any known workarounds with the latest version?

[waldo2188]

I have the same issue.

I run MinIO on a on premise Kubernetes cluster with Traefik as reverse proxy.

I have followed this documentation to install MinIO and try to set up Traefik as reverse proxy for the Operator Console and the Object Storage Console. I was unable to set up the Operator Console in a sub path like https://acme.org/minio.

Even though the env variables MINIO_BROWSER_REDIRECT_URL and CONSOLE_SUBPATH were set in the main console pod, the apis did not use either of these two env variables.

I give here the traefik configuration that “work” for me.

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: minio-console-https
  namespace: default
spec:
  entryPoints:
  - https
  routes:
  ## For Minio Operator Console
  - kind: Rule
    match: Host(`minio.acme.org`)
    middlewares:
    - name: minio-secure-mid
      namespace: default
    services:
    - kind: Service
      name: console
      port: 9090
      namespace: minio-operator
  ## For Minio Object Store Console
  - kind: Rule
    match: Host(`object-storage.acme.org`) && PathPrefix(`/tenant`)
    middlewares:
    - name: minio-object-storage-tenant-mid
      namespace: default
    services:
    - kind: Service
      name: tenant-console
      port: 9090
      namespace: default
  tls:
    certResolver: default
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: minio-object-storage-tenant-mid
  namespace: default
spec:
  stripPrefix:
    prefixes:
    - /tenant

Dont forget to enabled the allowCrossNamespace = true in the Traefik configuration.

[xmolitann]

I was able to successfully serve the UI on a subpath (k8s ingress) using:

extraEnvVars:
    - name: MINIO_CONSOLE_SUBPATH
      value: "/minio/"
    - name: MINIO_BROWSER_REDIRECT_URL
      value: "https://your-minio-dns.com/minio/"

(note the second MINIO_CONSOLE_SUBPATH environment variable, in addition to the MINIO_BROWSER_REDIRECT_URL, see #1854)

and setting the ingress with:

path: /minio/(.*)
annotations:
  nginx.ingress.kubernetes.io/rewrite-target: /$1

Thank you so much for this, I spent half a day trying to solve this