Updating Nginx Reverse Proxy documentation #743

Merged
merged 2 commits into from
Mar 6, 2023
2 changes: 1 addition & 1 deletion source/integrations/integrations.rst
Expand Up @@ -20,6 +20,6 @@ All provided guides assume familiarity with the third-party integration software
/integrations/using-minio-with-veeam.md
/integrations/disaggregated-spark-and-hadoop-hive-with-minio.md
/integrations/aws-cli-with-minio.md
/integrations/setup-nginx-proxy-with-minio.md
/integrations/setup-nginx-proxy-with-minio
/integrations/presigned-put-upload-via-browser.md
/integrations/generate-lets-encrypt-certificate-using-certbot-for-minio.md
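Review bot: The replacement toctree entry `/integrations/setup-nginx-proxy-with-minio` carries no file suffix, while every neighbouring entry keeps `.md`. That fits the move to an `.rst` source, but please confirm the built page keeps the URL of the old Markdown page, or add a redirect, so existing links to the NGINX guide do not break.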
113 changes: 0 additions & 113 deletions source/integrations/setup-nginx-proxy-with-minio.md

This file was deleted.

197 changes: 197 additions & 0 deletions source/integrations/setup-nginx-proxy-with-minio.rst
@@ -0,0 +1,197 @@
.. _integrations-nginx-proxy:

======================================
Configure NGINX Proxy for MinIO Server
======================================

.. default-domain:: minio

.. contents:: Table of Contents
:local:
:depth: 2

The following documentation covers the minimum settings required to configure NGINX to proxy requests to MinIO.

This documentation assumes the following:

- An existing `NGINX <http://nginx.org/en/download.html>`__ deployment
- An existing :ref:`MinIO <minio-installation>` deployment
Collaborator

This didn't resolve to a link. Is the reference correct?

Collaborator Author

@ravindk89 ravindk89 Feb 27, 2023

Fixed. I think I needed to re-update staging

- A DNS hostname which uniquely identifies the MinIO deployment

There are two models for proxying requests to the MinIO Server API and the MinIO Console:

Collaborator Author

Choosing to not deal with :443 or https here. Not sure if that makes a difference.

.. tab-set::

.. tab-item:: Dedicated DNS

Create or configure a dedicated DNS name for the MinIO service.

For the MinIO Server S3 API, proxy requests to the root of that domain.
For the MinIO Console Web GUI, proxy requests to the ``/minio`` subpath.

For example, given the hostname ``minio.example.net``:

- Proxy requests to the root ``https://minio.example.net`` to the MinIO Server listening on ``https://minio.local:9000``.

- Proxy requests to the subpath ``https://minio.example.net/minio`` to the MinIO Console listening on ``https://minio.local:9001``.

The following location blocks provide a template for further customization in your unique environment:

.. code-block:: nginx
:class: copyable

upstream minio {
least_conn;
server minio-01.internal-domain.com;
server minio-02.internal-domain.com;
server minio-03.internal-domain.com;
server minio-04.internal-domain.com;
}

server {
listen 80;
listen [::]:80;
server_name minio.example.net;

# Allow special characters in headers
ignore_invalid_headers off;
# Allow any size file to be uploaded.
# Set to a value such as 1000m; to restrict file size to a specific value
client_max_body_size 0;
# Disable buffering
proxy_buffering off;
proxy_request_buffering off;

location / {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

proxy_connect_timeout 300;
# Default is HTTP/1, keepalive is only enabled in HTTP/1.1
proxy_http_version 1.1;
proxy_set_header Connection "";
chunked_transfer_encoding off;

proxy_pass https://minio:9000/; # This uses the upstream directive definition to load balance
}

location /minio {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-NginX-Proxy true;

# This is necessary to pass the correct IP to be hashed
real_ip_header X-Real-IP;

proxy_connect_timeout 300;

# To support websockets in MinIO versions released after January 2023
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";

chunked_transfer_encoding off;

proxy_pass https://minio:9001/; # This uses the upstream directive definition to load balance and assumes a static Console port of 9001
}
}

The S3 API signature calculation algorithm does *not* support proxy schemes where you host either the MinIO Server API or Console GUI on a subpath, such as ``example.net/s3/`` or ``example.net/console/``.

.. tab-item:: Subdomain

Create or configure separate, unique subdomains for the MinIO Server S3 API and for the MinIO Console Web GUI.

For example, given the root domain of ``example.net``:

- Proxy request to the subdomain ``minio.example.net`` to the MinIO Server listening on ``https://minio.local:9000``

- Proxy requests to the subdomain ``console.example.net`` to the MinIO Console listening on ``https://minio.local:9001``

The following location blocks provide a template for further customization in your unique environment:

.. code-block:: nginx
:class: copyable

upstream minio {
least_conn;
server minio-01.internal-domain.com;
server minio-02.internal-domain.com;
server minio-03.internal-domain.com;
server minio-04.internal-domain.com;
}

server {
listen 80;
listen [::]:80;
server_name minio.example.net;

# Allow special characters in headers
ignore_invalid_headers off;
# Allow any size file to be uploaded.
# Set to a value such as 1000m; to restrict file size to a specific value
client_max_body_size 0;
# Disable buffering
proxy_buffering off;
proxy_request_buffering off;

location / {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

proxy_connect_timeout 300;
# Default is HTTP/1, keepalive is only enabled in HTTP/1.1
proxy_http_version 1.1;
proxy_set_header Connection "";
chunked_transfer_encoding off;

proxy_pass http://minio:9000/; # This uses the upstream directive definition to load balance
}
}

server {

listen 80;
listen [::]:80;
server_name console.example.net;

# Allow special characters in headers
ignore_invalid_headers off;
# Allow any size file to be uploaded.
# Set to a value such as 1000m; to restrict file size to a specific value
client_max_body_size 0;
# Disable buffering
proxy_buffering off;
proxy_request_buffering off;

location / {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-NginX-Proxy true;

# This is necessary to pass the correct IP to be hashed
real_ip_header X-Real-IP;

proxy_connect_timeout 300;

# To support websocket
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";

chunked_transfer_encoding off;

proxy_pass http://minio:9001/; # This uses the upstream directive definition to load balance and assumes a static Console port of 9001
}
}

The S3 API signature calculation algorithm does *not* support proxy schemes where you host either the MinIO Server API or Console GUI on a subpath, such as ``minio.example.net/s3/`` or ``console.example.net/gui``.
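Review bot: In both tabs the `upstream minio` block lists its four servers without ports, yet the `proxy_pass` lines address it as `minio:9000` and `minio:9001`. NGINX takes the backend port from the `server` entries of an upstream group, so a single group cannot stand for both the S3 API and the Console. Suggest two groups with explicit ports (`server minio-01.internal-domain.com:9000;` in one, `:9001` in the other) and `proxy_pass` lines that name the group without a port. The scheme also differs between tabs (`https://minio:9000/` under Dedicated DNS, `http://minio:9000/` under Subdomain) although the prose in both says the backend listens on `https://minio.local:9000`, so one of them needs to change. Two smaller points: the Dedicated DNS tab proxies the Console on `/minio` and then closes by saying that hosting the Console on a subpath is not supported, which reads as a contradiction; and every `server` block only has `listen 80` while the examples use `https://minio.example.net`, so a sentence stating that TLS termination is left out of the template would help readers.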

Expand Up @@ -56,6 +56,7 @@ The following load balancers are known to work well with MinIO:

Configuring firewalls or load balancers to support MinIO is out of scope for
this procedure.
The :ref:`integrations-nginx-proxy` reference provides a baseline configuration for using NGINX as a reverse proxy with basic load balancing configured.

Sequential Hostnames
~~~~~~~~~~~~~~~~~~~~
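Review bot: The added `:ref:` sentence sits on the line directly under "out of scope for this procedure", so it joins that paragraph, and it is one long line where the surrounding text is hard-wrapped. Consider wrapping it to match, and wording it so readers know the linked NGINX page is a starting template, since the example on that page listens on port 80 only.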
Expand Up @@ -68,6 +68,7 @@ The following load balancers are known to work well with MinIO:

Configuring firewalls or load balancers to support MinIO is out of scope for
this procedure.
The :ref:`integrations-nginx-proxy` reference provides a baseline configuration for using NGINX as a reverse proxy with basic load balancing configured.

Sequential Hostnames
~~~~~~~~~~~~~~~~~~~~
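Review bot: The added `:ref:` sentence duplicates the one in the previous hunk word for word, in a second procedure. If these procedures already share text through an include, placing the cross-reference there would keep the two copies from drifting apart.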