Minio console gives "Invalid login" if internal CA cert is not imported when using reverse proxying inside docker #3315

@pitastrudl

NOTE

I deployed Minio in Docker swarm and was battling to get the console to work for several hours. Minio gave no indication of errors and nginx was only saying '401 unauthorized'. In the end what solved it was to include the CA certificate of our internal CA being used to access our services (including minio console) into the default path /root/.minio/certs/CAs/internal.crt.

Expected Behavior

With the correct proxying settings for nginx and minio config - console is supposed to open.

Current Behavior

With the correct proxying settings for nginx and minio config - console says 'invalid login' even with correct credentials. Minio container should warn if a certificate is missing.

Possible Solution

Steps to Reproduce (for bugs)

  1. Set up a default minio deployment without a custom certificate in Docker
  2. Set up nginx loadbalancer with TLS termination endpoint, reverse proxying console to Minio docker deployment
  3. Access console via browser
  4. Receive 'invalid login'

Context

Trying to set up minio to be used within services of the Docker swarm deployment. All services are exposed via HTTPS endpoints which Minio supports. Custom internal CA is used for issuing SSL certificates for secure communication. Additional documentation for this could be done.

I only managed to solve this after finding this issue ( minio/minio#19096 ), translating it (Google Translate said Chinese) and seeing that they had issues with certificates.

On an unrelated note, https://min.io/docs/minio/linux/integrations/setup-nginx-proxy-with-minio.html should note that the console does need access to the API as it's defined in the environment variables. This is referenced in the README.md.

Regression

Unknown

Your Environment

  • MinIO version used: RELEASE.2024-04-18T19-09-19Z
  • Server setup and configuration: Nginx 1.25.3-alpine
  • Operating System and version (uname -a): In Docker version 24.0.9

Nginx proxy conf (double $$ due to jinja2 escaping):

    set $$upstream_minio_console http://minio:9001;
    proxy_buffering off;
    location /minioconsole/ {
        rewrite ^/minioconsole/(.*)$$ /$$1 break;
        chunked_transfer_encoding off;
        proxy_pass $$upstream_minio_console;

        proxy_set_header Host $$http_host;
        proxy_set_header X-Real-IP $$remote_addr;
        proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $$scheme;
        proxy_set_header X-NginX-Proxy true;

        #real_ip_header X-Real-IP;

        proxy_connect_timeout 300;
        proxy_set_header Upgrade $$http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_http_version 1.1;
        # proxy_set_header Connection keep-alive;
        proxy_set_header X-Forwarded-Proto $$http_x_forwarded_proto;
        proxy_cache_bypass $$http_upgrade;
        proxy_set_header Origin 'null';

        proxy_request_buffering off;
    }

    set $$upstream_minio_api http://minio:9000;
    location /{

        proxy_set_header Host $$http_host;
        proxy_set_header X-Real-IP $$remote_addr;
        proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $$scheme;
        proxy_connect_timeout 300;
        # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
        proxy_http_version 1.1;
        proxy_set_header Connection "null";
        chunked_transfer_encoding off;
        proxy_pass $$upstream_minio_api;

    }

Docker command: command: 'server /data --console-address ":9001"'

Minio environmental settings:

    MINIO_ROOT_USER: examplekey
    MINIO_ROOT_PASSWORD: examplekeypass
    MINIO_SERVER_URL: 'https://example.local/'
    MINIO_BROWSER_REDIRECT_URL: 'https://example.local/minioconsole/'
