@nitisht
Last active March 6, 2024 22:44
Self-signed certificate setup with Nginx proxying requests to Minio Server

Nginx SSL termination for Minio server load balanced setup

This document explains the steps required to set up an Nginx proxy with SSL termination for Minio servers running in the background.

Generate self signed certificate

Create a directory /etc/nginx/ssl/domain.abc, where domain.abc is the name of your website domain. Then run the commands below in that directory:

sudo openssl genrsa -out private.key 2048
sudo openssl req -new -x509 -days 3650 -key private.key -out public.crt -subj "/C=US/ST=state/L=location/O=organization/CN=domain.abc"

Setup Nginx config

Navigate to the directory /etc/nginx/sites-enabled and add a new config file called domain.abc. Add the following contents to the file:

upstream minio_servers {
    server 127.0.0.1:9000;
}

server {
    listen 443 ssl;
    server_name domain.abc www.domain.abc;

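    # TLS is enabled by the "ssl" parameter on the listen line; the separate "ssl on;" directive is deprecated.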
    ssl_certificate         /etc/nginx/ssl/domain.abc/public.crt;
    ssl_certificate_key     /etc/nginx/ssl/domain.abc/private.key;

    location / {
        proxy_set_header Host $http_host;
        proxy_pass       http://minio_servers;
    }
}

With this config, Nginx proxies all incoming requests to the upstream minio_servers. The ssl_certificate and ssl_certificate_key directives supply the certificate and private key used for SSL termination, so TLS ends at Nginx and the hop to Minio on 127.0.0.1:9000 is plain HTTP.

Launch Minio and access Minio via browser.

Now that the certificates and Nginx config are set, make sure the host domain.abc is accessible from your computer. On a local system you can just edit the /etc/hosts file and add an entry that resolves domain.abc to 127.0.0.1.

Start Minio server following the docs here. Then open https://domain.abc in a browser. You should see a warning that the SSL certificate is not signed by a CA. You can safely ignore this as you have created the certificate yourself. You should now be able to access the Minio browser login page.

Access via mc

Add mc host using

mc --insecure config host add myminio https://domain.abc minio_access_key minio_secret_key

Then use mc as you normally would. Refer to the mc docs here.

Access via minio-go

Go validates server certificates by default. You'd need to disable that before being able to access Minio server. This can be done as follows:

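package main

import (
    "crypto/tls"
    "log"
    "net/http"

    "github.com/minio/minio-go"
)

func main() {
    // Disable certificate verification, since the self-signed certificate has no CA chain.
    tlsConfig := &tls.Config{}
    tlsConfig.InsecureSkipVerify = true

    var transport http.RoundTripper = &http.Transport{
        TLSClientConfig: tlsConfig,
    }

    // Create new minio-go client. NewWithRegion also needs a region; "us-east-1" is Minio's default.
    s3Client, err := minio.NewWithRegion("domain.abc", "minio_access_key", "minio_secret_key", true, "us-east-1")
    if err != nil {
        log.Fatalln(err)
    }
    // Set custom transport.
    s3Client.SetCustomTransport(transport)
}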