Navigation Menu

Skip to content

Instantly share code, notes, and snippets.

@superseb

superseb/minio-nginx-selfsigned.sh

Last active February 23, 2024 06:52
Show Gist options
  • Star 8 You must be signed in to star a gist
  • Fork 4 You must be signed in to fork a gist
  • Save superseb/32c439aac5097723f395acc77c47e829 to your computer and use it in GitHub Desktop.
Save superseb/32c439aac5097723f395acc77c47e829 to your computer and use it in GitHub Desktop.
Download ZIP
Minio + NGINX in Docker using self signed certificates
Raw
minio-nginx-selfsigned.sh
#!/bin/bash
if [ "$#" -lt 0 ]; then
echo "Usage: $0"
exit 1
fi
echo "Generating nip.io based on found external IP"
FOUNDIP=$(docker run --rm --net=host appropriate/curl https://api.ipify.org)
APIFQDN="minio-api.${FOUNDIP}.nip.io"
FQDN="minio.${FOUNDIP}.nip.io"
echo "Using API FQDN: ${APIFQDN}"
echo "Using Console FQDN: ${FQDN}"
# Minio setup
# Generated access key and secret key
ACCESS_KEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
SECRET_KEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
# Generate certificates
mkdir api
cd api
curl https://gist.githubusercontent.com/superseb/b2c1d6c9baa32609a49ee117a27bc700/raw/7cb196e974e13b213ac6ec3105971dd5e21e4c66/selfsignedcert.sh | bash -s -- $APIFQDN
cd ..
mkdir console
cd console
curl https://gist.githubusercontent.com/superseb/b2c1d6c9baa32609a49ee117a27bc700/raw/7cb196e974e13b213ac6ec3105971dd5e21e4c66/selfsignedcert.sh | bash -s -- $FQDN
cd ..
cat $PWD/api/certs/ca.pem > $PWD/public.crt
cat $PWD/console/certs/ca.pem >> $PWD/public.crt
# Run minio container
docker run -d --name=minio -e MINIO_ROOT_USER=$ACCESS_KEY -e MINIO_ROOT_PASSWORD=$SECRET_KEY -e MINIO_SERVER_URL="https://${APIFQDN}" -e MINIO_BROWSER_REDIRECT_URL="https://${FQDN}" -v $PWD/data:/data -v $PWD/public.crt:/root/.minio/certs/CAs/public.crt minio/minio server /data --console-address=:9001
# nginx
cat <<EOF > $PWD/nginx.conf
server {
listen 80;
server_name $FQDN;
return 301 https://$FQDN$request_uri;
}
server {
listen 443 ssl;
server_name $APIFQDN;
# To allow special characters in headers
ignore_invalid_headers off;
# Allow any size file to be uploaded.
# Set to a value such as 1000m; to restrict file size to a specific value
client_max_body_size 0;
# To disable buffering
proxy_buffering off;
ssl_certificate /apicerts/cert.pem;
ssl_certificate_key /apicerts/key.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
location / {
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$scheme;
proxy_set_header Host \$http_host;
proxy_connect_timeout 300;
# Default is HTTP/1, keepalive is only enabled in HTTP/1.1
proxy_http_version 1.1;
proxy_set_header Connection "";
chunked_transfer_encoding off;
proxy_pass http://minio:9000;
}
}
server {
listen 443 ssl;
server_name $FQDN;
# To allow special characters in headers
ignore_invalid_headers off;
# Allow any size file to be uploaded.
# Set to a value such as 1000m; to restrict file size to a specific value
client_max_body_size 0;
# To disable buffering
proxy_buffering off;
ssl_certificate /consolecerts/cert.pem;
ssl_certificate_key /consolecerts/key.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
location / {
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$scheme;
proxy_set_header Host \$http_host;
proxy_connect_timeout 300;
# Default is HTTP/1, keepalive is only enabled in HTTP/1.1
proxy_http_version 1.1;
proxy_set_header Connection "";
chunked_transfer_encoding off;
proxy_pass http://minio:9001;
}
}
EOF
docker run -d --name=nginx -p 80:80 -p 443:443 -v $PWD/nginx.conf:/etc/nginx/conf.d/minio.conf:ro -v $PWD/api/certs:/apicerts -v $PWD/console/certs:/consolecerts --link=minio nginx
mkdir -p $PWD/.mc/certs/CAs
cat $PWD/api/certs/ca.pem > $PWD/.mc/certs/CAs/public.crt
cat $PWD/console/certs/ca.pem >> $PWD/.mc/certs/CAs/public.crt
docker run --rm -v $PWD/.mc:/root/.mc minio/mc config host add minio https://$APIFQDN $ACCESS_KEY $SECRET_KEY
docker run --rm -v $PWD/.mc:/root/.mc minio/mc mb minio/rancherbackups
MINIO_FILE=$PWD/minio-info.txt
echo "Minio API URL: $APIFQDN" | tee -a $MINIO_FILE
echo "Minio Console URL: $FQDN" | tee -a $MINIO_FILE
echo "Minio Access Key: $ACCESS_KEY" | tee -a $MINIO_FILE
echo "Minio Secret Key: $SECRET_KEY" | tee -a $MINIO_FILE
echo "Minio created bucket: rancherbackups" | tee -a $MINIO_FILE
echo "CA certificate:" | tee -a $MINIO_FILE
cat $PWD/api/certs/ca.pem | tee -a $MINIO_FILE
echo "Using Minio mc: list files in rancherbackups" | tee -a $MINIO_FILE
echo "docker run --rm -v \$PWD/.mc:/root/.mc minio/mc ls minio/rancherbackups" | tee -a $MINIO_FILE
echo "Using Minio mc: interactive shell" | tee -a $MINIO_FILE
echo "docker run --rm -v \$PWD/.mc:/root/.mc -ti --entrypoint sh minio/mc" | tee -a $MINIO_FILE
echo "All Minio info is also stored in ${MINIO_FILE}"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment