Minio console session error when exposed on subpath #2166
Comments
|
I have the same problem Also, when logging out After the |
|
I have attempted to use Is it maybe because i have my console setup on From my What really confuses me, is that I can hit other endpoints just fine. I can get |
|
I too am not able to expose minio console on subpath using latest version and also above mentioned versions (with nginx reverse proxy in front). |
|
I'm here to explain the practices and limits I set up for success Solve the problem that the Console download Object is abnormal |
|
@j13tw Thanks for reaching out and it sounds like you confirm that there is a workaround available? I tried the following nginx configuration, which I think does what you suggest: The minio:
image: quay.io/minio/minio:latest
volumes:
- ./minio-share:/data/d1
command: server --console-address=":9001" /data/d1
environment:
- MINIO_ROOT_USER=secret
- MINIO_ROOT_PASSWORD=secret
- MINIO_DOMAIN=data.bibliometrics.lib.kth.se
- MINIO_SERVER_URL=https://data.bibliometrics.lib.kth.se
- MINIO_BROWSER_REDIRECT_URL=https://data.bibliometrics.lib.kth.se/minio-console
# - CONSOLE_SUBPATH=/minio-console
- MINIO_API_SELECT_PARQUET=on
healthcheck:
test: ["CMD", "curl", "-f", "http://minio:9000/minio/health/live"]
interval: 30s
timeout: 20s
retries: 3
restart: alwaysThe result is that when I go to the domain where the minio server is running, I get a redirect to that domain with "/minio-console/" added, which stops due to a "401" as mentioned in the original issue here, since /minio-console/api/v1/session returns a JSON respone with code 401 and message "unauthenticated for invalid credentials":
The same "401" appears when using minio/minio:RELEASE.2022-06-17T02-00-35Z. With this version (everything else being the same) the redirect when hitting the minio server URL is "doubled" and instead goes to "/minio-console/minio-console/login". When manually fixing this and requesting "/minio-console/login" instead , I can see the login screen but not login with my credentials:
I think there is a main.js javascript POST happening to /minio-console/api/v1/login and the error message is This error mentions an IP and port which I'm quite sure I haven't configured anywhere... I'm rolling back my attempt to expose minio console on a subpath using nginx reverse proxy in front, until I have a better understanding of how/if this is possible with or without a workaround. Thankful for any more details/hints for reproducible workarounds. |
If you set the api under the path Here are logs found in my ingress, as you could see there is no destination ( add this environment variables could be helpful.
|
|
This actually works already in all situations version: '3.7'
# Settings and configurations that are common for all containers
x-minio-common: &minio-common
image: quay.io/minio/minio:RELEASE.2022-08-13T21-54-44Z
command: server --console-address ":9001" http://minio{1...4}/data{1...2}
expose:
- "9000"
- "9001"
environment:
MINIO_ROOT_USER: minioadmin
MINIO_ROOT_PASSWORD: minioadmin
MINIO_BROWSER_REDIRECT_URL: http://10.0.0.185:9000/minio
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
interval: 30s
timeout: 20s
retries: 3
# starts 4 docker containers running minio server instances.
# using nginx reverse proxy, load balancing, you can access
# it through port 9000.
services:
minio1:
<<: *minio-common
hostname: minio1
volumes:
- data1-1:/data1
- data1-2:/data2
minio2:
<<: *minio-common
hostname: minio2
volumes:
- data2-1:/data1
- data2-2:/data2
minio3:
<<: *minio-common
hostname: minio3
volumes:
- data3-1:/data1
- data3-2:/data2
minio4:
<<: *minio-common
hostname: minio4
volumes:
- data4-1:/data1
- data4-2:/data2
nginx:
image: nginx:1.19.2-alpine
hostname: nginx
volumes:
- ./nginx.conf:/etc/nginx/nginx.conf:ro
ports:
- "9000:9000"
- "9001:9001"
depends_on:
- minio1
- minio2
- minio3
- minio4
## By default this config uses default local driver,
## For custom volumes replace with volume driver configuration.
volumes:
data1-1:
data1-2:
data2-1:
data2-2:
data3-1:
data3-2:
data4-1:
data4-2:So whatever is not working is perhaps generally a setup issue here. Also please use |
I'm using RELEASE.2023-04-07T05-28-58Z. |
|
Doesn't work in Kubernetes with the nginx config posted by @harshavardhana. Exposed locally as nodeport (30090 nodeport -> 8080 nginx -> 9001 console): {
"code": 401,
"detailedMessage": "Post \"http://localhost:30090/\": dial tcp 127.0.0.1:30090: connect: connection refused",
"message": "invalid Login"
}Exposed via nginx-ingress on customer's cluster (custom PKI): {
"code": 401,
"detailedMessage": "Post \"https://minio.customer.com/\": x509: certificate signed by unknown authority",
"message": "invalid Login"
}I need a option to tell the console where the minio instance is reachable (in this case simply Update Fixed by not setting |
|
@peterhirn the referenced documentation is for Linux, where hosts would typically have some sort of externally-accessible FQDN. You are on K8s, so there are an entirely different set of expectations around FQDN of pods/services. We do not at this time intend to write detailed documentation on nginx reverse proxies in K8s. That's two steps removed from MinIO, and we don't have the resources to test/validate it against the myriad of possible K8s + DNS configurations out there. We're discussing adding something of a disclaimer at the top guiding users to look at that reference as a baseline that may/will require modification, vs something guaranteed to work in a broad sense. |
|
@peterhirn Thanks a lot for the hint about MINIO_SERVER_URL. It ended a long hour of uncertainty and frustration for me. I was setting up a MinIO server behind Caddy as a reverse proxy. Everything looked fine, but the login failed, as described above. I did set MINIO_SERVER_URL because it was recommended by the documentation and it made sense, but that was the issue. I removed it, and now everything works fine. @ravindk89 I have full understanding that the documentation cannot cover all cases, but currently it says that MINIO_SERVER_URL maybe necessary if "The Console must use a specific hostname to connect or reference the MinIO Server, e.g. due to a reverse proxy or similar configuration.". This sounded like my case, and MINIO_SERVER_URL is mentioned in many examples online, so I set it, but it broke my setup. The troubleshooting is very hard then. Maybe the documentation could be more specific, or at least mention that this variable should not be set unless some specific problems occur. |
That's actually how we got to where we are now. Without that guidance, we had users who were frequently running into issues with the Console failing to load or redirecting incorrectly when reverse proxies were configured. It would be easier if the errors were always the same for a given set of inputs, but that hasn't been my/our experience. It varies depending on MinIO version, K8s setup, nginx setup, and whether or not you're using Operators/custom charts/official charts/hand-written YAML. I actually think this behavior overall might improve in newer versions of MinIO, as we are refining how the Console and Server talk to each other. I have to check how necessary this is now. |
@harshavardhana Thank you so much for your complete answer. Just a quick update: |
Unable to expose the console on an nginx reverse proxy subpath using minio/minio:RELEASE.2022-07-08T00-05-23Z.
Getting a 401 response on
http://localhost/console/api/v1/sessionwhile everything else appears to load up fine:{"code":401,"message":"unauthenticated for invalid credentials"}The text was updated successfully, but these errors were encountered: