nabbisen
Posted on January 12, 2023
Intro
MinIO is an object storage suite.
It is compatible with AWS S3 and is open source, written in Go (golang).
OpenBSD offers it as a Ports package, so installing it takes only a few minutes.
By default, however, the daemon listens on external interfaces directly.
This post shows how to configure it to block connections from the WAN (Wide Area Network).
This is handled with the --address option.
At the same time, we let relayd act as a proxy.
Environment
- OS: OpenBSD 7.2
- Web proxy: relayd
- Object Storage: MinIO 0.20220826
Body
minio server default settings
First, check /etc/rc.d/minio, the daemon script for rc.d. It starts with:
#!/bin/ksh
daemon="/usr/local/bin/minio server"
daemon_flags="/var/minio/export"
daemon_user="_minio"
(...)
Next, read the help of minio server:
$ minio server --help
It starts with:
NAME:
minio server - start object storage server
USAGE:
minio server [FLAGS] DIR1 [DIR2..]
minio server [FLAGS] DIR{1...64}
minio server [FLAGS] DIR{1...64} DIR{65...128}
(...)
And you will find the following in it:
FLAGS:
--address value bind to a specific ADDRESS:PORT, ADDRESS can be an IP or hostname (default: ":9000") [$MINIO_ADDRESS]
The --address option is the key.
Introduce the --address option
We have to override daemon_flags in /etc/rc.d/minio in order to pass the --address option.
You have two options.
Option 1: Use /etc/rc.conf.local (recommended)
Edit /etc/rc.conf.local to append:
+ minio_flags="--address 127.0.0.1:9000 /var/minio/export"
Note that this file is not created at OS installation, so you may have to create it.
It overrides this part of the daemon script:
daemon_flags="/var/minio/export"
Option 2: Overwrite the daemon script directly
You can also modify /etc/rc.d/minio directly. It may work.
Remember, however, that the change is ephemeral.
Verify the addresses minio listens on
Now the address minio listens on, ":9000" by default, has been replaced with "127.0.0.1:9000".
Let's verify it.
$ curl -I 127.0.0.1:9000
The output was:
HTTP/1.1 400 Bad Request
Accept-Ranges: bytes
Content-Length: 261
Content-Type: application/xml
Server: MinIO
Vary: Origin
Date: Wed, 11 Jan 2023 12:30:49 GMT
Accepted.
How about requests from outside?
$ curl -I <minio-ip>:9000
The output was:
curl: (56) Recv failure: Connection reset by peer
Blocked. OK.
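The two curl probes above test one client address each. As an added example (not from the original post), the following POSIX sh snippet checks the bind addresses directly: it parses lines in the column layout of OpenBSD's `netstat -an -f inet` and reports every TCP LISTEN socket bound to a non-loopback address, which is exactly the set of services the WAN can reach without going through relayd. The sample lines are constructed, not captured from a real host; on the server itself you would pipe the real netstat output into wan_listeners or loopback_only 9000.

```shell
#!/bin/sh
# Added example (not from the original post): find TCP listeners reachable
# from outside the host, using the column layout of OpenBSD's
# `netstat -an -f inet` (Proto Recv-Q Send-Q Local-Address Foreign-Address State).
# Local addresses are written as host.port, with "*" as the wildcard host.

# Constructed sample output, not captured from a real host: minio bound to
# loopback only, relayd on all addresses, sshd on one external address.
SAMPLE_NETSTAT='tcp          0      0  127.0.0.1.9000         *.*                    LISTEN
tcp          0      0  *.443                  *.*                    LISTEN
tcp          0      0  192.0.2.10.22          *.*                    LISTEN
udp          0      0  *.514                  *.*'

# Read netstat lines on stdin; print the local address of every TCP socket in
# LISTEN state whose host part is not loopback (127.0.0.0/8), i.e. every
# service that the WAN can reach directly.
wan_listeners() {
    awk '$1 == "tcp" && $NF == "LISTEN" {
        addr = $4
        host = addr
        sub(/\.[^.]+$/, "", host)        # strip the trailing ".port"
        if (host !~ /^127\./) print addr
    }'
}

# Read netstat lines on stdin; exit 0 if no non-loopback listener uses the
# given port, 1 otherwise. Usage: netstat -an -f inet | loopback_only 9000
loopback_only() {
    wan_listeners | awk -v p="$1" '
        BEGIN { exposed = 0 }
        { n = split($0, a, "."); if (a[n] == p) exposed = 1 }
        END { exit exposed }'
}

# Stand-alone run against the constructed sample: the first check passes
# (minio is loopback-only), the second reports relayd, which must stay reachable.
printf '%s\n' "$SAMPLE_NETSTAT" | loopback_only 9000 && echo "minio :9000 is loopback-only"
printf '%s\n' "$SAMPLE_NETSTAT" | loopback_only 443 || echo "port 443 is reachable from outside (expected for relayd)"
```

The check is deliberately on the listening socket rather than on an HTTP response: a 400 from curl proves the port answered, but only the bind address proves that no other interface answers too.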
Introduce relayd
Now it is the turn of /etc/relayd.conf.
Create it if necessary, and write the following in it:
log connection errors

table <minio_host> { "127.0.0.1" }
minio_fqdn = "<your-fqdn>"
minio_port = "9000"

http protocol "https-filter" {
    block
    pass request header "Host" value $minio_fqdn \
        forward to <minio_host>
    tls keypair $minio_fqdn

    # for minio: extend http headerlen (default = 8192)
    http headerlen 24576

    # performance enhancement
    tcp { nodelay, sack, backlog 128 }

    match header set "X-Client-IP" \
        value "$REMOTE_ADDR:$REMOTE_PORT"
    match header set "X-Forwarded-For" \
        value "$REMOTE_ADDR"
    match header set "X-Forwarded-By" \
        value "$SERVER_ADDR:$SERVER_PORT"
}

relay "https" {
    listen on egress port https tls
    # for minio: extend session timeout (default = 600)
    session timeout 1800
    protocol "https-filter"
    forward to <minio_host> port $minio_port check tcp
}
For TLS connections, generate a keypair for <your-fqdn>.
The values of <your-country-code> / <your-state> / <your-organization> below are up to you:
$ cd /etc/ssl
$ export MYDOMAIN="<your-fqdn>"
$ export CERT_SUBJ="/C=<your-country-code (2 digits)>/ST=<your-state>/L=/O=<your-organization>/OU=/CN=$MYDOMAIN"
$ doas openssl req -newkey rsa:2048 -new -nodes -x509 -days 36500 \
    -keyout private/$MYDOMAIN.key -out $MYDOMAIN.crt -subj "$CERT_SUBJ"; \
  doas chmod 400 private/$MYDOMAIN.key
Be careful that the name of the cert file must end with .crt for relayd.
This is a self-signed certificate. Alternatively, you can use Let's Encrypt etc.
Activate the daemon and start it:
$ doas rcctl enable relayd
relayd(ok)
$ doas rcctl start relayd
relayd(ok)
MinIO supports TLS
For TLS alone, you don't necessarily need relayd, because MinIO itself supports Network Encryption (TLS).
Outro
Now your MinIO listens only on the local address, and relayd stands between MinIO and the external network.
[ (external) ] <--> [ (local) relayd <--> minio ]