Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

401 invalid Login (docker compose, nginx proxy) #3410

Closed
klemenkobetic opened this issue Jul 14, 2024 · 5 comments
Closed

401 invalid Login (docker compose, nginx proxy) #3410

klemenkobetic opened this issue Jul 14, 2024 · 5 comments
Labels
community configuration issue

Comments

@klemenkobetic
Copy link

NOTE

Please subscribe to our paid subscription plans for 24x7 support from our Engineering team.

Expected Behavior

Should be able to login to minio web console

Current Behavior

Console opens but I get invalid login 401

Your Environment

  • MinIO version used (minio --version):
  • Server setup and configuration:
  • Operating System and version (uname -a):
  s3minio_new1:
    image: docker.io/minio/minio:RELEASE.2024-06-26T01-06-18Z.fips
    container_name: s3minio_new1
    hostname: s3minio_new1
    restart: unless-stopped
    volumes:
      - volume_s3minio_new1:/data
    ports:
      - 9000:9000
      - "192.168.200.1:10006:9001"
    networks:
      nextcloud:
        ipv4_address: 10.89.0.6
    environment:
      MINIO_ROOT_USER: s3minio_new1_user
      MINIO_ROOT_PASSWORD: xxyyzzz
      MINIO_SERVER_URL: "http://minio.domain.com"
      MINIO_BROWSER_REDIRECT_URL: "http://minio.domain.com/minio/ui"
    command: server /data --console-address ":9001"

server {
    listen 80;
    server_name minio.domain.com;

    location ~ /.well-known/acme-challenge/ { root /var/www/letsencrypt; }

    location /minio/ui/ {
      rewrite ^/minio/ui/(.*) /$1 break;
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-NginX-Proxy true;

      # This is necessary to pass the correct IP to be hashed
      real_ip_header X-Real-IP;

      proxy_connect_timeout 300;

      # To support websocket
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";

      chunked_transfer_encoding off;
      proxy_pass http://192.168.200.1:10005;
    }
}

Console opens no errors in F12. I get red invalid login banner and I see 401 in the F12. Username and password are copy/pasted from 'mc config host add' command where I can successfully add the host.

Don't know what else to try.

Note: yes, https is better, safer, trying to narrow down the issue as much as possible.
@prakashsvmx
Copy link
Member

Please refer to the official docker compose example. This looks TLS/Proxy config may be incorrect.

Please check mc admin trace -v -a ALIAS

https://github.com/minio/minio/tree/master/docs/orchestration/docker-compose

@klemenkobetic
Copy link
Author

klemenkobetic commented Jul 14, 2024
edited
Loading

Hi,

thank you for your answer.

I removed all of the environment variables and default settings actually works.

Now I added :

    environment:
      MINIO_ROOT_USER: s3minio_new1_user
      MINIO_ROOT_PASSWORD: xxyyyzzz
      MINIO_SERVER_URL: "https://minio.domain.com"
      MINIO_BROWSER_REDIRECT_URL: "https://minio.domain.com/minio/ui"

server {
    listen 443 ssl http2;
    server_name minio.domain.com;

    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;

    ssl_certificate     /etc/letsencrypt/live/minio.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/minio.domain.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/minio.domain.com/chain.pem;

    location /minio/ui/ {
      rewrite ^/minio/ui/(.*) /$1 break;
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-NginX-Proxy true;

      # This is necessary to pass the correct IP to be hashed
      real_ip_header X-Real-IP;

      proxy_connect_timeout 300;

      # To support websocket
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";

      chunked_transfer_encoding off;
      proxy_pass http://192.168.200.1:10006;
    }
}

And again back to 401

@harshavardhana
Copy link
Member

environment:
MINIO_ROOT_USER: s3minio_new1_user
MINIO_ROOT_PASSWORD: xxyyyzzz
MINIO_SERVER_URL: "https://minio.domain.com"
MINIO_BROWSER_REDIRECT_URL: "https://minio.domain.com/minio/ui"

yeah it means that minio.domain.com first must be resolvable from outside world to inside the container.

  MINIO_SERVER_URL: "https://minio.domain.com"

This ENV is not useful anymore.

  MINIO_BROWSER_REDIRECT_URL: "https://minio.domain.com/minio/ui"

This domain must be resolvable from outside world inside the container

@klemenkobetic
Copy link
Author

klemenkobetic commented Jul 14, 2024
edited
Loading

Removed the MINIO_BROWSER_REDIRECT_URL, domain is resolvable from the outside world. Using letsencrypt certificate. Still, 401.

Also tried

server {
    listen 80;
    server_name minio.domain.com;

    location ~ /.well-known/acme-challenge/ { root /var/www/letsencrypt; }

    location / {
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-NginX-Proxy true;

      # This is necessary to pass the correct IP to be hashed
      real_ip_header X-Real-IP;

      proxy_connect_timeout 300;

      # To support websocket
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";

      chunked_transfer_encoding off;
      proxy_pass http://192.168.200.1:10005;
    }
}

Same 401.

@klemenkobetic
Copy link
Author

Managed to get it working.

MINIO_BROWSER_REDIRECT_URL: "https://minio.domain.com/minio/ui"

    location /minio/ui/ {
      rewrite ^/minio/ui/(.*) /$1 break;

One question though ; should this work as well?

MINIO_BROWSER_REDIRECT_URL: "https://minio.domain.com/minio_new/ui"

    location /minio_new/ui/ {
      rewrite ^/minio_new/ui/(.*) /$1 break;

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
community configuration issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@harshavardhana @klemenkobetic @prakashsvmx