Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix Subpath behavior #2818

Merged
merged 4 commits into from
May 22, 2023
Merged

Fix Subpath behavior #2818

merged 4 commits into from
May 22, 2023

Conversation

dvaldivia
Copy link
Collaborator

Fixes subpath behavior for Console

How to Test this PR

Vanilla nginx

Assuming we are exposing the console under http://localhost:8000/console/subpath/

  1. Make assets via make assets and build MinIO with this branch of console
  2. Start MinIO for a given Subpath
CI=true;MINIO_BROWSER_REDIRECT_URL=http://localhost:8000/console/subpath/;MINIO_SERVER_URL=http://localhost:9000 minio --console-address ":9090"
  1. Start nginx with the following configuraiton
events { worker_connections 1024; }

http {

server {
    listen 8000;

    location /console/subpath/ {
        rewrite   ^/console/subpath/(.*) /$1 break;
        proxy_pass http://localhost:9090;
        
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        
        # This allows WebSocket connections
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

}

with the command

nginx -c /PATH/TO/nginx.conf -g "daemon off;"
  1. Visit http://localhost:8000/console/subpath/ on a browser
Screenshot 2023-05-17 at 12 10 45 PM

In Kubernetes with nginx ingress

  1. Create a Tenant with the the address for console under a subpath:
  features:
    domains:
      console: https://ns-1.minio-x1/console/subpath/
      minio:
        - https://ns-1.minio-x1

Full Tenant Example:

apiVersion: minio.min.io/v2
kind: Tenant
metadata:
  name: subpath-tenant
  namespace: ns-1
spec:
  configuration:
    name: subpath-tenant-env-configuration
  credsSecret:
    name: subpath-tenant-secret
  exposeServices:
    console: true
    minio: true
  features:
    domains:
      console: https://ns-1.minio-x1/console/subpath/
      minio:
        - https://ns-1.minio-x1
  image: miniodev/minio:subpath
  imagePullSecret: { }
  mountPath: /export
  pools:
    - affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                  - key: v1.min.io/tenant
                    operator: In
                    values:
                      - subpath-tenant
                  - key: v1.min.io/pool
                    operator: In
                    values:
                      - pool-0
              topologyKey: kubernetes.io/hostname
      name: pool-0
      resources: { }
      runtimeClassName: ""
      servers: 4
      volumeClaimTemplate:
        metadata:
          name: data
        spec:
          accessModes:
            - ReadWriteOnce
          resources:
            requests:
              storage: "68719476736"
          storageClassName: standard
      volumesPerServer: 4
  requestAutoCert: true
  users:
    - name: subpath-tenant-user-0
Screenshot 2023-05-17 at 12 13 23 PM
  1. Create an ingress controller with the subpath
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ns-1-ingress
  namespace: ns-1
  labels:
    app: console
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/rewrite-target: /$1
    nginx.ingress.kubernetes.io/proxy-body-size: 5120g
spec:
  rules:
    - host: ns-1.minio-x1
      http:
        paths:
          - pathType: Prefix
            path: "/console/subpath/(.*)"
            backend:
              service:
                name: subpath-tenant-console
                port:
                  number: 9443
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: minio
                port:
                  number: 443
  1. visit https://ns-1.minio-x1/console/subpath/
Screenshot 2023-05-17 at 12 14 58 PM

In all cases:

  • Assets will load
  • API calls will work
  • Websockets will work

Fixes #1908
Fixes #2045
Fixes #2149
Fixes #2188
Fixes #2483
Fixes #2766
Fixes #2774
Fixes #2775

Signed-off-by: Daniel Valdivia <[email protected]>
@allanrogerr
Copy link
Contributor

Vanilla nginx
Im facing this open build/index.html: file does not exist. Any tips?

Copy link
Collaborator

@bexsoft bexsoft left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is an issue while trying to create a bucket. API returns 404 while fetching API.
Tested with provided steps
Screenshot 2023-05-18 at 11 58 16
Screenshot 2023-05-18 at 11 58 10
Screenshot 2023-05-18 at 11 56 40
Screenshot 2023-05-18 at 11 54 46

Copy link
Collaborator

@bexsoft bexsoft left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, Issue is related to a misconfiguration in nginx, fixed and it worked.

@dvaldivia dvaldivia merged commit 920fc7d into minio:master May 22, 2023
@dvaldivia dvaldivia deleted the fix-subpath branch May 22, 2023 19:31
@polaris-phecda
Copy link

@dvaldivia I observe that your modification depends on the rewrite configuration of Nginx. Is subpath configuration supported when I directly access the console?

@cesnietor
Copy link
Collaborator

cesnietor commented Jun 7, 2023

Just posterity, the way the env are set didn't work so I had to do it like:

CI=true MINIO_BROWSER_REDIRECT_URL=http://localhost:8000/console/subpath/ MINIO_SERVER_URL=http://localhost:9000 ./minio server --console-address ":9090" ~/Data

Note that there are no ;
Same nginx config shared above worked.

@septatrix
Copy link

septatrix commented Jul 2, 2023

This still feels very fragile or at least poorly documented. I played around with different combinations of slashes for MINIO_SERVER_URL, MINIO_BROWSER_REDIRECT_URL, nginx location and nginx proxy_pass until I finally got it working.
I just used the sample config from the docs Configure NGINX Proxy for MinIO Server which did not work. Not sure if this PR tried to resolve that and failed or if the documentation simply needs to be updated but the current config as documented does not work for me. Furthermore, the documentation does not mention MINIO_BROWSER_REDIRECT_URL and MINIO_SERVER_URL which might also have been a cause for the problems on my side as I had no clue whether or not they require a trailing slash.

Should I open a new issue for that and if yes, is this a problem of the console which can be made more robust (e.g. I think :9001//api/v1/login were not handled) or an issue with the documentation (which should be adjusted such that path like the double-slash should never need to be handled by the console)?


PS: May final configuration is as follows
server {
    ...
    location /console/ {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-NginX-Proxy true;

        # This is necessary to pass the correct IP to be hashed
        real_ip_header X-Real-IP;

        proxy_connect_timeout 300;

        # To support websockets in MinIO versions released after January 2023
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        chunked_transfer_encoding off;

        proxy_pass http://127.0.0.1:7001/;
    }
}
services:
  minio:
    image: quay.io/minio/minio:RELEASE.2023-06-29T05-12-28Z
    command: server --address ":7000" --console-address ":7001" /data
    ports:
      - "127.0.0.1:7000:7000"
      - "127.0.0.1:7001:7001"
    environment:
      MINIO_ROOT_USER: minioadmin
      MINIO_ROOT_PASSWORD: ${MINIO_ROOT_PASSWORD}
      MINIO_SERVER_URL: https://s3.example.com/
      MINIO_BROWSER_REDIRECT_URL: https://s3.example.com/console/
    ...

@ravindk89
Copy link
Contributor

ravindk89 commented Jul 5, 2023

minio/docs#865

We have an issue to document the updates to subpath behavior, but that is somewhat distinct from using either of those envvars - which last I checked, were mostly necessary for ensuring the Console can correctly connect to the MinIO Server over specific hostnames.

@ravindk89
Copy link
Contributor

To put a finer point on it - this is fragile/poorly documented, primarily because NGINX is not our product. We do need to make improvements and further clarify where to use the envvars in question, but we also cannot promise that our boilerplate NGINX configuration will work in all possible scenarios. We have to assume the implementer has access to NGINX expertise to figure out the gaps.

@nmattia
Copy link

nmattia commented Dec 26, 2024

looks like the parsing/checking of URL is a bit too strict. When setting the server URL to a local alias (without "subdomain"), I get the following:

FATAL Invalid MINIO_SERVER_URL value is environment variable: URL contains unexpected resources, expected URL to be of http(s)://minio.example.com format: http://home.local/s3/

@ramondeklein
Copy link
Collaborator

ramondeklein commented Dec 29, 2024

@nmattia The reason this fails is that MINIO_SERVER_URL has to have the following characteristics:

  • Scheme should be http or https.
  • Path should be empty (this implies that the server cannot run on a sub-path).
  • Query and fragment should be empty.

You try to run the server on a sub-path and that's not supported. See code here: https://github.com/minio/minio/blob/master/cmd/common-main.go#L737

This PR was about running the console on a sub-path.

@minio minio locked as resolved and limited conversation to collaborators Dec 30, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
10 participants