MinIO on OpenBSD 7.2: Configure network

nabbisen - Jan 12 '23 - Dev Community

Intro

MinIO is an object storage suite.
It is compatible with AWS S3 and is open source, written in Go (golang).

OpenBSD offers it as a package from Ports, so installing it takes only a few minutes.

By default, however, the daemon listens on all interfaces and is reachable from outside directly.
This post shows how to configure it to block connections from the WAN (Wide Area Network).
This is handled with the --address option.
At the same time, relayd is set up to act as a proxy in front of it.

Environment

  • OS: OpenBSD 7.2
  • Web proxy: relayd
  • Object Storage: MinIO 0.20220826

Body

minio server default settings

First, check /etc/rc.d/minio, the daemon script of rc.d. It starts with:

#!/bin/ksh

daemon="/usr/local/bin/minio server"
daemon_flags="/var/minio/export"
daemon_user="_minio"
(...)

Next, read the help of minio server:

$ minio server --help

It starts with:

NAME:
  minio server - start object storage server

USAGE:
  minio server [FLAGS] DIR1 [DIR2..]
  minio server [FLAGS] DIR{1...64}
  minio server [FLAGS] DIR{1...64} DIR{65...128}
(...)

And you will find the below in it:

FLAGS:
  --address value              bind to a specific ADDRESS:PORT, ADDRESS can be an IP or hostname (default: ":9000") [$MINIO_ADDRESS]

The --address option is the key.

Introduce --address option

We have to override daemon_flags in /etc/rc.d/minio in order to introduce the --address option.
There are two ways to do so.

Option 1: Use /etc/rc.conf.local (recommended)

Edit /etc/rc.conf.local to append:

+ minio_flags="--address 127.0.0.1:9000 /var/minio/export"

Note that the file does not exist after a fresh OS installation, so you may have to create it.

It overrides this part of the daemon script:

daemon_flags="/var/minio/export"
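As an added example that is not part of the original post, here is a small shell helper for Option 1. Appending with `echo >> /etc/rc.conf.local` goes wrong when you run it a second time (two `minio_flags=` lines, and rc.d only honours one), so the helper replaces an existing assignment instead of duplicating it, and creates the file when it is missing. The scratch file and the `get_rc_var` reader are assumptions of this example, not part of OpenBSD's rc tooling.

```shell
#!/bin/sh
# Added example, not part of the original post: set a variable in an
# rc.conf.local-style file idempotently. Running it twice must not leave
# duplicate lines, and an existing assignment is replaced, which is the
# edge case a plain "echo >> /etc/rc.conf.local" gets wrong on re-runs.
# Usage: set_rc_var FILE NAME VALUE
set_rc_var() {
    file=$1; name=$2; value=$3
    tmp="${file}.tmp.$$"
    # /etc/rc.conf.local is absent on a fresh install: create it
    [ -f "$file" ] || : > "$file"
    # drop any earlier assignment of NAME (grep -v exits 1 when nothing is
    # left, which is fine here), then append the new one
    grep -v "^${name}=" "$file" > "$tmp" || :
    printf '%s="%s"\n' "$name" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# Print the value assigned to NAME in FILE, without the surrounding quotes.
# Usage: get_rc_var FILE NAME
get_rc_var() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$1"
}

# Demonstration on a scratch file; on a real host FILE is /etc/rc.conf.local
# and "doas rcctl restart minio" applies the new flags.
scratch=$(mktemp)
set_rc_var "$scratch" minio_flags "--address 127.0.0.1:9000 /var/minio/export"
set_rc_var "$scratch" minio_flags "--address 127.0.0.1:9000 /var/minio/export"  # no-op
cat "$scratch"        # exactly one minio_flags line
rm -f "$scratch"
```

After editing the real file, `rcctl get minio flags` shows what rc.d will actually pass to the daemon, which is a quicker check than reading the file.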

Option 2: Overwrite the daemon script directly

You can also modify /etc/rc.d/minio directly. It works.
Remember, however, that the change is ephemeral: the script belongs to the minio package and is replaced when the package is updated.

Verify addresses minio listens to

Now the address minio listens to, which is ":9000" by default, is replaced with "127.0.0.1:9000".
Let's verify it.

$ curl -I 127.0.0.1:9000

The output was:

HTTP/1.1 400 Bad Request
Accept-Ranges: bytes
Content-Length: 261
Content-Type: application/xml
Server: MinIO
Vary: Origin
Date: Wed, 11 Jan 2023 12:30:49 GMT

Accepted.

How about requests from outside?

$ curl -I <minio-ip>:9000

The output was:

curl: (56) Recv failure: Connection reset by peer

Blocked. OK.
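The two curl calls above answer the question from the client side. As an added example that is not part of the original post, the following shell snippet answers it from the server side, from netstat output: which address is port 9000 actually bound to? The netstat lines embedded below are constructed for the demonstration; on OpenBSD the real input is `netstat -an -f inet | listeners_on 9000`. The parser also accepts the Linux column format, which goes beyond what the post needs.

```shell
#!/bin/sh
# Added example, not part of the original post: report the bind address of
# every TCP listener on a given port from netstat-style output, and test
# whether all of them are loopback. On OpenBSD the real input is
#   netstat -an -f inet | listeners_on 9000
# The parser accepts both the OpenBSD form of the local address column
# (127.0.0.1.9000, *.9000) and the Linux form (127.0.0.1:9000, 0.0.0.0:9000).

# Print the bind address of each LISTEN socket on PORT, one per line.
listeners_on() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            addr = $4
            # the port is the digit run after the last "." or ":"
            if (match(addr, /[.:][0-9]+$/) == 0) next
            if (substr(addr, RSTART + 1) != port) next
            print substr(addr, 1, RSTART - 1)
        }'
}

# Succeed (exit 0) only if PORT has at least one listener and none of
# them is bound to anything other than 127.0.0.1 or ::1.
loopback_only() {
    listeners_on "$1" | awk '
        { seen = 1 }
        $0 != "127.0.0.1" && $0 != "::1" { exposed = 1 }
        END { exit ((seen && !exposed) ? 0 : 1) }'
}

# Constructed sample output in OpenBSD netstat(1) layout: the default
# ":9000" bind (wildcard) versus the "127.0.0.1:9000" bind from this post.
SAMPLE_DEFAULT='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  *.9000                 *.*                    LISTEN
tcp          0      0  *.22                   *.*                    LISTEN'

SAMPLE_LOCAL='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  127.0.0.1.9000         *.*                    LISTEN
tcp          0      0  127.0.0.1.9000         127.0.0.1.41732        ESTABLISHED
tcp          0      0  *.443                  *.*                    LISTEN
tcp          0      0  *.22                   *.*                    LISTEN'

printf '%s\n' "$SAMPLE_DEFAULT" | listeners_on 9000   # prints: *
printf '%s\n' "$SAMPLE_LOCAL"   | listeners_on 9000   # prints: 127.0.0.1
printf '%s\n' "$SAMPLE_LOCAL"   | loopback_only 9000 && echo "9000: loopback only" || echo "9000: exposed"
```

A `*` (or `0.0.0.0`) in the output means the default wildcard bind is still in effect, typically because the daemon was not restarted after the flags changed. The ESTABLISHED line in the sample is there to show that only listening sockets are counted.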

Introduce relayd

Now it's the turn of /etc/relayd.conf.
Create it if necessary, and write the below in it:

log connection errors

table <minio_host> { "127.0.0.1" }

minio_fqdn = "<your-fqdn>"
minio_port = "9000"

http protocol "https-filter" {
        block

        pass request header "Host" value $minio_fqdn \
               forward to <minio_host>
        tls keypair $minio_fqdn

        # for minio: extend http headerlen (default = 8192)
        http headerlen 24576

        # performance enhancement
        tcp { nodelay, sack, backlog 128 }

        match header set "X-Client-IP" \
                value "$REMOTE_ADDR:$REMOTE_PORT"
        match header set "X-Forwarded-For" \
                value "$REMOTE_ADDR"
        match header set "X-Forwarded-By" \
                value "$SERVER_ADDR:$SERVER_PORT"
}

relay "https" {
        listen on egress port https tls

        # for minio: extend session timeout (default = 600)
        session timeout 1800

        protocol "https-filter"
        forward to <minio_host> port $minio_port check tcp
}

For the TLS connection, generate a keypair for <your-fqdn>.
The values of <your-country-code> / <your-state> / <your-organization> below are up to you:

$ cd /etc/ssl

$ export MYDOMAIN="<your-fqdn>"
$ export CERT_SUBJ="/C=<your-country-code (2 digits)>/ST=<your-state>/L=/O=<your-organization>/OU=/CN=$MYDOMAIN"
$ doas openssl req -newkey rsa:2048 -new -nodes -x509 -days 36500 \
      -keyout private/$MYDOMAIN.key -out $MYDOMAIN.crt -subj "$CERT_SUBJ"; \
  doas chmod 400 private/$MYDOMAIN.key

Be careful that the certificate file name must end with .crt for relayd.

This is a self-signed certificate. Alternatively, you can use Let's Encrypt etc.
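As an added example that is not part of the original post, the following shell function checks a keypair against the points that matter for relayd's `tls keypair` line: the `.crt` suffix mentioned above, owner-only permissions on the key (the `chmod 400` in the command above), a CN equal to the FQDN relayd will match on, and that the private key actually belongs to the certificate. It assumes openssl(1) is on the path; the file paths and FQDN are arguments, and the `.example.test` names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check a keypair
# before pointing relayd's "tls keypair" at it. Checks, in order:
#   1. the certificate file name ends in .crt (relayd looks for NAME.crt)
#   2. the private key is readable only by its owner (mode 0400)
#   3. the certificate's CN is the FQDN relayd will serve
#   4. the public key in the certificate matches the private key
# Usage: check_relayd_keypair /etc/ssl/FQDN.crt /etc/ssl/private/FQDN.key FQDN
# Returns 0 when all four checks pass; each failure prints a reason.
check_relayd_keypair() {
    crt=$1; key=$2; fqdn=$3; rc=0

    case "$crt" in
        *.crt) ;;
        *) echo "certificate must end in .crt: $crt"; rc=1 ;;
    esac

    # find -perm with an exact octal mode is POSIX; stat(1) flags differ
    # between BSD and GNU. -prune keeps find from descending if KEY is a dir.
    if [ -z "$(find "$key" -prune -perm 0400 2>/dev/null)" ]; then
        echo "private key should be mode 0400: $key"; rc=1
    fi

    # RFC2253 output is "subject=CN=...,O=...", independent of the OpenSSL
    # or LibreSSL version's default name formatting
    cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$crt" 2>/dev/null |
         sed -n 's/.*CN=\([^,]*\).*/\1/p')
    if [ "$cn" != "$fqdn" ]; then
        echo "certificate CN '$cn' does not match '$fqdn'"; rc=1
    fi

    # compare the SubjectPublicKeyInfo derived from each file
    crt_pub=$(openssl x509 -noout -pubkey -in "$crt" 2>/dev/null || true)
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null || true)
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "certificate and private key do not match"; rc=1
    fi

    return $rc
}

# Example invocation for the layout used in this post (placeholder FQDN):
#   check_relayd_keypair /etc/ssl/minio.example.test.crt \
#       /etc/ssl/private/minio.example.test.key minio.example.test
```

Run it as root, or as a user that can read /etc/ssl/private, since check 4 needs the key. A CN mismatch is the most common reason the `pass request header "Host" value $minio_fqdn` rule above serves a certificate that clients reject.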

Enable the daemon and start it:

$ doas rcctl enable relayd
relayd(ok)

$ doas rcctl start relayd
relayd(ok)

MinIO supports TLS

If TLS is the only goal, you don't necessarily need relayd, because MinIO itself supports Network Encryption (TLS).

Outro

Now your MinIO listens only on the local address, and relayd stands between MinIO and the external network.

[ (external) ] <--> [ (local) relayd <--> minio ]