Minio and Traefik

Hi,
I am trying to run a minio service through traefik. I did not encounter any issue in running it properly locally, but I can't do it on a remote server. I am using a configuration to generate TLS. The classical whoami works fine, but when I try to access minio-console, I get a "You need to enable JavaScript to run this app." answer to my request. So, it shouldn't be a big deal but I do not understand the problem. Here is my docker-compose and my traefik static and dynamic confs:

version: '3.8'

services:
  reverse-proxy:
    image: traefik:v2.10
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    ports:
      # Web
      - 80:80
      - 8080:8080
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik/config/static.yml:/etc/traefik/traefik.yml:ro
      - ./traefik/config/dynamic.yml:/etc/traefik/dynamic.yml:ro
      - ./certs:/etc/certs:ro
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.api.service=api@internal
      - traefik.http.routers.dashboard.rule=Host(`ajmr.mobiliscope.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
  minio:
    image: docker.io/bitnami/minio:2022
    container_name: minio
    environment:
        - MINIO_ROOT_USER=mathieu
        - MINIO_ROOT_PASSWORD=mathieu-password
        - MINIO_BROWSER_REDIRECT_URL=http://ajmr.mobiliscope.com/minioconsole
    volumes:
      - minio_data:/data
    labels:
      - traefik.enable=true
      - traefik.docker.network=proxy

      - traefik.http.routers.minio.service=minio
      - traefik.http.routers.minio.rule=Host(`ajmr.mobiliscope.com`) && Path(`/minio`)
      - traefik.http.routers.minio.tls=true
      - traefik.http.services.minio.loadbalancer.server.port=9000

      - traefik.http.routers.minioconsole.service=minioconsole
      - traefik.http.routers.minioconsole.rule=Host(`ajmr.mobiliscope.com`) && Path(`/minioconsole`)
      - traefik.http.routers.minioconsole.tls=true
      - traefik.http.services.minioconsole.loadbalancer.server.port=9001
    networks:
      - proxy
volumes:
  minio_data:
networks:
  proxy:
    external: true

global:
  sendAnonymousUsage: false

api:
  dashboard: true
  insecure: true

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    watch: true
    exposedByDefault: true

  file:
    filename: /etc/traefik/dynamic.yml
    watch: true

log:
  level: INFO
  format: common

entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"

http:
  routers:
    traefik:
      rule: "Host(`ajmr.mobiliscope.com`)"
      service: "api@internal"
      tls:
        domains:
          - main: "ajmr.mobiliscope.com"
            sans:
              - "*.ajmr.mobiliscope.com"
          - main: "domain.local"
            sans:
              - "*.domain.local"
tls:
  certificates:
    - certFile: "/etc/certs/local-cert.pem"
      keyFile: "/etc/certs/local-key.pem"

Normally you would probably use PathPrefix instead of Path. It seems you try to force minio to some paths, but I don't think that works.

We use sub-domains instead:

    labels:
      - traefik.enable=true
      - traefik.http.routers.myminio.entrypoints=websecure
      - traefik.http.routers.myminio.rule=Host(`minio.example.com`)
      - traefik.http.routers.myminio.service=myminio
      - traefik.http.services.myminio.loadbalancer.server.port=9000

      - traefik.http.routers.myminioadmin.entrypoints=websecure
      - traefik.http.routers.myminioadmin.rule=Host(`minioadmin.example.com`)
      - traefik.http.routers.myminioadmin.service=myminioadmin
      - traefik.http.services.myminioadmin.loadbalancer.server.port=9001

PS: we enable TLS globally on entrypoint

Thanks for your help. I made these modifications except the TLS one. How do you define the "TLS globally on entrypoint"? Note that, at this point, it did not fix the problem.

You can’t just run web-apps with a custom path, as it will break URLs from (absolute) redirects, links, images and scripts. It needs to support setting a custom "base path". Otherwise you need to use a sub-domain.

Entrypoints TLS docs.
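
Why the path-based routers end at the "You need to enable JavaScript" page, as an added example that is not part of the original posts: a simplified model of Traefik v2 rule matching (only `Host`, `Path` and `PathPrefix` joined by `&&`, default priority by rule length) run against the router rules quoted in this thread. The `/static/js/main.js` asset path is a constructed stand-in for the absolute URLs the console page references.

```python
import re

# Rules copied from the question's labels and dynamic.yml.
QUESTION_ROUTERS = {
    "minio": "Host(`ajmr.mobiliscope.com`) && Path(`/minio`)",
    "minioconsole": "Host(`ajmr.mobiliscope.com`) && Path(`/minioconsole`)",
    "traefik": "Host(`ajmr.mobiliscope.com`)",  # file provider, service api@internal
}
# Rule copied from the sub-domain labels in the reply.
SUBDOMAIN_ROUTERS = {"myminioadmin": "Host(`minioadmin.example.com`)"}

MATCHER = re.compile(r"(Host|PathPrefix|Path)\(`([^`]+)`\)")


def matches(rule, host, path):
    """True when every matcher of an '&&'-only rule accepts the request."""
    checks = {
        "Host": lambda value: host == value,
        "Path": lambda value: path == value,  # exact match, no sub-paths
        "PathPrefix": lambda value: path.startswith(value),
    }
    return all(checks[kind](value) for kind, value in MATCHER.findall(rule))


def route(routers, host, path):
    """Name of the winning router, or None; longest rule wins by default."""
    hits = [name for name, rule in routers.items() if matches(rule, host, path)]
    return max(hits, key=lambda name: len(routers[name]), default=None)


if __name__ == "__main__":
    host = "ajmr.mobiliscope.com"
    # Constructed requests: the console page, the same URL with a trailing
    # slash, and a script the page references by absolute path.
    for path in ("/minioconsole", "/minioconsole/", "/static/js/main.js"):
        print(f"{host}{path} -> {route(QUESTION_ROUTERS, host, path)}")
    sub = "minioadmin.example.com"
    for path in ("/", "/static/js/main.js"):
        print(f"{sub}{path} -> {route(SUBDOMAIN_ROUTERS, sub, path)}")
```

Under the path rules only the exact `/minioconsole` request reaches MinIO; the script request falls through to the catch-all `traefik` router, whereas the sub-domain rule sends every path on that host to the console service.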

I guess I have an issue with the sub-domains. My server already contains a sub-domain (ajmr.mobiliscope.com). Is it possible to deal with a sub-sub-domain, like minioadmin.xx.yy.com? That's what I define in my dynamic config and it could be the source of my issue. What do you think?

Sub-sub-domain should be no problem, you just need the A record in your DNS.

OK, thanks.
I try to go back to a simpler way to define my minio config:

  minio:
    image: docker.io/bitnami/minio:2022
    container_name: minio
    ports:
      - '9000:9000'
      - '9001:9001'
    environment:
        - MINIO_ROOT_USER=mathieu
        - MINIO_ROOT_PASSWORD=mathieu-password
    volumes:
      - 'minio_data:/data'
    labels:
     - "traefik.enable=true"
     - "traefik.http.routers.minio.entrypoints=websecure"
     - "traefik.http.routers.minio.tls=true"
     - "traefik.http.routers.minio.rule=Host(`$MY_DOMAIN`) && PathPrefix(`/minio`)"

When I browse https://ajmr.mobiliscope.com/minio, there is a redirection to port 9001 (http://ajmr.mobiliscope.com:9001/). There is no routing to the minio docker. What am I doing wrong?

This is how we run Traefik and a minio instance, you need to update LE email and (sub-)domains, users and paths:

services:
  traefik:
    image: traefik:v2.10
    ports:
      - 80:80
      - 443:443
    hostname: minio
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - letsencrypt:/letsencrypt
      - /var/log:/var/log
    command:
      - --api.dashboard=true
      - --log.level=INFO
      #- --log.filepath=/var/log/traefik.log
      - --accesslog=true
      #- --accesslog.filepath=/var/log/traefik-access.log
      - --providers.docker.network=proxy
      - --providers.docker.exposedByDefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entryPoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      #- --entrypoints.websecure.asDefault=true
      - --entrypoints.websecure.http.tls.certresolver=myresolver
      - --certificatesresolvers.myresolver.acme.email=user@example.com
      - --certificatesresolvers.myresolver.acme.tlschallenge=true
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
    labels:
      - traefik.enable=true
      - traefik.http.routers.mydashboard.entrypoints=websecure
      - traefik.http.routers.mydashboard.rule=Host(`traefik.example.com`)
      - traefik.http.routers.mydashboard.service=api@internal
      - traefik.http.routers.mydashboard.middlewares=myauth
      - traefik.http.middlewares.myauth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/

  minio:
    image: minio/minio:RELEASE.2023-05-04T21-44-30Z
    networks:
      - proxy
    volumes:
      - /data/minio:/data
    environment:
      - MINIO_ROOT_USER=minioadmin
      - MINIO_ROOT_PASSWORD=miniopassword
    entrypoint: ["/bin/sh", "-c"]
    command:
      - |
        minio server /data --console-address ":9001"
    labels:
      - traefik.enable=true
      - traefik.http.routers.myminio.entrypoints=websecure
      - traefik.http.routers.myminio.rule=Host(`minio.example.com`)
      - traefik.http.routers.myminio.service=myminio
      - traefik.http.services.myminio.loadbalancer.server.port=9000

      - traefik.http.routers.myminioadmin.entrypoints=websecure
      - traefik.http.routers.myminioadmin.rule=Host(`minioadmin.example.com`)
      - traefik.http.routers.myminioadmin.service=myminioadmin
      - traefik.http.services.myminioadmin.loadbalancer.server.port=9001

networks:
  proxy:
    name: proxy

volumes:
  letsencrypt:
    name: letsencrypt

I am not sure if the command is really required for minio, was doing some experiments with it. But it runs like this :)

Please note that there are already new hotfix releases out there: link.

It works now! My main mistake was that I didn't configure the sub-sub-domains in my DNS config dashboard.
Thanks again!