From 3e0d63cd5d89f5d00035335f9637100a17a929a8 Mon Sep 17 00:00:00 2001 From: v-rocheleau Date: Tue, 17 Dec 2024 12:37:26 -0500 Subject: [PATCH 01/11] chore: init minio proxy config --- conf/minio.conf.tpl | 72 +++++++++++++++++++++++++++++++++++++++++++++ conf/nginx.conf.tpl | 4 +++ entrypoint.bash | 27 +++++++++++++++++ 3 files changed, 103 insertions(+) create mode 100644 conf/minio.conf.tpl diff --git a/conf/minio.conf.tpl b/conf/minio.conf.tpl new file mode 100644 index 0000000..1876eab --- /dev/null +++ b/conf/minio.conf.tpl 
@@ -0,0 +1,72 @@ +upstream minio { + server ${BENTO_MINIO_CONTAINER_NAME}:${BENTO_MINIO_INTERNAL_PORT}; +} + +upstream minio_console { + server ${BENTO_MINIO_CONTAINER_NAME}:${BENTO_MINIO_CONSOLE_PORT}; +} + +server { + # tpl__tls_yes__start + # Use 444 for internal SSL to allow streaming back to self (above) + listen 444 ssl; + # tpl__tls_yes__end + + # tpl__tls_no__start + listen 80; + # tpl__tls_no__end + + server_name ${BENTO_MINIO_DOMAIN}; + + # Allow special characters in headers + ignore_invalid_headers off; + + # Allow any size file to be uploaded. + # Set to a value such as 1000m; to restrict file size to a specific value + client_max_body_size 0; + + # Disable buffering + proxy_buffering off; + proxy_request_buffering off; + + location / { + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_connect_timeout 300; + # Default is HTTP/1, keepalive is only enabled in HTTP/1.1 + proxy_http_version 1.1; + proxy_set_header Connection ""; + chunked_transfer_encoding off; + + proxy_pass http://minio; + } + + location /minio/ui/ { + rewrite ^/minio/ui/(.*) /$1 break; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-NginX-Proxy true; + + # This is necessary to pass the correct IP to be hashed + real_ip_header X-Real-IP; + + proxy_connect_timeout 300; + + # To support websockets in MinIO versions released after January 2023 + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + # Some environments may encounter CORS errors (Kubernetes + Nginx Ingress) + # Uncomment the following line to set the Origin request to an empty string + # proxy_set_header Origin ''; + + chunked_transfer_encoding off; + + proxy_pass 
http://minio_console; # This uses the upstream directive definition to load balance + } +} diff --git a/conf/nginx.conf.tpl b/conf/nginx.conf.tpl index f0496cc..bd41371 100644 --- a/conf/nginx.conf.tpl +++ b/conf/nginx.conf.tpl @@ -266,4 +266,8 @@ http { } # tpl__redirect_yes__end + # tpl__use_minio__start + include minio.conf; + # tpl__use_minio__end + } diff --git a/entrypoint.bash b/entrypoint.bash index 2aa2d82..0c268f4 100644 --- a/entrypoint.bash +++ b/entrypoint.bash @@ -72,6 +72,10 @@ envsubst "$(cat ./VARIABLES)" \ < ./conf/nginx.conf.tpl \ > ./nginx.conf.pre +echo "[bento_gateway] [entrypoint] creating minio.conf.pre" +envsubst "$(cat ./VARIABLES)" \ + < ./conf/minio.conf.tpl \ + > ./minio.conf.pre # ---------------------------------------------------------------------------------------------------------------------- # Run "fine-tuning", i.e., processing the configuration files to *remove* chunks that aren't relevant to the environment @@ -92,6 +96,19 @@ else ./cbioportal.conf.pre fi +# Run fine-tuning on minio.conf.pre +if [[ "${use_tls}" == 0 ]]; then + echo "[bento_gateway] [entrypoint] Fine-tuning minio.conf to not use TLS" + sed -i.bak \ + '/tpl__tls_yes__start/,/tpl__tls_yes__end/d' \ + ./minio.conf.pre +else + echo "[bento_gateway] [entrypoint] Fine-tuning minio.conf to use TLS" + sed -i.bak \ + '/tpl__tls_no__start/,/tpl__tls_no__end/d' \ + ./minio.conf.pre +fi + # Run fine-tuning on nginx.conf.pre if [[ "${use_tls}" == 0 ]]; then echo "[bento_gateway] [entrypoint] Fine-tuning nginx.conf to not use TLS" 
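Review bot: The `location /minio/ui/` block in conf/minio.conf.tpl publishes the MinIO console through the gateway with nothing in this file limiting who can reach it, so the console's own login is the only barrier visible here. If the console is meant for operators only, an address restriction inside that location, such as `allow <ADMIN_CIDR_PLACEHOLDER>; deny all;`, would keep it off the public side. Separately, `client_max_body_size 0;` together with `proxy_request_buffering off;` means the gateway applies no upload cap for this server; a comment stating that size limits and quotas are expected to be enforced by MinIO would document the intent. `real_ip_header X-Real-IP;` only takes effect for peers listed in `set_real_ip_from`, which is not set in this file, so it is either inert or depends on configuration outside this hunk.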
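Review bot: In the entrypoint.bash hunk at `@@ -72,6 +72,10 @@`, `envsubst "$(cat ./VARIABLES)"` substitutes only the names listed in ./VARIABLES, and this commit's diffstat does not touch that file. Unless the list is generated elsewhere, the new `${BENTO_MINIO_*}` placeholders in minio.conf.tpl would be written out literally. The template is also rendered whether or not MinIO is enabled, so names that are listed but unset become empty strings, giving lines like `server_name ;`. A comment above the new call, e.g. `# minio.conf.pre is rendered unconditionally; it is only included when BENTO_MINIO_ENABLED is true`, would make that dependency explicit.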
@@ -139,11 +156,21 @@ else '/tpl__redirect_yes__start/,/tpl__redirect_yes__end/d' \ ./nginx.conf.pre fi +if [[ "$(true_values_to_1 $BENTO_MINIO_ENABLED)" == 1]]; then + echo "[bento_gateway] [entrypoint] Fine-tuning nginx.conf to use Minio" +else + echo "[bento_gateway] [entrypoint] Fine-tuning nginx.conf to disable Minio" + sed -i.bak \ + '/tpl__use_minio__start/,/tpl__use_minio__end/d' \ + ./nginx.conf.pre + # ---------------------------------------------------------------------------------------------------------------------- # Generate final configuration files / locations ----------------------------------------------------------------------- # - Move cbioportal.conf into position cp ./cbioportal.conf.pre "${BENTO_GATEWAY_CONF_DIR}/cbioportal.conf" +# - Move minio.conf into position +cp ./minio.conf.pre "${BENTO_GATEWAY_CONF_DIR}/minio.conf" # - Move nginx.conf into position cp ./nginx.conf.pre "${BENTO_GATEWAY_CONF_DIR}/nginx.conf" # - Remove pre-final configuration files + any backups From 7262dc16efc01505664ff4eaaac9bfc2459e7f62 Mon Sep 17 00:00:00 2001 From: v-rocheleau Date: Tue, 17 Dec 2024 12:45:12 -0500 Subject: [PATCH 02/11] fix entrypoint --- entrypoint.bash | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/entrypoint.bash b/entrypoint.bash index 0c268f4..cb7b2ba 100644 --- a/entrypoint.bash +++ b/entrypoint.bash @@ -156,7 +156,7 @@ else '/tpl__redirect_yes__start/,/tpl__redirect_yes__end/d' \ ./nginx.conf.pre fi -if [[ "$(true_values_to_1 $BENTO_MINIO_ENABLED)" == 1]]; then +if [[ "$(true_values_to_1 $BENTO_MINIO_ENABLED)" == 1 ]]; then echo "[bento_gateway] [entrypoint] Fine-tuning nginx.conf to use Minio" else echo "[bento_gateway] [entrypoint] Fine-tuning nginx.conf to disable Minio" From 57fc82fb25a2e1169b47871ce8476bcfb29b54e3 Mon Sep 17 00:00:00 2001 From: v-rocheleau Date: Tue, 17 Dec 2024 12:51:19 -0500 Subject: [PATCH 03/11] close entrypoint if --- entrypoint.bash | 1 + 1 file changed, 1 insertion(+) 
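Review bot: `$BENTO_MINIO_ENABLED` is expanded unquoted inside the command substitution of the new `if`, so an unset or empty value calls `true_values_to_1` with no argument and a value containing whitespace or glob characters is split; `if [[ "$(true_values_to_1 "${BENTO_MINIO_ENABLED:-}")" == 1 ]]; then` avoids both. Patch 02/11 rewrites the same line and keeps the unquoted expansion. The added `cp ./minio.conf.pre "${BENTO_GATEWAY_CONF_DIR}/minio.conf"` runs even when MinIO is disabled, which leaves a rendered minio.conf with possibly empty host and port values in the conf directory; guarding it with the same condition would keep unused configuration out of the running container. Whether the cleanup step removes minio.conf.pre and its .bak cannot be seen, because it lies outside the hunk.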
diff --git a/entrypoint.bash b/entrypoint.bash index cb7b2ba..b8e4734 100644 --- a/entrypoint.bash +++ b/entrypoint.bash @@ -163,6 +163,7 @@ else sed -i.bak \ '/tpl__use_minio__start/,/tpl__use_minio__end/d' \ ./nginx.conf.pre +fi # ---------------------------------------------------------------------------------------------------------------------- From 9ad0bd01060d047b83b19958c386c6b03722f1f4 Mon Sep 17 00:00:00 2001 From: v-rocheleau Date: Tue, 17 Dec 2024 13:00:25 -0500 Subject: [PATCH 04/11] test minio subdomain cert --- conf/minio.conf.tpl | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/conf/minio.conf.tpl b/conf/minio.conf.tpl index 1876eab..0eb0e54 100644 --- a/conf/minio.conf.tpl +++ b/conf/minio.conf.tpl @@ -18,6 +18,11 @@ server { server_name ${BENTO_MINIO_DOMAIN}; + # tpl__tls_yes__start + ssl_certificate ${BENTOV2_GATEWAY_INTERNAL_CERTS_DIR}${BENTO_GATEWAY_INTERNAL_MINIO_FULLCHAIN_RELATIVE_PATH}; + ssl_certificate_key ${BENTOV2_GATEWAY_INTERNAL_CERTS_DIR}${BENTO_GATEWAY_INTERNAL_MINIO_PRIVKEY_RELATIVE_PATH}; + # tpl__tls_yes__end + # Allow special characters in headers ignore_invalid_headers off; From e799e847ac95d5f079e95556bc9e5620db74e533 Mon Sep 17 00:00:00 2001 From: v-rocheleau Date: Tue, 17 Dec 2024 13:09:07 -0500 Subject: [PATCH 05/11] rm minio upstreams --- conf/minio.conf.tpl | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/conf/minio.conf.tpl b/conf/minio.conf.tpl index 0eb0e54..47d0337 100644 --- a/conf/minio.conf.tpl +++ b/conf/minio.conf.tpl @@ -1,14 +1,5 @@ -upstream minio { - server ${BENTO_MINIO_CONTAINER_NAME}:${BENTO_MINIO_INTERNAL_PORT}; -} - -upstream minio_console { - server ${BENTO_MINIO_CONTAINER_NAME}:${BENTO_MINIO_CONSOLE_PORT}; -} - server { # tpl__tls_yes__start - # Use 444 for internal SSL to allow streaming back to self (above) listen 444 ssl; # tpl__tls_yes__end 
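Review bot: In patch 04/11, both certificate paths are formed by joining two variables with no separator, `${BENTOV2_GATEWAY_INTERNAL_CERTS_DIR}${BENTO_GATEWAY_INTERNAL_MINIO_FULLCHAIN_RELATIVE_PATH}`, so the result is valid only if one of the two values supplies the `/` between them. A one-line comment above the block, e.g. `# cert paths are concatenated as-is: the *_RELATIVE_PATH value must start with "/" (or the dir must end with one)`, would record that convention. The server block sets no `ssl_protocols`; presumably that is inherited from the http level in nginx.conf, which is outside this hunk.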
@@ -46,7 +37,7 @@ server { proxy_set_header Connection ""; chunked_transfer_encoding off; - proxy_pass http://minio; + proxy_pass http://${BENTO_MINIO_CONTAINER_NAME}:${BENTO_MINIO_INTERNAL_PORT}; } location /minio/ui/ { @@ -72,6 +63,6 @@ server { chunked_transfer_encoding off; - proxy_pass http://minio_console; # This uses the upstream directive definition to load balance + proxy_pass http://${BENTO_MINIO_CONTAINER_NAME}:${BENTO_MINIO_CONSOLE_PORT}; } } From c8bcd0adc2542b0142baad55d2b63ab1b356c057 Mon Sep 17 00:00:00 2001 From: v-rocheleau Date: Tue, 17 Dec 2024 13:48:28 -0500 Subject: [PATCH 06/11] minio error logs --- conf/minio.conf.tpl | 33 +++++++++++++++++++++------------ 1 file changed, 21 insertions(+), 12 deletions(-) diff --git a/conf/minio.conf.tpl b/conf/minio.conf.tpl index 47d0337..d36cda5 100644 --- a/conf/minio.conf.tpl +++ b/conf/minio.conf.tpl 
@@ -38,31 +38,40 @@ server { chunked_transfer_encoding off; proxy_pass http://${BENTO_MINIO_CONTAINER_NAME}:${BENTO_MINIO_INTERNAL_PORT}; + + # Errors + error_log /var/log/bentov2_minio_errors.log; } location /minio/ui/ { - rewrite ^/minio/ui/(.*) /$1 break; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-NginX-Proxy true; + # General reverse proxy settings + include /gateway/conf/proxy.conf; + include /gateway/conf/proxy_extra.conf; # This is necessary to pass the correct IP to be hashed + proxy_set_header X-NginX-Proxy true; real_ip_header X-Real-IP; proxy_connect_timeout 300; - # To support websockets in MinIO versions released after January 2023 - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; # Some environments may encounter CORS errors (Kubernetes + Nginx Ingress) # Uncomment the following line to set the Origin request to an empty string - # proxy_set_header Origin ''; + proxy_set_header Origin ''; chunked_transfer_encoding off; - proxy_pass http://${BENTO_MINIO_CONTAINER_NAME}:${BENTO_MINIO_CONSOLE_PORT}; + rewrite ^ $request_uri; + rewrite ^/minio/ui/(.*) /$1 break; + proxy_pass http://${BENTO_MINIO_CONTAINER_NAME}:${BENTO_MINIO_CONSOLE_PORT}$uri; + + # Add sub_filter directives to rewrite base href + sub_filter ' Date: Tue, 17 Dec 2024 14:21:06 -0500 Subject: [PATCH 07/11] proxy pass https --- conf/minio.conf.tpl | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/conf/minio.conf.tpl b/conf/minio.conf.tpl index d36cda5..7c604d8 100644 --- a/conf/minio.conf.tpl +++ b/conf/minio.conf.tpl 
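Review bot: `proxy_set_header Origin '';` is now active for every request to the console location, while the comment above it still reads "Uncomment the following line", so the header is stripped unconditionally and the comment no longer matches the code. Clearing Origin removes the value an upstream would use to reject cross-origin WebSocket or API requests, so it is worth keeping only if the CORS failure was actually observed, with the comment changed to say why, e.g. `# Origin cleared on purpose: console rejects proxied requests otherwise (see <ISSUE_PLACEHOLDER>)`. The `rewrite ^ $request_uri;` … `proxy_pass …$uri;` sequence forwards the client's raw, un-normalised URI, and a `return 400;` placed after the second rewrite is the usual guard for a raw URI that does not start with the prefix. The end of this hunk is not legible on this page, so the sub_filter lines are not reviewed.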
@@ -26,23 +26,22 @@ server { proxy_request_buffering off; location / { - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - + # Reverse proxy settings + include /gateway/conf/proxy.conf; + include /gateway/conf/proxy_extra.conf; proxy_connect_timeout 300; # Default is HTTP/1, keepalive is only enabled in HTTP/1.1 proxy_http_version 1.1; proxy_set_header Connection ""; chunked_transfer_encoding off; - proxy_pass http://${BENTO_MINIO_CONTAINER_NAME}:${BENTO_MINIO_INTERNAL_PORT}; + proxy_pass https://${BENTO_MINIO_CONTAINER_NAME}:${BENTO_MINIO_INTERNAL_PORT}; # Errors error_log /var/log/bentov2_minio_errors.log; } + location /minio/ui { return 302 https://${BENTOV2_DOMAIN}/minio/ui/; } location /minio/ui/ { # General reverse proxy settings include /gateway/conf/proxy.conf; @@ -62,7 +61,7 @@ server { rewrite ^ $request_uri; rewrite ^/minio/ui/(.*) /$1 break; - proxy_pass http://${BENTO_MINIO_CONTAINER_NAME}:${BENTO_MINIO_CONSOLE_PORT}$uri; + proxy_pass https://${BENTO_MINIO_CONTAINER_NAME}:${BENTO_MINIO_CONSOLE_PORT}$uri; # Add sub_filter directives to rewrite base href sub_filter ' Date: Tue, 17 Dec 2024 14:25:16 -0500 Subject: [PATCH 08/11] rm duplicate conf --- conf/minio.conf.tpl | 1 - 1 file changed, 1 deletion(-) diff --git a/conf/minio.conf.tpl b/conf/minio.conf.tpl index 7c604d8..b5a7d8d 100644 --- a/conf/minio.conf.tpl +++ b/conf/minio.conf.tpl @@ -31,7 +31,6 @@ server { include /gateway/conf/proxy_extra.conf; proxy_connect_timeout 300; # Default is HTTP/1, keepalive is only enabled in HTTP/1.1 - proxy_http_version 1.1; proxy_set_header Connection ""; chunked_transfer_encoding off; From 7059e63326e7e214b1a2d0a9c7e961247cf1d8b8 Mon Sep 17 00:00:00 2001 
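Review bot: `location /minio/ui { return 302 ...; }` in patch 07/11 is a prefix match, so it also catches every other path on this server that begins with `/minio/ui` and is not claimed by the longer `/minio/ui/` block, including S3 requests meant for `location /`. `location = /minio/ui { return 302 https://${BENTOV2_DOMAIN}/minio/ui/; }` limits the redirect to the bare path. The same line is carried into patch 10/11, which only changes the target host, so the exact-match form applies there as well.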
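Review bot: In patch 08/11 the comment `# Default is HTTP/1, keepalive is only enabled in HTTP/1.1` is left behind after the `proxy_http_version 1.1;` line it described is deleted, so it now reads as if it described `proxy_set_header Connection "";`. Either drop it or reword it to say where the version is set, e.g. `# HTTP/1.1 is set in the included proxy.conf (assumed); Connection is cleared for upstream keepalive`. proxy.conf is not shown on this page, so the claim that it sets HTTP/1.1 is an assumption drawn from the commit subject.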
From: v-rocheleau Date: Tue, 17 Dec 2024 15:47:02 -0500 Subject: [PATCH 09/11] working minio proxy --- conf/minio.conf.tpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/conf/minio.conf.tpl b/conf/minio.conf.tpl index b5a7d8d..d9256b0 100644 --- a/conf/minio.conf.tpl +++ b/conf/minio.conf.tpl @@ -34,7 +34,7 @@ server { proxy_set_header Connection ""; chunked_transfer_encoding off; - proxy_pass https://${BENTO_MINIO_CONTAINER_NAME}:${BENTO_MINIO_INTERNAL_PORT}; + proxy_pass http://${BENTO_MINIO_CONTAINER_NAME}:${BENTO_MINIO_INTERNAL_PORT}; # Errors error_log /var/log/bentov2_minio_errors.log; @@ -60,7 +60,7 @@ server { rewrite ^ $request_uri; rewrite ^/minio/ui/(.*) /$1 break; - proxy_pass https://${BENTO_MINIO_CONTAINER_NAME}:${BENTO_MINIO_CONSOLE_PORT}$uri; + proxy_pass http://${BENTO_MINIO_CONTAINER_NAME}:${BENTO_MINIO_CONSOLE_PORT}$uri; # Add sub_filter directives to rewrite base href sub_filter ' Date: Wed, 18 Dec 2024 16:30:05 -0500 Subject: [PATCH 10/11] chore: fix console redirect and address comment --- conf/minio.conf.tpl | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/conf/minio.conf.tpl b/conf/minio.conf.tpl index d9256b0..8a27206 100644 --- a/conf/minio.conf.tpl +++ b/conf/minio.conf.tpl @@ -40,7 +40,7 @@ server { error_log /var/log/bentov2_minio_errors.log; } - location /minio/ui { return 302 https://${BENTOV2_DOMAIN}/minio/ui/; } + location /minio/ui { return 302 https://${BENTO_MINIO_DOMAIN}/minio/ui/; } location /minio/ui/ { # General reverse proxy settings include /gateway/conf/proxy.conf; @@ -62,13 +62,6 @@ server { rewrite ^/minio/ui/(.*) /$1 break; proxy_pass http://${BENTO_MINIO_CONTAINER_NAME}:${BENTO_MINIO_CONSOLE_PORT}$uri; - # Add sub_filter directives to rewrite base href - sub_filter ' Date: Thu, 19 Dec 2024 17:30:31 -0500 Subject: [PATCH 11/11] lint --- entrypoint.bash | 1 + 1 file changed, 1 insertion(+) diff --git a/entrypoint.bash b/entrypoint.bash index b8e4734..7a04de6 100644 
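Review bot: Both `proxy_pass` targets in patch 09/11 go back to plain `http://`, so S3 requests and console sessions cross the hop between the gateway and the MinIO container unencrypted. That is reasonable only if the two containers share a private network, which is not visible here; a comment next to each `proxy_pass`, e.g. `# plaintext on purpose: gateway and MinIO share an internal-only network`, would record the assumption. If TLS to the upstream is reintroduced, it needs `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate` as well, because nginx does not verify upstream certificates by default.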
--- a/entrypoint.bash +++ b/entrypoint.bash @@ -76,6 +76,7 @@ echo "[bento_gateway] [entrypoint] creating minio.conf.pre" envsubst "$(cat ./VARIABLES)" \ < ./conf/minio.conf.tpl \ > ./minio.conf.pre + # ---------------------------------------------------------------------------------------------------------------------- # Run "fine-tuning", i.e., processing the configuration files to *remove* chunks that aren't relevant to the environment