MinIO on OpenBSD 7.2: Configure network

@nabbisen

Intro

MinIO is an object storage suite. It is compatible with AWS S3, and it is open source, written in Go (golang).

OpenBSD offers it as a package via Ports, so installing it takes only a few minutes.

By default, however, the daemon listens on all addresses and is directly reachable from outside. This post shows how to configure it to block connections from the WAN (Wide Area Network). This is dealt with by the --address option. At the same time, we let relayd act as a proxy.

Environment

  • OS: OpenBSD 7.2
  • Web proxy: relayd
  • Object Storage: MinIO 0.20220826

Body

minio server default settings

First, check /etc/rc.d/minio, the rc.d daemon script. It starts with:

#!/bin/ksh

daemon="/usr/local/bin/minio server"
daemon_flags="/var/minio/export"
daemon_user="_minio"
(...)

Next, read the help of minio server:

$ minio server --help

It starts with:

NAME:
  minio server - start object storage server

USAGE:
  minio server [FLAGS] DIR1 [DIR2..]
  minio server [FLAGS] DIR{1...64}
  minio server [FLAGS] DIR{1...64} DIR{65...128}
(...)

And you will find the following in it:

FLAGS:
  --address value              bind to a specific ADDRESS:PORT, ADDRESS can be an IP or hostname (default: ":9000") [$MINIO_ADDRESS]

The --address option is the key.

Introduce --address option

We have to override daemon_flags in /etc/rc.d/minio in order to pass the --address option. You have two options.

Option 1: Append to /etc/rc.conf.local

Edit /etc/rc.conf.local to append:

+ minio_flags="--address 127.0.0.1:9000 /var/minio/export"

Note that this file is not created at OS installation, so you may have to create it now.

It overrides this line of the daemon script:

daemon_flags="/var/minio/export"

Option 2: Overwrite the daemon script directly

You can also modify /etc/rc.d/minio directly. It may work. Remember, however, that such a change is ephemeral.

Verify addresses minio listens to

Now the address minio listens on, which is “:9000” by default, has been replaced with “127.0.0.1:9000”. Let’s verify it.

$ curl -I 127.0.0.1:9000

The output was:

HTTP/1.1 400 Bad Request
Accept-Ranges: bytes
Content-Length: 261
Content-Type: application/xml
Server: MinIO
Vary: Origin
Date: Thu, 12 Jan 2023 12:59:42 GMT

Accepted.

How about requests from outside?

$ curl -I <minio-ip>:9000

The output was:

curl: (56) Recv failure: Connection reset by peer

Blocked. OK.

Introduce relayd

Now it is the turn of /etc/relayd.conf. Create it if necessary, and write the following in it:

log connection errors

table <minio_host> { "127.0.0.1" }

minio_fqdn = "<your-fqdn>"
minio_port = "9000"

http protocol "https-filter" {
        block
        
        pass request header "Host" value $minio_fqdn \
               forward to <minio_host>
        tls keypair $minio_fqdn

        # for minio: extend http headerlen (default = 8192)
        http headerlen 24576

        # performance enhancement
        tcp { nodelay, sack, backlog 128 }

        match header set "X-Client-IP" \
                value "$REMOTE_ADDR:$REMOTE_PORT"
        match header set "X-Forwarded-For" \
                value "$REMOTE_ADDR"
        match header set "X-Forwarded-By" \
                value "$SERVER_ADDR:$SERVER_PORT"
}

relay "https" {
        listen on egress port https tls
        
        # for minio: extend session timeout (default = 600)
        session timeout 1800

        protocol "https-filter"
        forward to <minio_host> port $minio_port check tcp
}

For the TLS connection, generate a keypair for <your-fqdn>. The values of <your-country-code> / <your-state> / <your-organization> below are up to you:

$ cd /etc/ssl

$ export MYDOMAIN="<your-fqdn>"
$ export CERT_SUBJ="/C=<your-country-code (2 letters)>/ST=<your-state>/L=/O=<your-organization>/OU=/CN=$MYDOMAIN"
$ doas openssl req -newkey rsa:2048 -new -nodes -x509 -days 36500 \
      -keyout private/$MYDOMAIN.key -out $MYDOMAIN.crt -subj "$CERT_SUBJ"; \
  doas chmod 400 private/$MYDOMAIN.key

Be careful that the certificate file name must end with .crt for relayd.

It is a self-signed certificate. Alternatively, you can use Let’s Encrypt etc.

Activate the daemon and start it:

$ doas rcctl enable relayd
relayd(ok)

$ doas rcctl start relayd
relayd(ok)
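Before pointing clients at the relay, a few pre-flight checks save a round of log reading. The following script is an added example and is not from the original post or from the relayd project. It assumes the file layout used above (/etc/ssl/NAME.crt and /etc/ssl/private/NAME.key), a hypothetical name minio.example for the offline demonstration, and that the relay answers on the host's egress address (<minio-ip> in the post), since "listen on egress" does not bind loopback.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the relayd
# front end configured above. Paths follow relayd.conf(5): `tls keypair NAME`
# reads /etc/ssl/NAME.crt and /etc/ssl/private/NAME.key. The SSL directory is
# a parameter so the check can also run against a staging copy.

# keypair_check SSLDIR NAME - both files exist under the names relayd expects
# and the private key is not readable by other users.
keypair_check() {
    ssldir="$1"; name="$2"
    crt="$ssldir/$name.crt"
    key="$ssldir/private/$name.key"
    [ -f "$crt" ] || { echo "missing $crt (the certificate file must be named NAME.crt)"; return 1; }
    [ -f "$key" ] || { echo "missing $key"; return 1; }
    # ls(1) rather than stat(1), whose flags differ between OpenBSD and Linux
    mode=$(ls -ld "$key" | cut -c1-10)
    case "$mode" in
        -r--------|-rw-------) return 0 ;;
        *) echo "$key has mode $mode; expected 0400 (chmod 400 as above)"; return 1 ;;
    esac
}

# config_check [FILE] - parse the relayd configuration without starting the
# daemon (relayd's -n configtest mode).
config_check() {
    doas relayd -n -f "${1:-/etc/relayd.conf}"
}

# smoke_test FQDN ADDR - request MinIO through the relay. ADDR is the address
# relayd listens on (the egress interface, i.e. <minio-ip> in the post);
# --resolve pins FQDN to it so the test works before public DNS does, and -k
# accepts the self-signed certificate. Succeeds if the reply carries MinIO's
# Server header, which only happens for requests whose Host header matches
# $minio_fqdn; everything else hits the protocol's default "block".
smoke_test() {
    fqdn="$1"; addr="$2"
    curl -skI --resolve "$fqdn:443:$addr" "https://$fqdn/" | grep -qi '^Server: MinIO'
}

# Offline demonstration: a throwaway /etc/ssl-like layout with placeholder
# files (not real keys) whose private key gets the given mode; returns
# keypair_check's status.
demo_keypair_layout() {
    keymode="$1"
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/private"
    echo "placeholder, not a real certificate" > "$tmp/minio.example.crt"
    echo "placeholder, not a real key" > "$tmp/private/minio.example.key"
    chmod "$keymode" "$tmp/private/minio.example.key"
    keypair_check "$tmp" minio.example
    rc=$?
    rm -rf "$tmp"
    return $rc
}

if demo_keypair_layout 400; then echo "keypair layout with mode 400: ok"; fi
if demo_keypair_layout 644; then :; else echo "keypair layout with mode 644: rejected as expected"; fi
```

On the real host the sequence is keypair_check /etc/ssl <your-fqdn>, then config_check, then smoke_test <your-fqdn> <minio-ip> once relayd is running; the first two need no network at all.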

MinIO supports TLS

If TLS is all you need, you don’t necessarily have to use relayd, because MinIO itself supports Network Encryption (TLS).

Outro

Now your MinIO listens on the local address only, and relayd stands between MinIO and the external network.

[ (external) ] <--> [ (local) relayd <--> minio ]

Series

MinIO on OpenBSD
  1. MinIO on OpenBSD 7.2: Install
  2. MinIO on OpenBSD 7.2: Configure network

Comments or feedbacks are welcomed and appreciated.