Can't reverse proxy Minio

1. The problem I’m having:

When I try to deploy Caddy and MinIO with Docker Compose, I find that reverse proxying MinIO does not work properly.
I can confirm that MinIO is installed correctly.

2. Error messages and/or full log output:

This is rclone.conf

[minio]
type = s3
provider = Minio
access_key_id = b222222222E8PjkW6
secret_access_key = 1TJRQNcGyi1111111mIHP
endpoint = https://minio.x.y
#endpoint = http://ip:9000
acl = private

When I change the endpoint to ‘http://ip:9000’ it works:

root@host:~# rclone lsd minio:
          -1 2025-03-31 12:13:07        -1 test

It does not work for https://minio.x.y:

root@host:~# rclone lsd minio:
2025/03/31 12:15:04 ERROR : : error listing: operation error S3: ListBuckets, https response error StatusCode: 403, RequestID: 1831D86EAA6FCFC3, HostID: dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8, api error SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your key and signing method.
2025/03/31 12:15:04 NOTICE: Failed to lsd with 2 errors: last error was: operation error S3: ListBuckets, https response error StatusCode: 403, RequestID: 1831D86EAA6FCFC3, HostID: dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8, api error SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your key and signing method.

3. Caddy version: 2.9.1

4. How I installed and ran Caddy:

docker compose

System environment:

debian 12

docker-compose.yml:

services:
    caddy:
        image: caddy
        container_name: caddy
        restart: always
        network_mode: host
        volumes:
            - /home/caddy/Caddyfile:/etc/caddy/Caddyfile
            - /home/caddy:/data
    minio:
        restart: unless-stopped
        container_name: minio
        ports:
            - 127.0.0.1:9000:9000
            - 127.0.0.1:9001:9001
        volumes:
            - /home/minio/data:/data
            - /home/minio/config:/root/.minio
        environment:
            - MINIO_ROOT_USER=minio
            - MINIO_ROOT_PASSWORD=1111111111111111111111
            - MINIO_COMPRESSION_ENABLE="on"
        command: server /data --address ":9000" --console-address ":9001"
        image: minio/minio:latest

Caddyfile:

minio.x.y {
    reverse_proxy 127.0.0.1:9000
    tls 222@gmail.com 
}

console.x.y {
    reverse_proxy 127.0.0.1:9001
    tls 222@gmail.com 
}

https://console.x.y can be accessed correctly.
Does anyone know what else needs to be added to this caddyfile?

Remove these. They expose your minio instance externally because Docker overrides user iptable config.

The response is coming from minio. Caddy doesn’t change the requests or manipulate them. It only proxies the data back and forth. Double check the access key and the associated privileges.

I know the risk of exposure.
The port I actually wrote is

127.0.0.1:9000:9000
127.0.0.1:9001:9001

The purpose of exposing the port is to test whether the access key is correct.
It turns out that http works, but https doesn’t.
Maybe there is some more setting needed in minio?

It’s definitely a minio config issue. Can you check this guide? I don’t have much experience with minio.

Finally solved it.
I tried to connect MinIO with other software and everything worked fine.
The reason is the rclone config file.

This is the most important part:

Press Enter for the default (other-v2-signature).
   / Use this if unsure.
 1 | Will use v4 signatures and an empty region.
   \ ()
   / Use this only if v4 signatures don't work.
 2 | E.g. pre Jewel/v10 CEPH.
   \ (other-v2-signature)
region> 2

Final rclone.conf, it works:

[minio]
type = s3
provider = Minio
access_key_id = bv1111111111PjkW6
secret_access_key = 222222222222222mIHP
endpoint = https://minio.x.y
acl = private
location_constraint = auto
region = other-v2-signature

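Added example, not part of the thread and not rclone or MinIO code: a minimal AWS Signature Version 4 computation for the ListBuckets request (`GET /`), showing that the signature covers both the Host header and the region, so a verifier that recomputes it from a different value for either arrives at a different signature and rejects the request. The secret, timestamp and region names are constructed sample values; the host names are the ones used in the posts above.

```python
import hashlib
import hmac

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sigv4_signature(secret: str, host: str, region: str, amz_date: str,
                    method: str = "GET", path: str = "/", query: str = "") -> str:
    """Hex SigV4 signature for an S3 request with an empty body."""
    date = amz_date[:8]
    payload_hash = hashlib.sha256(b"").hexdigest()
    # The Host header is a signed header, so it is part of the canonical request.
    canonical_headers = (f"host:{host}\n"
                         f"x-amz-content-sha256:{payload_hash}\n"
                         f"x-amz-date:{amz_date}\n")
    signed_headers = "host;x-amz-content-sha256;x-amz-date"
    canonical_request = "\n".join(
        [method, path, query, canonical_headers, signed_headers, payload_hash])
    # The region is part of the credential scope and of the derived signing key.
    scope = f"{date}/{region}/s3/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope,
         hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = ("AWS4" + secret).encode()
    for part in (date, region, "s3", "aws4_request"):
        key = _hmac(key, part)
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()

def server_accepts(client_sig: str, secret: str, host_seen: str,
                   region_expected: str, amz_date: str) -> bool:
    """Recompute the signature the way a verifier would and compare."""
    expected = sigv4_signature(secret, host_seen, region_expected, amz_date)
    return hmac.compare_digest(client_sig, expected)

# Constructed sample values, not the credentials from the thread.
SECRET = "EXAMPLE-SECRET-KEY"
AMZ_DATE = "20250331T121504Z"
CLIENT_SIG = sigv4_signature(SECRET, "minio.x.y", "us-east-1", AMZ_DATE)

if __name__ == "__main__":
    cases = [("minio.x.y", "us-east-1"),       # same Host and region
             ("127.0.0.1:9000", "us-east-1"),  # Host differs from what was signed
             ("minio.x.y", "eu-west-1")]       # region differs from what was signed
    for host, region in cases:
        ok = server_accepts(CLIENT_SIG, SECRET, host, region, AMZ_DATE)
        print(f"host={host:<15} region={region:<10} accepted={ok}")
```

When debugging a 403 like the one above, `rclone -vv --dump headers lsd minio:` prints the Authorization header, whose credential scope shows the region and signed headers the client actually used.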