From 3c907d0a16e5ef9af0424ee0f78f8cfafcc2762b Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sat, 31 Aug 2024 19:04:21 -0500
Subject: [PATCH] r/minio-nginx: Reverse proxy for MinIO
The *minio-nginx* role configures nginx to proxy for MinIO. It uses the "subdomain" pattern, as described in [Configure NGINX Proxy for MinIO Server][0]; the S3 API and the console UI are accessible through different domain names.
[0]: https://min.io/docs/minio/linux/integrations/setup-nginx-proxy-with-minio.html
---
roles/minio-nginx/handlers/main.yml | 4 ++
roles/minio-nginx/meta/main.yml | 7 +++
roles/minio-nginx/tasks/main.yml | 37 +++++++++++++++
.../templates/minio-console.nginx.conf.j2 | 45 +++++++++++++++++++
.../minio-nginx/templates/minio.nginx.conf.j2 | 20 +++++++++
5 files changed, 113 insertions(+)
create mode 100644 roles/minio-nginx/handlers/main.yml
create mode 100644 roles/minio-nginx/meta/main.yml
create mode 100644 roles/minio-nginx/tasks/main.yml
create mode 100644 roles/minio-nginx/templates/minio-console.nginx.conf.j2
create mode 100644 roles/minio-nginx/templates/minio.nginx.conf.j2
diff --git a/roles/minio-nginx/handlers/main.yml b/roles/minio-nginx/handlers/main.yml
new file mode 100644
index 0000000..71ffc65
--- /dev/null
+++ b/roles/minio-nginx/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: reload nginx
+ service:
+ name: nginx
+ state: reloaded
diff --git a/roles/minio-nginx/meta/main.yml b/roles/minio-nginx/meta/main.yml
new file mode 100644
index 0000000..f6980d6
--- /dev/null
+++ b/roles/minio-nginx/meta/main.yml
@@ -0,0 +1,7 @@
+dependencies:
+- role: minio
+ tags:
+ - minio
+- role: nginx
+ tags:
+ - nginx
diff --git a/roles/minio-nginx/tasks/main.yml b/roles/minio-nginx/tasks/main.yml
new file mode 100644
index 0000000..92c98b6
--- /dev/null
+++ b/roles/minio-nginx/tasks/main.yml
@@ -0,0 +1,37 @@
+- name: ensure nginx is configured to proxy for minio
+ template:
+ src: minio.nginx.conf.j2
+ dest: /etc/nginx/default.d/minio.conf
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ notify:
+ - reload nginx
+ tags:
+ - config
+ - nginx-config
+ - minio-nginx
+ - minio-backend
+
+- name: ensure nginx is configured to proxy for minio console
+ template:
+ src: minio-console.nginx.conf.j2
+ dest: /etc/nginx/conf.d/minio-console.conf
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ notify:
+ - reload nginx
+ tags:
+ - config
+ - nginx-config
+ - minio-nginx
+ - minio-console
+
+- name: ensure selinux allows nginx to proxy
+ seboolean:
+ name: httpd_can_network_connect
+ persistent: true
+ state: true
+ tags:
+ - selinux
diff --git a/roles/minio-nginx/templates/minio-console.nginx.conf.j2 b/roles/minio-nginx/templates/minio-console.nginx.conf.j2
new file mode 100644
index 0000000..71ba7da
--- /dev/null
+++ b/roles/minio-nginx/templates/minio-console.nginx.conf.j2
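Review bot: The last task turns on `httpd_can_network_connect`, a host-wide SELinux boolean that lets every process in the httpd domain open TCP connections to any address and port, although this role only needs nginx to reach two loopback ports (`minio_port` and `minio_console_port`). A narrower option, to be confirmed against the target policy, is `httpd_can_network_relay` with the two MinIO ports labelled `http_port_t` through the `seport` module. If the broad boolean is kept deliberately, say so above the task, e.g. `# Broad on purpose: allows nginx to connect to any port; revisit if other httpd-domain services share this host.`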
@@ -0,0 +1,45 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name {{ minio_console_domain }};
+ root /usr/share/nginx/html;
+
+ ssl_certificate "{{ nginx_ssl_certificate }}";
+ ssl_certificate_key "{{ nginx_ssl_certificate_key }}";
+{% if nginx_ssl_ca_certificate is defined %}
+ ssl_client_certificate "{{ nginx_ssl_ca_certificate }}";
+{% endif %}
+ ssl_session_cache {{ nginx_ssl_session_cache }};
+ ssl_session_timeout {{ nginx_ssl_session_timeout }};
+ ssl_ciphers {{ nginx_ssl_ciphers|join(':') }};
+ ssl_prefer_server_ciphers on;
+
+ client_max_body_size 0;
+ proxy_buffering off;
+ proxy_request_buffering off;
+ chunked_transfer_encoding off;
+
+ proxy_connect_timeout 300;
+
+ location / {
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ real_ip_header X-Real-IP;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ proxy_pass http://127.0.0.1:{{ minio_console_port }};
+ }
+
+ error_page 404 /404.html;
+ location = /40x.html {}
+
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {}
+}
+
diff --git a/roles/minio-nginx/templates/minio.nginx.conf.j2 b/roles/minio-nginx/templates/minio.nginx.conf.j2
new file mode 100644
index 0000000..82ace39
--- /dev/null
+++ b/roles/minio-nginx/templates/minio.nginx.conf.j2
@@ -0,0 +1,20 @@
+client_max_body_size 0;
+proxy_buffering off;
+proxy_request_buffering off;
+chunked_transfer_encoding off;
+
+proxy_connect_timeout 300;
+
+location / {
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ real_ip_header X-Real-IP;
+
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+
+ proxy_pass http://127.0.0.1:{{ minio_port }};
+}
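Review bot: `ssl_client_certificate` is emitted when `nginx_ssl_ca_certificate` is defined, but this server block never sets `ssl_verify_client`, so unless the nginx role enables it at the http level (not visible here) no client certificate is requested and the CA setting does nothing to restrict access to the MinIO console. If client-certificate authentication is intended for this admin surface, add `ssl_verify_client on;` inside the `{% if %}` block; if it is not, drop the directive so the config does not suggest a control that is absent. Separately, `real_ip_header X-Real-IP;` in `location /` (the same line appears in minio.nginx.conf.j2) has no effect without a `set_real_ip_from` directive. If a broad one exists elsewhere, it would let clients supply the address nginx records. The directive concerns requests arriving at nginx rather than the upstream, so it can probably be removed from both templates.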
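Review bot: This template has no `server` block of its own and the tasks file installs it as /etc/nginx/default.d/minio.conf, so whether the S3 API is served over TLS, and for which host names, is decided by whichever server block in the nginx role includes default.d, which this commit does not show. A header comment would make that dependency explicit, e.g. `{# Included by the default server block of the nginx role; that block must listen with ssl, since S3 requests carry signed credentials and object data. #}`. The top-level directives also apply to every location of the including server, not only the MinIO proxy; if other default.d snippets add locations there, consider moving `client_max_body_size 0;` and `proxy_request_buffering off;` inside `location /`.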