|
|
|
|
@ -64,20 +64,64 @@ script in the following Linux distributions:
|
|
|
|
|
``/etc/ssl/certs/ca-certificates.crt`` file;
|
|
|
|
|
3. Restart Traefik.
|
|
|
|
|
|
|
|
|
|
> With the Step 1. Minio server will get the certificate it needs, hence SSE-C
|
|
|
|
|
> will be enabled.
|
|
|
|
|
|
|
|
|
|
> Steps 2. and 3. will need to be repeated each time you get a new CA
|
|
|
|
|
> certificate.
|
|
|
|
|
> These steps can be automated this way:
|
|
|
|
|
> Start Traefik with this command:
|
|
|
|
|
> ``sh -c "update-ca-certificates && traefik"``
|
|
|
|
|
> while ``/usr/local/share/ca-certificates`` container path is mounted from the
|
|
|
|
|
> host with the CA certificate produced by this script.
|
|
|
|
|
|
|
|
|
|
> I am using Alpine Traefik image, the correct ca certificates path is
|
|
|
|
|
> ``/usr/local/share/ca-certificates/``, otherwise one of these
|
|
|
|
|
> https://golang.org/src/crypto/x509/root_linux.go
|
|
|
|
|
With the Step 1. Minio server will get the certificate it needs, hence SSE-C
|
|
|
|
|
will be enabled.
|
|
|
|
|
|
|
|
|
|
Steps 2. and 3. will need to be repeated each time you get a new CA
|
|
|
|
|
certificate.
|
|
|
|
|
These steps can be automated this way:
|
|
|
|
|
Start Traefik with this command:
|
|
|
|
|
``sh -c "update-ca-certificates && traefik"``
|
|
|
|
|
while ``/usr/local/share/ca-certificates`` container path is mounted from the
|
|
|
|
|
host with the CA certificate produced by this script.
|
|
|
|
|
|
|
|
|
|
I am using Alpine Traefik image, the correct ca certificates path is
|
|
|
|
|
``/usr/local/share/ca-certificates/``, otherwise one of these
|
|
|
|
|
https://golang.org/src/crypto/x509/root_linux.go
|
|
|
|
|
|
|
|
|
|
- ``docker-compose.yml`` example with the gencert script:
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
version: '3'
|
|
|
|
|
|
|
|
|
|
networks:
|
|
|
|
|
oasis: {}
|
|
|
|
|
|
|
|
|
|
services:
|
|
|
|
|
minio:
|
|
|
|
|
restart: unless-stopped
|
|
|
|
|
image: minio/minio
|
|
|
|
|
networks:
|
|
|
|
|
- oasis
|
|
|
|
|
volumes:
|
|
|
|
|
- /srv/data/minio:/data
|
|
|
|
|
- /srv/data/minio/start/gencert.sh:/gencert.sh:ro
|
|
|
|
|
entrypoint: sh -c "cd /root/.minio/certs && /gencert.sh --cn minio.example.com && minio server /data"
|
|
|
|
|
environment:
|
|
|
|
|
- "MINIO_ACCESS_KEY=redacted"
|
|
|
|
|
- "MINIO_SECRET_KEY=redacted"
|
|
|
|
|
labels:
|
|
|
|
|
- "traefik.enable=true"
|
|
|
|
|
- "traefik.frontend.rule=Host: minio.example.com"
|
|
|
|
|
- "traefik.frontend.passHostHeader=true"
|
|
|
|
|
- "traefik.port=9000"
|
|
|
|
|
|
|
|
|
|
traefik:
|
|
|
|
|
restart: unless-stopped
|
|
|
|
|
image: traefik:1.6-alpine
|
|
|
|
|
volumes:
|
|
|
|
|
- /srv/data/traefik/acme:/etc/traefik/acme
|
|
|
|
|
- /srv/data/traefik/traefik.toml:/etc/traefik/traefik.toml:ro
|
|
|
|
|
- /var/run/docker.sock:/var/run/docker.sock:ro # listen to the Docker events.
|
|
|
|
|
- /srv/data/traefik/ca-certs:/usr/local/share/ca-certificates:ro
|
|
|
|
|
command: sh -c "update-ca-certificates && traefik"
|
|
|
|
|
networks:
|
|
|
|
|
- oasis
|
|
|
|
|
ports:
|
|
|
|
|
- "127.0.0.1:8080:8080"
|
|
|
|
|
- "80:80"
|
|
|
|
|
- "443:443"
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Drawbacks
|
|
|
|
|
|
|
|
|
|
|
