Domains, Certificates, Proxies

To enable proper HTTPS support the Relayer machine will need a valid SSL certificate. This involves owning a domain, and using a certificate authority to issue a certificate verifying that your network is the correct destination for your domain.

Domain Names

To obtain an SSL cert, a registered domain name is required. If you do not have one, there are many reasonably priced options. It is generally unimportant which domain registry is chosen, however for Option 2 you will need them to support custom DNS nameservers (most will).

Option 1 – Certificate from Domain Registry

Many domain registries will offer (sometimes as an add-on) the ability to obtain a certificate directly from them. This is the most straightforward choice to achieve HTTPS support, but has some limitations, such as certificates not auto-renewing. All certificates are issued with expiration dates, and a new certificate will need to be applied before expiry to ensure no disruption to HTTPS service.

A certificate issued through a domain registry will most commonly be in the form of two files: a public certificate .crt, .cer, or .pem filetype, and a private key .key or .pem filetype. Additionally, a certificate authority bundle can also be provided.

UI Relayer

With these two files in hand, simply open up the UI and visit the Configuration tab. Under General Configuration, select Custom SSL Certificate from the Certificate Type dropdown, and upload the relevant files to the interface.
Information on the applied certificate will populate to the right side of the tab when Custom SSL Certificate is selected.

CLI Relayer

During the configuration of the setup script, one of the prompts will be regarding HTTPS and certificates. Simply run the setup.sh script again if you need to reconfigure an existing install. When prompted, provide the path to a public.crt and private.key files (must be these exact names). The Relayer should then be able to start MinIO with HTTPS using the provided certificate information.

Using the Endpoint

Before the domain will be usable from the internet, a port will need to be opened. For a system directly on the internet (such as a VPS) this may not be a problem, but any device behind a router will need a forward to the Relayer machine. This forwarding process is outlined in a document on the storage provider docs.

The default HTTPS port is 443. There are several options to make this work with MinIO:

• Start MinIO on port 443 (it defaults to 9000). Change this in the Relayer’s .env.
• Keep MinIO on port 9000, and access it via https://<Your Domain>:9000 instead.
• Keep MinIO on port 9000, and set the port forward rule to map external port 443 traffic to internal port 9000.

With the desired port forwarded to the machine, you can begin using your domain as an S3 endpoint featuring full SSL support.

Option 2 – Cloudflare & Proxy

Using Cloudflare and a proxy service (in this case Traefik) is a more involved setup, but brings about more options and features not possible with Option 1. The below guide will outline setting up on a Linux-based Relayer, and uses documentation from Cloudflare and Traefik which is more detailed and should be referred to for any troubleshooting.

Step 1 – Cloudflare Creation

You will need to create a Cloudflare account if you do not have one already. The free tier is sufficient for everything covered in this guide. Once logged in, visit the main dashboard, and click “Add site” in the upper right. Provide the domain name and follow through the menu process, also outlined in this document.

Step 2 – DNS Nameserver Change

You should eventually be provided with Cloudflare Nameservers to use for DNS purposes. To do this, you will need to return to your domain registry and find where to input a Custom DNS nameserver. Put the two nameservers provided to you by Cloudflare there, and save. This usually takes a few minutes to update, and can be checked on within the Cloudflare DNS dashboard.

Step 3 – DNS Records

Visit Cloudflare’s DNS Records page for your domain. All Records made previously with the registrar will not carry over, and will need to be recreated with Cloudflare. Edit/create an A record type, perhaps called relayer, with the content being your network/machine’s Public IPv4. While here, also make a CNAME record called relayer-admin with the content relayer.yourdomain, substituting yourdomain for your full domain name. Feel free to leave the Proxy enabled – it can simplify troubleshooting to leave off, but you also lose Cloudflare’s many benefits.

Step 3.5 – Encryption Mode

Additionally, head to the SSL/TLS menu along the left side, and from Overview choose Full (strict) encryption mode.

Step 4 – API Token

Lastly, we’ll need to generate a DNS API token. In the top right of the Cloudflare dashboard click and visit “My Profile.” Along the left of the screen visit the API Tokens screen, and click the button labelled Create Token. Choose the Edit zone DNS template, changing only the Zone Resources Specific zone -> All zones, Create Token, and then Continue to Summary. Protect this API Token, as it is sensitive information, and keep it for the next step.

Step 5 – Traefik Configuration

Next we will configure Traefik, which conveniently deploys using Docker-compose. Other proxy services such as nginx or HAProxy can work as well.

We will edit the existing Relayer docker-compose.yml file to add the Traefik service, inspired by this guide. Use your existing docker-compose file for everything up to the commented (#) line.

version: "3.4"
services:
  xns:
    container_name: xns-relayer
    image: scprime/xns-relayer:stable
    restart: unless-stopped
    volumes:
      - ./relayer-data:/relayer
      #- /mnt/disk2/relayer-cache:/relayer/meta
    ports:
      - ${UI_PORT}:8888
      - ${MINIO_PORT}:9000
    env_file:
      - .env
# replace above with your existing compose.yml
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.relayer.service=relayer"
      - "traefik.http.routers.relayer.rule=Host(`relayer.YOUR_DOMAIN`)"
      - "traefik.http.services.relayer.loadbalancer.server.port=9000"
      - "traefik.http.routers.relayeradmin.service=relayeradmin"
      - "traefik.http.routers.relayeradmin.rule=Host(`relayer-admin.YOUR_DOMAIN`)"
      - "traefik.http.services.relayeradmin.loadbalancer.server.port=8888"
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    command:
      - --providers.docker.exposedbydefault=false
      #- --log.level=DEBUG
      - --providers.docker=true
      - --certificatesresolvers.letsencrypt.acme.dnschallenge=true
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.http.tls=true
      - --entrypoints.websecure.http.tls.certResolver=letsencrypt
    environment:
      - CLOUDFLARE_EMAIL=CLOUDFLARE_ACCOUNT_EMAIL_ADDRESS
      - CLOUDFLARE_DNS_API_TOKEN=CLOUDFLARE_TOKEN
    ports:
      - 80:80
      - 443:443
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

Edit the above template to provide your Cloudflare account’s e-mail address where CLOUDFLARE_ACCOUNT_EMAIL_ADDRESS is (note: case sensitive), the API Token from earlier in place of CLOUDFLARE_TOKEN, and YOUR_DOMAIN as your web domain name. Save and exit.

Step 6 – Traefik Startup, Port Forward

You can now start Traefik by stopping the Relayer container (if running), and starting with docker-compose up -d. Before the domain will be usable from the internet, port 443 (the HTTPS port) will need to be open. For a system directly on the internet (such as a VPS) this may not be a problem, but any device behind a router will need this port forwarded to the machine running Traefik. This forwarding process is outlined in a document on the storage provider docs. Note that if Traefik is not running, the port may show as closed.

Step 7 – Relayer Config

With port 443 accessible, head to the Relayer Dashboard. From the Configuration tab, select No SSL for the Endpoint Certification Type. MinIO will run in HTTP mode; this is because SSL is used to reach the proxy, and not the Relayer’s MinIO endpoint directly. You can still securely connect to your endpoint using HTTPS. Save, and click Restart from the Dashboard.

Using the Endpoint

Visiting https://relayer.YOUR_DOMAIN/ in a web browser should land the MinIO web-UI, with a “lock” icon next to the domain in the browser bar. This lock can be clicked to eventually display the domain’s certificate, which should be freshly issued.

If something other than this occurs, be sure every step was performed carefully, read over the linked resources, and troubleshoot to the best of your ability (uncommenting the log.level=DEBUG line and docker logs may prove helpful). The loaded certificates can be directly checked by opening letsencrypt/acme.json – there will be a barebones default certificate at all times, with generated ones appearing underneath. Traefik can be challenging to troubleshoot, but once it is running properly it has a reputation of continuing without problem.

The certificates issued through Traefik (using LetsEncrypt) are valid for 90 days. These should auto-renew every 60 days, providing a 30-day buffer.

S3 client software should be able to connect directly to relayer.yourdomain using HTTPS, even without specifying a port. This URL is effectively piped to what the previous <local IP>:9000 used. Visiting this URL in a web browser yields the MinIO interface.