Minio Buckets not working behind Traefik reverse-proxy

Question

I have a minio docker service running, which is connectable on storage/console. My traefik also works for this.

But I suspect the connections to use the pattern BUCKET.backup.lo.domain.com which leads to a 404 from traefik.

I clearly see this pattern, for example, when using Cyberduck to connect (in the traefik logs and Cyberduck itself). The connection itself is possible (backup.lo.domain.com). I also get the buckets listed. But as soon as I click on the bucket it shows a modal with the bucket.lo.domain.com pattern and the traefik default certificate.

version: "3.8"
volumes:
    minio-data:
services:
  minio:
    container_name: minio-backup
    image: quay.io/minio/minio:RELEASE.2022-01-08T03-11-54Z
    networks:
      - traefik
    volumes:
      - minio-data:/data
    command:
      - server
      - /data
      - --console-address
      - ":9001"
    environment:
      - TZ=${TIME_ZONE}
      - MINIO_ROOT_USER=root
      - MINIO_ROOT_PASSWORD=password
      - MINIO_BROWSER_REDIRECT_URL=https://backup-console.lo.domain.com
      - MINIO_DOMAIN=https://backup.lo.domain.com
    labels:
      - traefik.enable=true
      - traefik.docker.network=traefik

      - traefik.http.routers.minio.service=minio
      - traefik.http.routers.minio.rule=Host(`backup.lo.domain.com`)
      - traefik.http.routers.minio.tls.certresolver=letsenc
      - traefik.http.routers.minio.entrypoints=websecure
      - traefik.http.services.minio.loadbalancer.server.port=9000

      - "traefik.http.routers.minio-console.service=minio-console"
      - "traefik.http.routers.minio-console.rule=Host(`backup-console.lo.domain.com`)"
      - "traefik.http.routers.minio-console.entrypoints=websecure"
      - "traefik.http.routers.minio-console.tls.certresolver=letsenc"
      - "traefik.http.services.minio-console.loadbalancer.server.port=9001"
    restart: unless-stopped

  traefik:
    image: traefik
    container_name: traefik
    command:
      - --providers.docker=true
      - --entryPoints.web.address=:80
      - --entryPoints.websecure.address=:443
    labels:
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls.certresolver=letsenc"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.tls.domains[0].main=lo.domain.com"
      - "traefik.http.routers.traefik.tls.domains[0].sans=*.lo.domain.com"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    restart: unless-stopped
    networks:
      traefik:
networks:
  traefik_public:

Any ideas? Could I use something like wildcards for subdomains?

Answer 1

The problem here is that buckets do not have sub-domain DNS entries in your setup. If you disable this and use path-style requests things should work fine: https://docs.cyberduck.io/protocols/s3/#disable-use-of-virtual-host-style-requests

Specifically, you need to set s3.bucket.virtualhost.disable to true in Cyberbuck.