Minio & console behind Traefik reverse proxy

Question

I'm trying to get an instance of MinIO working on my Docker Compose stack with a Traefik reverse proxy. The docker compose for MinIO and Traefik look like this:

  traefik:
    container_name: traefik
    image: traefik:2.2.1
    restart: unless-stopped
    command:
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=true
      - --entryPoints.http.address=:80
      - --entryPoints.https.address=:443
      - --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,1>      - --entryPoints.traefik.address=:8080
      - --api=true
      - --log=true
      - --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
      - --accessLog=true
      - --accessLog.filePath=/traefik.log
      - --accessLog.bufferingSize=100
      - --accessLog.filters.statusCodes=400-499
      - --providers.docker=true
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME_CLOUD_SERVER`)
      - --providers.docker.exposedByDefault=false
      - --providers.docker.network=t2_proxy
      - --providers.docker.swarmMode=false
      - --providers.file.directory=/rules
      - --providers.file.watch=true
      - --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
      - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
    networks:
      - t2_proxy
    security_opt:
      - no-new-privileges:true
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      - target: 8080
        published: 8080
        protocol: tcp
        mode: host
    volumes:
      - $DOCKERDIR/traefik2/rules:/rules
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - $DOCKERDIR/traefik2/acme/acme.json:/acme.json
      - $DOCKERDIR/traefik2/traefik.log:/traefik.log
      - $DOCKERDIR/shared:/shared
    environment:
      - CF_API_EMAIL=$CLOUDFLARE_EMAIL
      - CF_API_KEY=$CLOUDFLARE_API_KEY
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik-rtr.service=api@internal"
      # HTTP-to-HTTPS Redirect
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # HTTP Routers
      - "traefik.http.routers.traefik-rtr.entrypoints=https"
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME_CLOUD_SERVER`)"
      - "traefik.http.routers.traefik-rtr.tls=true"
      - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME_CLOUD_SERVER"
      - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME_CLOUD_SERVER"
      ## Middlewares
      - "traefik.http.routers.traefik-rtr.middlewares=chain-oauth@file"

  minio:
    container_name: minio
    image: minio/minio
    restart: always
    command: server /data --console-address ":9001"
    security_opt:
      - no-new-privileges:true
    networks:
      - t2_proxy
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
      - MINIO_BROWSER_REDIRECT_URL=${MINIO_CONSOLE}
      - MINIO_DOMAIN=${MINIO_DOMAIN}
      - MINIO_ROOT_USER=${MINIO_ROOT_USER}
      - MINIO_ROOT_PASSWORD=${MINIO_ROOT_PASSWORD}
      - MINIO_SERVER_URL=${MINIO_SERVER}
    volumes:
      - /mnt/storage/minio:/data
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.minio-console-rtr.entrypoints=https"
      - "traefik.http.routers.minio-console-rtr.rule=Host(`minio.$DOMAINNAME_CLOUD_SERVER`)"
      - "traefik.http.routers.minio-console-rtr.tls=true"
      ## Middlewares
      - "traefik.http.routers.minio-console-rtr.middlewares=chain-oauth@file" # Google OAuth 2.0
      ## HTTP Services
      - "traefik.http.routers.minio-console-rtr.service=minio-console-svc"
      - "traefik.http.services.minio-console-svc.loadbalancer.server.port=9001"

      ## HTTP Routers
      - "traefik.http.routers.minio-rtr.entrypoints=https"
      - "traefik.http.routers.minio-rtr.rule=Host(`s3.$DOMAINNAME_CLOUD_SERVER`)"
      - "traefik.http.routers.minio-rtr.tls=true"
      ## Middlewares
      - "traefik.http.routers.minio-rtr.middlewares=chain-no-auth@file"
      ## HTTP Services
      - "traefik.http.routers.minio-rtr.service=minio-svc"
      - "traefik.http.services.minio-svc.loadbalancer.server.port=9000"

I can access the console just fine, but I am greeted with "An error has occurred The backend cannot be reached.". There's a red banner at the top saying "Get "": unsupported protocol scheme """. If I check the console, the response I get is a 500 on https://minio.domainname/api/v1/login, with an error message saying "unable to contact configured identity provider". Absolutely no idea where this might be coming from as I had it working with about the same stack a few months ago.

Answer 1

This error occurring form minio latest version, as you didn't mention the tag in your minio container image, it pulls the latest tag,

To solve just specify the previous version tag in your minio container with

image:minio/minio:RELEASE.2022-07-15T03-44-22Z

You can look on the below official repo for more specific version tag's

https://quay.io/repository/ricardbejarano/minio?tab=tags

As well please always go with the specific release tag and never pull the :latest in your dockerfile or docker-compose as it leads to unexpected results, since you didn't tested the latest version in your environment