Issue
Minio uses a long API key; however, nothing prevents anyone from hammering against it trying to gain access.
Minio S3 storage, while secure, has no way to tell me when someone is trying to break in.
This leads me to my goal…
Goal
To restrict access to only authorized IPs and/or domains
Initial Configuration
My Minio runs as a Docker container behind NPM; additionally, both the sending and receiving hosts are proxied through CloudFlare.
Solution
Create a rule in CloudFlare that blocks any traffic going to the Minio data URL that is:
not going to the correct end bucket
and
not containing the correct User-Agent
This isn’t perfect, but it will definitely block script kiddies and make life hell for anyone else with bad intent.
Update
I removed the destination folder requirement. This will broaden the rule’s scope to block any request to minio-s3-connect.blandford.tech unless the User-Agent matches one of my backup tools.
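Both versions of the rule written out in CloudFlare’s rule-expression syntax, as an added example rather than the rule from my dashboard; the host is the one named in the Update, while the bucket name `my-backup-bucket` and the User-Agent substrings `rclone` and `restic` are placeholders standing in for the real bucket and backup tools.

```text
Original rule (action: Block), as described under Solution: the request is
neither for the expected bucket nor from a known backup client
(http.host eq "minio-s3-connect.blandford.tech")
  and not starts_with(http.request.uri.path, "/my-backup-bucket/")
  and not (http.user_agent contains "rclone" or http.user_agent contains "restic")

Updated rule (action: Block), as described under Update: everything sent to
the host is blocked unless the User-Agent matches one of the backup tools
(http.host eq "minio-s3-connect.blandford.tech")
  and not (http.user_agent contains "rclone" or http.user_agent contains "restic")
```

CloudFlare only evaluates these expressions for traffic that actually passes through the proxied record, so the origin behind NPM should also accept connections only from CloudFlare’s published IP ranges. The User-Agent is client-supplied, which is why this is a noise filter on top of the API key rather than a replacement for it.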

