MinIO as an Enterprise CDN: Use Case & Benefits
Deploying MinIO on Kubernetes enables you to build a scalable, private CDN for assets (CSS, JS, images) used by web or mobile applications.
Key benefits include:
- Scalability: Automatically grows with application traffic.
- Performance: Built-in compression and cache headers optimize asset delivery.
- Security: Strict OWASP-compliant headers, access controls, and TLS encryption protect every asset.
- API Compatibility: S3 interface integrates with DevOps, CI/CD, and analytics pipelines.
- Multi-cloud Ready: Run in any Kubernetes, on-prem or cloud.
Below: a YAML-only Helm configuration for a production-ready, secure MinIO CDN with OWASP HTTP headers (CSP, CORS, HSTS, etc.) preconfigured for static asset serving.
```yaml
# minio-cdn-values.yaml — OWASP-hardened MinIO for secure static asset CDN
tenant:
  name: cdn-minio
  image:
    repository: minio/minio
    tag: RELEASE.2024-08-17T01-24-54Z
    pullPolicy: IfNotPresent
  pools:
    - name: pool-0
      servers: 4
      volumesPerServer: 2
      size: 100Gi
      storageClassName: fast-ssd
  console:
    image:
      repository: minio/console
      tag: v0.30.0
    replicaCount: 2
  users:
    - accessKey: cdn-admin
      secretKey: "CHANGEME_SUPER_SECRET"
      policy: consoleAdmin
  tls:
    enabled: true
    certSecret: minio-tls-secret
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
    runAsNonRoot: true
  env:
    # S3 public URLs and built-in compression
    - name: MINIO_SERVER_URL
      value: "https://cdn.your-domain.com"
    - name: MINIO_COMPRESSION_ENABLE
      value: "on"
    - name: MINIO_COMPRESSION_EXTENSIONS
      value: ".txt,.log,.csv,.json,.css,.js"
    - name: MINIO_COMPRESSION_MIME_TYPES
      value: "text/*,application/json,application/xml"
    # ── OWASP / HTTP security headers ────────────────
    # CSP: restrict asset sources to own CDN
    - name: MINIO_BROWSER_HEADER_CONTENT_SECURITY_POLICY
      value: "default-src 'self'; img-src 'self' https://cdn.your-domain.com/images; style-src 'self' https://cdn.your-domain.com/css; script-src 'self' https://cdn.your-domain.com/js"
    # CORS: only GET/HEAD from allowed origins
    - name: MINIO_API_CORS_ALLOW_ORIGIN
      value: "https://your-frontend.com,https://www.your-frontend.com"
    - name: MINIO_API_CORS_ALLOW_METHODS
      value: "GET,HEAD"
    - name: MINIO_API_CORS_ALLOW_HEADERS
      value: "Authorization"
    - name: MINIO_API_CORS_EXPOSE_HEADERS
      value: "ETag"
    - name: MINIO_API_CORS_MAX_AGE
      value: "3600"
    # HSTS
    - name: MINIO_BROWSER_HEADER_STRICT_TRANSPORT_SECURITY
      value: "max-age=63072000; includeSubDomains; preload"
    # Clickjacking, XSS, and content type protections
    - name: MINIO_BROWSER_HEADER_X_FRAME_OPTIONS
      value: "DENY"
    - name: MINIO_BROWSER_HEADER_X_CONTENT_TYPE_OPTIONS
      value: "nosniff"
    - name: MINIO_BROWSER_HEADER_REFERRER_POLICY
      value: "strict-origin-when-cross-origin"
    - name: MINIO_BROWSER_HEADER_PERMISSIONS_POLICY
      value: "geolocation=(), microphone=(), camera=()"
    - name: MINIO_BROWSER_HEADER_X_XSS_PROTECTION
      value: "1; mode=block"
service:
  type: ClusterIP
  port: 9000
consoleService:
  type: ClusterIP
  port: 9001
```
Deploy with:
```bash
helm repo add minio https://operator.min.io/
helm repo update
kubectl create ns minio-cdn
helm install cdn-minio minio/tenant -n minio-cdn -f minio-cdn-values.yaml
```
This configuration delivers a simple, cloud-native, secure CDN for your static resources—ready to connect with your ingress, asset pipeline, or development team needs.
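After deploying, it is worth confirming that responses from the endpoint actually carry the headers the values file configures. The following is an added example, not part of the original post: a Python audit that compares response headers captured with something like `curl -sI` against the header, CSP and CORS values from `minio-cdn-values.yaml`. The function names and both sample responses are constructed for illustration.

```python
# Added example: audit captured response headers against this page's values file.
# Expected values are copied from the env section of minio-cdn-values.yaml above.
EXPECTED = {
    "strict-transport-security": "max-age=63072000; includeSubDomains; preload",
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": "geolocation=(), microphone=(), camera=()",
}
ALLOWED_ORIGINS = {"https://your-frontend.com", "https://www.your-frontend.com"}
REQUIRED_CSP = ("default-src 'self'", "script-src 'self' https://cdn.your-domain.com/js")

def parse_headers(raw):
    """Parse `curl -sI`-style text into {lower-cased name: value}."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:  # the status line and blank lines have no colon
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """Return sorted findings; an empty list means the response matches the policy."""
    h = parse_headers(raw)
    findings = []
    for name, want in EXPECTED.items():
        got = h.get(name)
        if got is None:
            findings.append(f"missing {name}")
        elif got.casefold() != want.casefold():
            findings.append(f"mismatch {name}: {got}")
    csp = [d.strip() for d in h.get("content-security-policy", "").split(";")]
    findings += [f"csp lacks directive: {d}" for d in REQUIRED_CSP if d not in csp]
    acao = h.get("access-control-allow-origin")
    if acao is not None and acao not in ALLOWED_ORIGINS:
        findings.append(f"cors origin not allow-listed: {acao}")
    return sorted(findings)

# Constructed sample responses (not captured from a real deployment).
GOOD = "HTTP/1.1 200 OK\n" + "".join(f"{k}: {v}\n" for k, v in EXPECTED.items()) + (
    "content-security-policy: default-src 'self'; img-src 'self' https://cdn.your-domain.com/images; "
    "style-src 'self' https://cdn.your-domain.com/css; script-src 'self' https://cdn.your-domain.com/js\n"
    "access-control-allow-origin: https://your-frontend.com\n")
BAD = ("HTTP/1.1 200 OK\nX-Frame-Options: SAMEORIGIN\nX-Content-Type-Options: nosniff\n"
       "Referrer-Policy: strict-origin-when-cross-origin\n"
       "Permissions-Policy: geolocation=(), microphone=(), camera=()\n"
       "Access-Control-Allow-Origin: *\n")

if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("bad", BAD)):
        print(label, audit(raw) or "OK")
```

Run it against headers from both an asset URL and a CORS request that sends an `Origin` header, since the CORS response header is normally only returned for cross-origin requests.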