Remove MinIO console from public Tailscale funnel #277

New issue

Open

opened 2026-04-10 01:10:53 +00:00 by forgejo_admin · 0 comments

forgejo_admin commented

2026-04-10 01:10:53 +00:00

Contributor

Type

Bug

Lineage

Discovered during Mercury banking scoping session — audited MinIO funnel exposure.

Repo

pal-e-platform

What Broke

MinIO admin console is exposed to the public internet via Tailscale funnel annotation. The login page is reachable by anyone at minio.tail5b443a.ts.net with no WAF or rate limiting. Root user is admin.

Repro Steps

Open https://minio.tail5b443a.ts.net from any browser (no Tailscale required)
MinIO login page is publicly accessible

Expected Behavior

MinIO console should only be reachable from within the tailnet (Tailscale ingress, not funnel). The S3 API funnel for serving public assets remains unchanged.

Environment

terraform/modules/networking/main.tf lines 288-317
Tailscale funnel annotation on minio-funnel ingress

Acceptance Criteria

tailscale.com/funnel annotation removed or set to false on minio-funnel ingress (line 295)
tofu plan -lock=false shows only the console ingress change
tofu apply successful
minio.tail5b443a.ts.net no longer reachable from public internet
minio-api.tail5b443a.ts.net still serves public assets (S3 API funnel unchanged)
MinIO console still accessible from tailnet
Verify westside-app (westside-landing) assets still load correctly — no disruption to any current image/asset URLs served via S3 API funnel

S3 API funnel (minio-api-funnel, lines 319-348) intentionally remains public for CDN asset serving
westside-app depends on public S3 API for asset loading — must not be disrupted

### Type Bug ### Lineage Discovered during Mercury banking scoping session — audited MinIO funnel exposure. ### Repo pal-e-platform ### What Broke MinIO admin console is exposed to the public internet via Tailscale funnel annotation. The login page is reachable by anyone at `minio.tail5b443a.ts.net` with no WAF or rate limiting. Root user is `admin`. ### Repro Steps 1. Open `https://minio.tail5b443a.ts.net` from any browser (no Tailscale required) 2. MinIO login page is publicly accessible ### Expected Behavior MinIO console should only be reachable from within the tailnet (Tailscale ingress, not funnel). The S3 API funnel for serving public assets remains unchanged. ### Environment - `terraform/modules/networking/main.tf` lines 288-317 - Tailscale funnel annotation on `minio-funnel` ingress ### Acceptance Criteria - [ ] `tailscale.com/funnel` annotation removed or set to `false` on `minio-funnel` ingress (line 295) - [ ] `tofu plan -lock=false` shows only the console ingress change - [ ] `tofu apply` successful - [ ] `minio.tail5b443a.ts.net` no longer reachable from public internet - [ ] `minio-api.tail5b443a.ts.net` still serves public assets (S3 API funnel unchanged) - [ ] MinIO console still accessible from tailnet - [ ] Verify westside-app (westside-landing) assets still load correctly — no disruption to any current image/asset URLs served via S3 API funnel ### Related - S3 API funnel (`minio-api-funnel`, lines 319-348) intentionally remains public for CDN asset serving - westside-app depends on public S3 API for asset loading — must not be disrupted