
Serving Static Files Securely with MinIO Object Storage

MinIO is a high-performance, S3-compatible object storage server that can be self-hosted or consumed as a service. It is a convenient way to serve static assets such as images, videos, and documents for a website or application. Getting the access permissions right is the crucial part: the files must be readable by anyone, while the bucket itself stays protected from anonymous writes.

The Challenge: Public Access Without Security Risks

When serving static files, you typically want:

  1. Files to be publicly accessible via direct URLs
  2. Protection against unauthorized modifications or deletions
  3. Simple configuration that doesn’t require authentication for viewing

The "Public" access preset offered in the MinIO console is the wrong tool for this, and the console says so itself:

"Warning: With Public access anyone will be able to upload, download and delete files from this Bucket"

Anonymous upload and delete is clearly not what we want for static file hosting: anyone on the internet could overwrite an image on your site or wipe the bucket.

The Solution: Anonymous Read-Only Access

Here’s how to properly configure MinIO for secure static file serving:

Step 1: Create Your Bucket

First, create a bucket for your static files. In this example, I created a bucket called blog with files organized in subdirectories:

blog/
  alpine-linux/
    debian-install.png
    grub-cl.png
    grub-menu.png
    iso-verification.png

Step 2: Set the Bucket Policy to "Private"

This might seem counterintuitive, but start by setting the bucket policy to "Private" in the MinIO console. "Private" removes every anonymous grant, including the upload and delete permissions that the "Public" preset hands out, so you begin from a clean slate and then add back only the access you actually need. Existing public URLs will stop working until the next step is complete.

Step 3: Configure Anonymous Access Rules

This is the key step that enables secure public access:

  1. In the MinIO console, navigate to your bucket
  2. Find the "Anonymous" panel or tab
  3. Click "Add Access Rule"
  4. Configure the rule:
    • Prefix: Set to / or * to cover every object in the bucket, or to a specific directory prefix such as alpine-linux/ if you only want to expose that directory. Prefixes are relative to the bucket root, so for the blog bucket above the prefix is alpine-linux/, not /blog/alpine-linux/.
    • Access: Set to readonly
  5. Save the rule and ensure it’s enabled

One caveat: a read-only anonymous rule typically also grants listing (s3:ListBucket) for that prefix, not just s3:GetObject, so anyone can enumerate the object names under it. Inspect the bucket policy the console generated to see exactly what was granted, and in any case never keep anything sensitive under a public prefix, since its name and contents become discoverable.
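The console rule above is just a convenient editor for an S3 bucket policy. The following Python example, added here and not taken from the post or from MinIO, builds the equivalent anonymous read-only policy for a bucket and prefix (the post's blog bucket and alpine-linux/ directory are used as sample values), places it next to an approximation of what the "Public" preset grants (constructed for comparison), and audits any policy document for anonymous write grants so you can check what you actually ended up with. It uses only the standard library.

```python
"""Build an anonymous read-only bucket policy and audit a policy for anonymous writes.

Added example (not from the original post or from MinIO). The policy documents
follow the S3 bucket-policy format that MinIO accepts; bucket "blog" and prefix
"alpine-linux/" are the post's sample values.
"""
import fnmatch
import json

ANON_PRINCIPAL = {"AWS": ["*"]}

# Actions that let an anonymous caller add, change or remove content.
WRITE_ACTIONS = {
    "s3:PutObject", "s3:DeleteObject", "s3:DeleteObjectVersion",
    "s3:AbortMultipartUpload", "s3:PutBucketPolicy", "s3:DeleteBucket",
}

# Approximation (constructed here) of what the console's "Public" preset grants.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": ANON_PRINCIPAL,
         "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::blog"]},
        {"Effect": "Allow", "Principal": ANON_PRINCIPAL,
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                    "s3:AbortMultipartUpload"],
         "Resource": ["arn:aws:s3:::blog/*"]},
    ],
}


def read_only_policy(bucket, prefix="", allow_list=False):
    """Return a policy granting anonymous s3:GetObject under bucket/prefix.

    allow_list=True additionally grants s3:ListBucket restricted to the prefix,
    which lets anyone enumerate object names. Off by default: a static site
    links to objects by exact path and does not need listing.
    """
    prefix = prefix.strip("/")
    object_arn = f"arn:aws:s3:::{bucket}/{prefix + '/' if prefix else ''}*"
    statements = [{"Effect": "Allow", "Principal": ANON_PRINCIPAL,
                   "Action": ["s3:GetObject"], "Resource": [object_arn]}]
    if allow_list:
        stmt = {"Effect": "Allow", "Principal": ANON_PRINCIPAL,
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"]}
        if prefix:
            stmt["Condition"] = {"StringLike": {"s3:prefix": [prefix + "/*"]}}
        statements.append(stmt)
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _is_anonymous(principal):
    """True for the principal forms that mean 'everyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def anonymous_write_grants(policy):
    """Return (action, resource) pairs where an anonymous caller may write.

    Action patterns such as "s3:*" or "s3:Put*" are expanded with fnmatch so a
    wildcard grant is caught as well. An empty list means no anonymous writes.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        for action in _as_list(stmt.get("Action")):
            if any(fnmatch.fnmatchcase(w.lower(), action.lower()) for w in WRITE_ACTIONS):
                findings.extend((action, res) for res in _as_list(stmt.get("Resource")))
    return findings


if __name__ == "__main__":
    policy = read_only_policy("blog", "alpine-linux")
    print(json.dumps(policy, indent=2))
    print("read-only policy anonymous writes:", anonymous_write_grants(policy))
    print("'Public' preset anonymous writes:", anonymous_write_grants(PUBLIC_POLICY))
```

The printed policy can be applied with the MinIO client (mc anonymous set-json) or through any S3 PutBucketPolicy call; conversely, the policy MinIO generated from the console rule can be pulled with mc anonymous get-json and fed to anonymous_write_grants to confirm that the "Public" grants are really gone.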

Step 4: Test Access

Your files should now be accessible without credentials via path-style URLs of the form:

https://[your-minio-endpoint]/[bucket-name]/[object-path]

For example:

https://static.example.com/blog/alpine-linux/grub-cl.png
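Checking that the image loads in a browser only proves the read side. The script below, an added example rather than anything from the post, probes one object URL anonymously with GET, HEAD, PUT and DELETE and reports whether reads succeed while writes are refused, which is the property the whole setup is meant to guarantee. The URL is passed on the command line; without one it starts a small local stand-in server (constructed here, not MinIO) that answers like a correctly configured read-only bucket, so the script also runs offline.

```python
"""Verify that an object URL is anonymously readable but not writable.

Added example, not part of the original post. Usage against a real endpoint:
    python probe_access.py https://static.example.com/blog/alpine-linux/grub-cl.png
With no argument a local stub (constructed, not MinIO) is started instead.
"""
import sys
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# What a read-only anonymous rule should produce for an existing object.
EXPECTED = {"GET": 200, "HEAD": 200, "PUT": 403, "DELETE": 403}


def status_for(url, method, body=None):
    """Send one unauthenticated request and return the HTTP status code."""
    req = urllib.request.Request(url, data=body, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe(url):
    """Return {method: status} for anonymous GET, HEAD, PUT and DELETE of url."""
    return {m: status_for(url, m, b"x" if m == "PUT" else None) for m in EXPECTED}


def check(results):
    """Return (ok, problems): ok means reads succeeded and writes were refused."""
    problems = []
    for method in ("GET", "HEAD"):
        if results.get(method) != 200:
            problems.append(f"{method} returned {results.get(method)}: object not readable")
    for method in ("PUT", "DELETE"):
        if results.get(method) not in (401, 403):
            problems.append(f"{method} returned {results.get(method)}: anonymous write NOT refused")
    return (not problems, problems)


class _ReadOnlyStub(BaseHTTPRequestHandler):
    """Constructed stand-in that behaves like a bucket with anonymous read only."""

    def _reply(self, code, body=b""):
        # Consume any request body so the client never sees a reset connection.
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(body)

    def do_GET(self):
        self._reply(200, b"fake png bytes")

    def do_HEAD(self):
        self._reply(200)

    def do_PUT(self):
        self._reply(403, b"AccessDenied")

    def do_DELETE(self):
        self._reply(403, b"AccessDenied")

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_stub():
    """Start the stub on a free local port and return a sample object URL."""
    server = HTTPServer(("127.0.0.1", 0), _ReadOnlyStub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}/blog/alpine-linux/grub-cl.png"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else start_stub()
    results = probe(target)
    ok, problems = check(results)
    print(results)
    print("OK: anonymous read only" if ok else "\n".join(problems))
    sys.exit(0 if ok else 1)
```

Run it against a URL of an object that exists; a 404 on GET means the path, not the policy, is wrong. A PUT or DELETE that comes back 200 or 204 means the "Public" grants are still in place and Step 2 needs to be repeated.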

Benefits of This Approach

  • Security: Files can be read by anyone but cannot be uploaded, modified or deleted without credentials
  • Simplicity: No authentication or signed URLs are required for viewing files
  • Flexibility: Different prefixes can carry different rules, so one bucket can mix public and private directories
  • Performance: Clients fetch objects directly from MinIO, with no proxy layer in between

Troubleshooting

If your files aren’t accessible after following these steps:

  1. Check URL format: Ensure you’re using the correct endpoint, bucket name and object path (the URL is path-style: endpoint, then bucket, then object key)
  2. Verify anonymous policy: Make sure the anonymous rule is enabled and inspect the bucket's effective policy to confirm it grants s3:GetObject for the prefix you expect
  3. CORS settings: If the browser fetches the files from a page on another origin (fonts, fetch/XHR, canvas), a CORS error in the browser console means the server's allowed origins (MinIO's MINIO_API_CORS_ALLOW_ORIGIN setting) do not include your site
  4. Check object paths: Object keys are case-sensitive and must match exactly how the objects are stored, including the directory prefix; a 404 points at the path, a 403 at the policy

Conclusion

MinIO’s anonymous access rules give a sensible balance between accessibility and security for serving static files. By avoiding the overly permissive "Public" preset and instead granting targeted read-only anonymous access, you can serve your static content without exposing it to unauthorized modification or deletion.

This approach is ideal for blog images, documentation assets, and other static content that needs to be publicly accessible but protected from tampering.