This article builds on the previous one: Deploying multi-node MinIO on Ubuntu 22.04. Read that first.
Introduction
The setup from the previous article keeps MinIO's HTTPS listener on the default port 443, which collides with Nginx listening on 443 on the same host.
This article therefore switches from running the minio binary directly to running MinIO inside Docker: the container listens on 443 internally and Docker maps it to a different host port (8443 below), so Nginx keeps 443 for itself.
Note that in HTTPS mode MinIO is no longer reachable on port 80. If you really need port 80, add a listen 80 server block in Nginx instead (for example one that redirects to HTTPS).
Stop MinIO and disable it at boot
systemctl stop minio
systemctl disable minio
Generate the MinIO certificate
MinIO provides a convenient self-signed certificate generator, certgen; use it to generate the certificate MinIO itself will serve. certgen writes public.crt and private.key into the current directory, which is why we cd into ~/.minio/certs first. This certificate is only ever seen by Nginx on the loopback hop; clients see the Let's Encrypt certificate that Nginx presents.
mkdir -p ~/.minio/certs
cd ~/.minio/certs
wget https://github.com/minio/certgen/releases/latest/download/certgen-linux-amd64
mv certgen-linux-amd64 certgen
chmod +x certgen
./certgen -host "localhost,minio.domain.com,*.minio.domain.com"
Install Docker
参考:https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-on-ubuntu-22-04
Check the UID and GID of minio-user
# id minio-user
uid=1000(minio-user) gid=1000(minio-user) groups=1000(minio-user)
Run MinIO with Docker
Replace --user uid:gid below with the uid and gid from the id output above; the container then reads the data disk, the certs and the env file with exactly that user's permissions.
#!/bin/bash
# Recreate the MinIO container from the latest minio/minio image.
docker stop minio_local
docker rm minio_local
docker rmi minio/minio
docker pull minio/minio
# Ports are bound to 127.0.0.1 so only Nginx on this host can reach MinIO directly;
# drop the 127.0.0.1: prefix if other hosts must talk to the container without Nginx.
# MinIO binds a single --address and serves it over HTTPS as soon as certs are present
# in --certs-dir, so a separate :80 listener is not possible; port 80 is not published.
docker run -d \
  --user 1000:1000 \
  -p 127.0.0.1:9001:9001 -p 127.0.0.1:8443:443 \
  -v /mnt/disk1:/mnt/disk1 \
  -v /root/.minio/certs:/certs \
  -v /etc/default/minio:/etc/config.env \
  -e "MINIO_CONFIG_ENV_FILE=/etc/config.env" \
  --name "minio_local" \
  minio/minio server --address :443 --console-address :9001 --certs-dir /certs
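Before running the script above it is worth checking that the bind-mounted certificate directory is actually usable by the container's --user: the certs were generated as root under /root/.minio/certs, but the container reads them as uid 1000, and a root-owned private.key with mode 600 makes MinIO fail at startup. The pre-flight script below is an added example (not part of the original post and not MinIO's own tooling); it assumes certgen's default output names public.crt and private.key, GNU stat as shipped on Ubuntu, the uid:gid 1000:1000 from the id output above, and MinIO's /minio/health/live liveness endpoint on the published port 8443.

```shell
#!/bin/bash
# Added example: pre-flight check for the certs directory bind-mounted into the
# MinIO container. Assumes GNU stat (Ubuntu) and certgen's default file names.

# readable_by FILE UID GID -> 0 if a non-root process running as UID:GID can read FILE
# (plain owner/group/other permission bits only; ACLs and capabilities are ignored).
readable_by() {
    local file=$1 uid=$2 gid=$3 st
    st=$(stat -c '%u %g %a' "$file" 2>/dev/null) || return 1
    set -- $st              # $1 = owner uid, $2 = group gid, $3 = octal mode
    local mode=$((0$3))     # leading 0 makes the shell parse it as octal (600 -> 0600)
    if [ "$1" = "$uid" ] && [ $((mode & 0400)) -ne 0 ]; then return 0; fi
    if [ "$2" = "$gid" ] && [ $((mode & 0040)) -ne 0 ]; then return 0; fi
    [ $((mode & 0004)) -ne 0 ]
}

# world_readable FILE -> 0 if "other" has read permission on FILE
world_readable() {
    local st
    st=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ $((0$st & 0004)) -ne 0 ]
}

# check_cert_dir DIR UID GID -> 0 only if public.crt and private.key exist in DIR,
# both are readable by UID:GID (the value passed to docker run --user), and
# private.key is not world-readable. Every problem found is reported on stderr.
check_cert_dir() {
    local dir=$1 uid=$2 gid=$3 f rc=0
    for f in public.crt private.key; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing $dir/$f: run certgen inside $dir first" >&2
            rc=1
            continue
        fi
        if ! readable_by "$dir/$f" "$uid" "$gid"; then
            echo "$dir/$f is not readable by $uid:$gid (try: chown $uid:$gid $dir/$f)" >&2
            rc=1
        fi
    done
    if [ -f "$dir/private.key" ] && world_readable "$dir/private.key"; then
        echo "$dir/private.key is world-readable (try: chmod 640 $dir/private.key)" >&2
        rc=1
    fi
    return $rc
}

# minio_live PORT -> 0 once the S3 endpoint published on localhost:PORT answers its
# liveness probe over TLS. -k is needed because the backend certificate is self-signed;
# the hop is loopback only, so that is acceptable here.
minio_live() {
    curl -ksf -o /dev/null "https://localhost:${1:-8443}/minio/health/live"
}

# Usage: ./preflight.sh /root/.minio/certs 1000 1000 && ./run-minio.sh
if [ $# -eq 3 ]; then
    check_cert_dir "$1" "$2" "$3" && echo "certs in $1 are usable by $2:$3"
fi
```

Run it with the same uid:gid you pass to docker run --user; if it complains, chown the two files to that user (a chown of the directory itself is not needed, because the bind mount gives the container the directory directly, regardless of /root's own mode). After the container is up, minio_live 8443 is a more useful smoke test than a plain-HTTP curl, since it exercises the TLS listener end to end.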
Test whether MinIO started correctly
# curl localhost:9001
Client sent an HTTP request to an HTTPS server.
This reply is the expected result: the console on 9001 now only speaks TLS, so a plain-HTTP request is rejected instead of answered.
Modify the Nginx configuration
In short, change proxy_pass http://127.0.0.1 to proxy_pass https://localhost:8443, and make the same change wherever the old configuration pointed at the plain-HTTP MinIO. Two things to keep in mind. Nginx does not verify the backend certificate by default (proxy_ssl_verify is off); that is acceptable for this loopback hop, because clients only ever see the Let's Encrypt certificate Nginx presents, but if you want the hop verified, enable proxy_ssl_verify and point proxy_ssl_trusted_certificate at the public.crt that certgen produced (its SANs include localhost, which is the name Nginx checks for proxy_pass https://localhost). And the MinIO documentation for this Nginx layout expects MINIO_BROWSER_REDIRECT_URL to be set (here https://minio.domain.com/minio/ui/) in the MinIO environment file, so that console redirects go to the proxied path rather than straight to port 9001.
server {
    listen 443 ssl http2;
    server_name minio.domain.com;
    ssl_certificate "/etc/letsencrypt/live/minio.domain.com/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/minio.domain.com/privkey.pem";

    # Allow special characters in headers
    ignore_invalid_headers off;
    # Allow any size file to be uploaded.
    # Set to a value such as 1000m; to restrict file size to a specific value
    client_max_body_size 0;
    # Disable buffering
    proxy_buffering off;
    proxy_request_buffering off;

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_connect_timeout 300;
        # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        chunked_transfer_encoding off;
        # S3 API: host port 8443 is mapped to port 443 inside the container
        proxy_pass https://localhost:8443;
        # proxy_pass https://127.0.0.1;
    }

    location /minio/ui/ {
        rewrite ^/minio/ui/(.*) /$1 break;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-NginX-Proxy true;
        # This is necessary to pass the correct IP to be hashed
        real_ip_header X-Real-IP;
        proxy_connect_timeout 300;
        # To support websockets in MinIO versions released after January 2023
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        chunked_transfer_encoding off;
        # MinIO console, published on host port 9001; it is served over TLS too
        proxy_pass https://localhost:9001;
    }
}

server {
    listen 443 ssl http2;
    # Wildcard vhost for virtual-host-style access: bucket.minio.domain.com
    server_name ~^([\w-]+)\.minio\.domain\.com$;
    # The same certificate is reused here, so it must also cover *.minio.domain.com
    # (a wildcard certificate, which Let's Encrypt only issues via the DNS-01 challenge)
    ssl_certificate "/etc/letsencrypt/live/minio.domain.com/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/minio.domain.com/privkey.pem";

    # Allow special characters in headers
    ignore_invalid_headers off;
    # Allow any size file to be uploaded.
    # Set to a value such as 1000m; to restrict file size to a specific value
    client_max_body_size 0;
    # Disable buffering
    proxy_buffering off;
    proxy_request_buffering off;

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_connect_timeout 300;
        # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        chunked_transfer_encoding off;
        # Old plain-HTTP backend from the previous article, kept for reference:
        # proxy_pass http://localhost$request_uri;
        proxy_pass https://localhost:8443$request_uri;
    }
}
Finally
At this point MinIO should start in HTTPS mode. Accessing it over HTTPS also enables SSE-C (server-side encryption with customer-provided keys), which MinIO refuses over plain HTTP because the key travels in request headers.
Related article: using SSE-C when syncing files with rclone (still being written)