Introduction

In the author's setup MinIO served HTTPS on the default port 443 and could not be moved off it, which collides with Nginx listening on 443 on the same host.

The fix chosen here is to change how MinIO is deployed: instead of running the minio binary directly on the host, run it inside Docker and publish the container's port 443 on a different host port (8443 below) that Nginx can proxy to.

Note that in HTTPS mode MinIO is no longer reachable over plain HTTP on port 80. If that is really needed, add a port 80 server block in Nginx rather than exposing port 80 from the container.

Stop MinIO and disable it at boot

systemctl stop minio
systemctl disable minio

Generate the MinIO certificate

MinIO publishes a small self-signed certificate generator, certgen. Run it inside MinIO's certs directory: it writes public.crt and private.key there, which MinIO serves as its TLS certificate. Pass every name MinIO will be reached by to -host, including the wildcard used for virtual-host style bucket names:

mkdir -p ~/.minio/certs
cd ~/.minio/certs
wget https://github.com/minio/certgen/releases/latest/download/certgen-linux-amd64
mv certgen-linux-amd64 certgen
chmod +x certgen
./certgen -host "localhost,minio.domain.com,*.minio.domain.com"

Install Docker

Reference: https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-on-ubuntu-22-04

Check the UID and GID of minio-user

# id minio-user
uid=1000(minio-user) gid=1000(minio-user) groups=1000(minio-user)

Run MinIO with Docker

Replace --user uid:gid below with the uid and gid returned by id above. Because the process inside the container runs as that unprivileged uid, every bind-mounted path must be readable by it: /mnt/disk1 should be owned by minio-user, and /root/.minio/certs needs attention, since certgen was run as root (private.key is typically written with mode 0600) inside /root, which is mode 0700 on Ubuntu. Either chown the certs directory to minio-user and make its parents traversable, or generate the certificate under a directory minio-user owns and mount that instead.

#!/bin/bash
# Recreate the container from a freshly pulled image.
docker stop minio_local
docker rm minio_local
docker rmi minio/minio
# For production pin a release tag (minio/minio:RELEASE.<date>) instead of the floating "latest".
docker pull minio/minio
# --address is a single flag; passing it twice (:80 and :443) only keeps the last value,
# so the container listens on 443 only and no host port 80 is published (Nginx keeps it).
docker run -d \
  --user 1000:1000 \
  -p 9001:9001 -p 8443:443 \
  -v /mnt/disk1:/mnt/disk1 \
  -v /root/.minio/certs:/certs \
  -v /etc/default/minio:/etc/config.env \
  -e "MINIO_CONFIG_ENV_FILE=/etc/config.env" \
  --name "minio_local" \
  minio/minio server --address :443 --console-address :9001 --certs-dir /certs
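The script above assumes the uid:gid and the bind-mounted paths are already right; the following pre-flight script, an added example that is not part of the original post, checks those assumptions before the container is started. It parses the output of id into docker's --user form, verifies that the directory to be mounted at /certs holds certgen's public.crt and private.key with a key that is not world-readable and is reachable by the container uid, and prints (without executing) the docker run command. It assumes GNU coreutils stat -c (an Ubuntu host) and the post's paths /mnt/disk1, /root/.minio/certs and /etc/default/minio; the user and paths are the post's, the script name preflight.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the
# "docker run" step. Assumes GNU `stat -c` (Ubuntu) and the post's paths.

# Turn the output of `id minio-user`, e.g.
#   uid=1000(minio-user) gid=1000(minio-user) groups=1000(minio-user)
# into "1000:1000" for docker's --user flag. Fails on anything else.
parse_uid_gid() {
    local uid gid
    uid=$(printf '%s\n' "$1" | sed -n 's/^uid=\([0-9][0-9]*\)(.*/\1/p')
    gid=$(printf '%s\n' "$1" | sed -n 's/^uid=[^ ]* gid=\([0-9][0-9]*\)(.*/\1/p')
    [ -n "$uid" ] && [ -n "$gid" ] || return 1
    printf '%s:%s\n' "$uid" "$gid"
}

# Verify the directory that will be mounted at /certs: certgen must have
# written public.crt and private.key there, the key must not be readable by
# "others", and the key plus every directory on the path must be reachable by
# the container uid. Group permissions are ignored, so the check is
# conservative (it may reject a layout that works through group membership).
check_certs_dir() {
    local dir="$1" want_uid="$2"
    local crt="$dir/public.crt" key="$dir/private.key"
    local mode owner p
    case "$dir" in /*) ;; *) echo "use an absolute path" >&2; return 1 ;; esac
    [ -f "$crt" ] || { echo "missing $crt" >&2; return 1; }
    [ -f "$key" ] || { echo "missing $key" >&2; return 1; }
    mode=$(stat -c '%a' "$key")
    owner=$(stat -c '%u' "$key")
    case "$mode" in
        *[1-7]) echo "$key is readable by others (mode $mode)" >&2; return 1 ;;
    esac
    [ "$owner" = "$want_uid" ] || {
        echo "$key is owned by uid $owner, not $want_uid" >&2; return 1; }
    # Walk up from the cert dir: each directory must be owned by the container
    # uid or grant "others" execute (traverse) permission. /root is 0700 on
    # Ubuntu, which is why /root/.minio/certs fails for --user 1000:1000.
    p=$dir
    while [ "$p" != "/" ] && [ -n "$p" ]; do
        owner=$(stat -c '%u' "$p")
        mode=$(stat -c '%a' "$p")
        if [ "$owner" != "$want_uid" ]; then
            case "$mode" in
                *[1357]) ;;
                *) echo "$p is not traversable by uid $want_uid (mode $mode)" >&2; return 1 ;;
            esac
        fi
        p=$(dirname "$p")
    done
    return 0
}

# Print the docker run command for the given uid:gid and host paths (not executed).
build_run_cmd() {
    local ugid="$1" data_dir="$2" certs_dir="$3" env_file="$4"
    local image="${5:-minio/minio}"   # pin a release tag in production
    printf 'docker run -d --user %s -p 9001:9001 -p 8443:443' "$ugid"
    printf ' -v %s:/mnt/disk1 -v %s:/certs -v %s:/etc/config.env' \
        "$data_dir" "$certs_dir" "$env_file"
    printf ' -e MINIO_CONFIG_ENV_FILE=/etc/config.env --name minio_local'
    printf ' %s server --address :443 --console-address :9001 --certs-dir /certs\n' "$image"
}

# Stand-alone use on the host: sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then
    ugid=$(parse_uid_gid "$(id minio-user)") || exit 1
    check_certs_dir /root/.minio/certs "${ugid%%:*}" || exit 1
    build_run_cmd "$ugid" /mnt/disk1 /root/.minio/certs /etc/default/minio
fi
```

Run it with --check as root before the docker run line; if check_certs_dir reports /root as not traversable, that is the permission problem described above, and the fix is to move or chown the certs directory, not to run the container as root.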

Test whether MinIO started correctly

# curl localhost:9001
Client sent an HTTP request to an HTTPS server.

That reply is Go's HTTP server rejecting a plaintext request on a TLS port, so it confirms the console listener is now serving TLS. For a real check, request https://localhost:8443 (the API) with certgen's public.crt passed as the trusted CA; curl -k also works but skips certificate validation entirely.

Edit the Nginx configuration

In short, change proxy_pass http://127.0.0.1 to proxy_pass https://localhost:8443; the other proxy_pass lines need the same change (the console moves to https://localhost:9001).

server {
    listen 443 ssl http2;
    server_name minio.domain.com;
    ssl_certificate     "/etc/letsencrypt/live/minio.domain.com/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/minio.domain.com/privkey.pem";

    # Allow special characters in headers
    ignore_invalid_headers off;
    # Allow any size file to be uploaded.
    # Set to a value such as 1000m; to restrict file size to a specific value
    client_max_body_size 0;
    # Disable buffering
    proxy_buffering off;
    proxy_request_buffering off;

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_connect_timeout 300;
        # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        chunked_transfer_encoding off;

        # MinIO API: the container's 443 is published on host port 8443, so the
        # upstream is HTTPS on that port. There is no upstream {} block here; add
        # one if you later load-balance several MinIO nodes.
        proxy_pass https://localhost:8443;
        # previous value, plain HTTP to the minio binary on the host:
        # proxy_pass http://127.0.0.1;
    }

    location /minio/ui/ {
        rewrite ^/minio/ui/(.*) /$1 break;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-NginX-Proxy true;

        # This is necessary to pass the correct IP to be hashed
        real_ip_header X-Real-IP;

        proxy_connect_timeout 300;

        # To support websockets in MinIO versions released after January 2023
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        chunked_transfer_encoding off;

        # MinIO Console; it serves TLS with the same certificate as the API.
        # When the console is published under a sub-path like /minio/ui/, MinIO
        # also needs MINIO_BROWSER_REDIRECT_URL=https://minio.domain.com/minio/ui/
        # in /etc/default/minio, otherwise its redirects point at the wrong place.
        proxy_pass https://localhost:9001;
    }
}



server {
    listen 443 ssl http2;
    # Wildcard names for virtual-host style bucket access: bucket.minio.domain.com
    server_name ~^([\w-]+)\.minio\.domain\.com$;

    # This Let's Encrypt certificate must carry the *.minio.domain.com SAN
    # (a wildcard certificate, issued via DNS-01) for this server block to work.
    ssl_certificate     "/etc/letsencrypt/live/minio.domain.com/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/minio.domain.com/privkey.pem";

    # Allow special characters in headers
    ignore_invalid_headers off;
    # Allow any size file to be uploaded.
    # Set to a value such as 1000m; to restrict file size to a specific value
    client_max_body_size 0;
    # Disable buffering
    proxy_buffering off;
    proxy_request_buffering off;

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_connect_timeout 300;
        # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        chunked_transfer_encoding off;

        # previous value, plain HTTP to the minio binary on the host:
        # proxy_pass http://localhost$request_uri;
        proxy_pass https://localhost:8443$request_uri;
    }
}
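One caveat a practitioner will want on top of the configuration above: Nginx's proxy_ssl_verify directive defaults to off, so as written both server blocks accept whatever certificate is presented on 127.0.0.1:8443 and :9001, which makes the HTTPS hop between Nginx and MinIO encrypted but unauthenticated. Since certgen's self-signed public.crt is already on the host, Nginx can pin it. The following fragment is an added example, not part of the original post or of MinIO's documentation; the certificate path is the post's /root/.minio/certs and the name minio.domain.com is the one given to certgen -host. Put the directives inside each location that proxies to MinIO, or once at server {} level.

```nginx
# Added example: authenticate the MinIO upstream instead of trusting any
# certificate on the loopback port. Works for both proxy_pass https://localhost:8443
# (API) and proxy_pass https://localhost:9001 (console), which share one certificate.
proxy_ssl_verify              on;
# certgen's public.crt is self-signed, so it is its own trust anchor (depth 1).
proxy_ssl_trusted_certificate /root/.minio/certs/public.crt;
proxy_ssl_verify_depth        1;
# Send SNI and check the certificate against this name; it must be one of
# the names passed to `certgen -host` (localhost would also match here).
proxy_ssl_server_name         on;
proxy_ssl_name                minio.domain.com;
proxy_ssl_protocols           TLSv1.2 TLSv1.3;
proxy_ssl_session_reuse       on;
```

Nginx reads the trusted certificate as root while loading the configuration, so the 0700 mode of /root does not get in the way here. Whenever certgen is re-run, reload Nginx as well; otherwise verification fails and requests return 502 until it sees the new public.crt.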

Finally

MinIO should now start in HTTPS mode. Because clients reach it over TLS, server-side encryption with client-provided keys (SSE-C), which MinIO only permits over a TLS connection, is now usable.