Getting Synology (Hyper Backup) to work with MinIO is not as simple as it looks, because three conditions have to be met:
1) Your S3 backend must be served over HTTPS.
2) Your S3 backend must have a domain name.
3) Bucket names must be addressable as subdomains of that domain (virtual-host style), i.e. <bucket>.<domain>.
For example, if I use s3.example.com, I not only have to obtain a certificate for that name, I also have to make sure that <bucket>.s3.example.com has a valid certificate and resolves correctly in DNS. So let's get to work. Whether or not to put nginx in front as a reverse proxy is a matter of taste; personally I have no strong preference.
First create a configuration file (you will of course change the password):
cat <<EOT >> /etc/default/minio
# Volume to be used for MinIO server.
MINIO_VOLUMES="/data"
# Use if you want to run MinIO on a custom port.
MINIO_OPTS="--address :9000 --console-address :9001"
# Domain under which buckets are addressed as <bucket>.s3.example.com
# (virtual-host style); this is what condition 3 above requires.
MINIO_DOMAIN=s3.example.com
# Root user for the server.
MINIO_ROOT_USER=minioadmin
# Root secret for the server. Change this before starting the service.
MINIO_ROOT_PASSWORD=minioadmin
EOT
Then create a systemd service and a dedicated unprivileged user for it:
( cd /etc/systemd/system/; curl -O https://raw.githubusercontent.com/minio/minio-service/master/linux-systemd/minio.service )
useradd minio-user -s /sbin/nologin
Of course I also have to change the working directory in minio.service:
WorkingDirectory=/data
Download the binary into /usr/local/bin:
wget https://dl.min.io/server/minio/release/linux-amd64/minio
chmod +x minio
mv minio /usr/local/bin/minio
Finally start MinIO:
systemctl enable minio.service
systemctl start minio.service
Once that tests OK, set up the certificates. They go in the following paths (relative to the MinIO service user's home directory). If you use an nginx reverse proxy you do not need certificates here; terminate TLS in nginx instead, the effect is the same.
.minio/certs/private.key
.minio/certs/public.crt
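Before pointing Hyper Backup at the endpoint, it is worth checking that the certificate actually satisfies conditions 1 to 3 above: it must cover the bare endpoint name and every <bucket>.<domain> name. The script below is an added example, not part of the original post or of MinIO; the SAN list EXAMPLE_SAN and the bucket names are constructed. It implements the single-label wildcard rule that TLS clients apply (a wildcard `*.s3.example.com` matches `backup.s3.example.com` but neither `s3.example.com` itself nor `my.bucket.s3.example.com`), which is exactly why a bucket name containing dots fails against a wildcard certificate. The fetch_san_list helper pulls the SAN list from a live endpoint with the standard library so the same check can be run against a real deployment.

```python
import socket
import ssl
from typing import Dict, Iterable, List

# Constructed example: the SAN entries you would expect on a certificate
# issued for s3.example.com plus a one-level wildcard for bucket vhosts.
EXAMPLE_SAN = ["s3.example.com", "*.s3.example.com"]


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN entry against a hostname the way TLS clients do.

    A wildcard may only replace the entire left-most label, so
    '*.s3.example.com' matches 'a.s3.example.com' but not 's3.example.com'
    and not 'a.b.s3.example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def bucket_endpoints_covered(
    san_list: Iterable[str], endpoint: str, buckets: Iterable[str]
) -> Dict[str, bool]:
    """For the endpoint and each virtual-host bucket name, report whether
    any SAN entry covers it. Keys are the hostnames a client will present."""
    san_list = list(san_list)
    hosts = [endpoint] + [f"{b}.{endpoint}" for b in buckets]
    return {h: any(hostname_matches(p, h) for p in san_list) for h in hosts}


def uncovered_hosts(san_list: Iterable[str], endpoint: str, buckets: Iterable[str]) -> List[str]:
    """Convenience wrapper: the hostnames Hyper Backup would fail TLS validation on."""
    return [h for h, ok in bucket_endpoints_covered(san_list, endpoint, buckets).items() if not ok]


def fetch_san_list(host: str, port: int = 443, timeout: float = 5.0) -> List[str]:
    """Fetch the DNS SAN entries of the certificate a live endpoint presents.
    Uses a verifying context, so it also fails if the chain is not trusted.
    Network access is required; not exercised by the offline checks below."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    # Offline run against the constructed SAN list; "my.bucket" is deliberately
    # a dotted name to show that a one-level wildcard does not cover it.
    report = bucket_endpoints_covered(EXAMPLE_SAN, "s3.example.com", ["synology-backup", "my.bucket"])
    for host, ok in report.items():
        print(f"{'OK  ' if ok else 'FAIL'} {host}")
```

Run it as-is for the offline check, or replace EXAMPLE_SAN with `fetch_san_list("s3.example.com")` to validate a real endpoint; any host listed as FAIL is a name Hyper Backup will refuse to talk to, and the fix is either a bucket name without dots or a certificate that explicitly lists the full bucket hostname.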
Here is a reverse-proxy example as well, though I have not verified it myself:
# Redirect plain HTTP to HTTPS for the endpoint and all bucket subdomains.
server {
    listen 80;
    listen [::]:80;
    server_name s3.example.com *.s3.example.com;
    return 301 https://$host$request_uri;
}
# S3 API: TLS is terminated here, MinIO itself speaks plain HTTP on 9000.
# The certificate must cover both s3.example.com and *.s3.example.com.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name s3.example.com *.s3.example.com;
    ssl_certificate /etc/nginx/ssl/s3.example.com/public.crt;
    ssl_certificate_key /etc/nginx/ssl/s3.example.com/private.key;
    # add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
    # TLS 1.0 and 1.1 are deprecated; only offer 1.2 and 1.3.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_dhparam /etc/nginx/dhparam.pem;
    # To allow special characters in headers
    ignore_invalid_headers off;
    # Allow any size file to be uploaded.
    # Set to a value such as 1000m; to restrict file size to a specific value
    client_max_body_size 0;
    # To disable buffering
    proxy_buffering off;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Pass the original Host header through unchanged: MinIO derives the
        # bucket name from <bucket>.s3.example.com, so rewriting it breaks
        # virtual-host style addressing.
        proxy_set_header Host $http_host;
        proxy_connect_timeout 300;
        # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        chunked_transfer_encoding off;
        proxy_pass http://10.30.190.248:9000;
    }
}
# MinIO web console on 9001, same certificate and TLS settings.
server {
    listen 9001 ssl;
    listen [::]:9001 ssl;
    server_name s3.example.com *.s3.example.com;
    ssl_certificate /etc/nginx/ssl/s3.example.com/public.crt;
    ssl_certificate_key /etc/nginx/ssl/s3.example.com/private.key;
    # add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
    # TLS 1.0 and 1.1 are deprecated; only offer 1.2 and 1.3.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_dhparam /etc/nginx/dhparam.pem;
    # To allow special characters in headers
    ignore_invalid_headers off;
    # Allow any size file to be uploaded.
    # Set to a value such as 1000m; to restrict file size to a specific value
    client_max_body_size 0;
    # To disable buffering
    proxy_buffering off;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_connect_timeout 300;
        # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        chunked_transfer_encoding off;
        proxy_pass http://10.30.190.248:9001;
    }
}
Finally, configure the Synology side.
The NAS configuration and key files can now be backed up to MinIO.
They also show up in the MinIO console.