Getting Synology and MinIO to Work Together


Getting Synology to work with MinIO is not as simple as you might expect, because three conditions have to be met.

1) Your S3 backend must be served over HTTPS.

2) Your S3 backend must have a domain name.

3) Your bucket name must be bound to that domain (virtual-host style, i.e. <bucket>.<domain>).

For example, I use s3.example.com. Not only does that name need a certificate, <bucket>.s3.example.com also needs a suitable certificate and correct DNS resolution. So let's get to it. Whether to put nginx in front as a reverse proxy is a matter of taste; I personally don't mind either way.
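The three requirements above can be checked before the NAS ever talks to MinIO. The following script is an added example (not code from the original post): it derives the virtual-host-style hostname for a bucket, verifies that a wildcard SAN covers it using the single-label wildcard rule that TLS clients apply, and rejects bucket names that cannot work with a `*.s3.example.com` certificate. The base domain is the post's `s3.example.com`; the SAN list is a constructed sample, not a real certificate. The reason for the strict bucket-name rule is the one the post hints at: a bucket named `my.backup` becomes `my.backup.s3.example.com`, which a wildcard certificate does not cover, so the backup fails with a certificate error. `fetch_sans()` is an optional live helper that reads the SAN list a server actually presents.

```python
"""
Added example (not from the original post): pre-flight checks for the three
requirements before pointing a Synology backup at MinIO.

Assumptions: the base domain is s3.example.com (from the post); SAMPLE_SANS is a
constructed sample, not a real certificate.
"""
import re
import socket
import ssl

BASE_DOMAIN = "s3.example.com"

# Constructed sample: the DNS SAN entries we expect on the wildcard certificate.
SAMPLE_SANS = ["s3.example.com", "*.s3.example.com"]

# For virtual-host style over HTTPS the bucket must be a single lowercase DNS
# label (3-63 chars); a dot in the name adds a label the wildcard cannot cover.
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$")


def bucket_hostname(bucket: str, base_domain: str = BASE_DOMAIN) -> str:
    """Hostname the S3 client connects to in virtual-host style."""
    return f"{bucket}.{base_domain}"


def san_matches(san: str, hostname: str) -> bool:
    """Match one SAN entry: a '*.' wildcard covers exactly one leftmost label."""
    san, hostname = san.lower(), hostname.lower()
    if san.startswith("*."):
        suffix = san[1:]                      # ".s3.example.com"
        if not hostname.endswith(suffix):
            return False
        leftmost = hostname[: -len(suffix)]   # the part the '*' stands for
        return bool(leftmost) and "." not in leftmost
    return san == hostname


def check_bucket(bucket: str, sans, base_domain: str = BASE_DOMAIN) -> list:
    """Return a list of problems; an empty list means the bucket will work."""
    problems = []
    if not BUCKET_RE.match(bucket):
        problems.append(
            "bucket name is not a single lowercase DNS label (3-63 chars, a-z 0-9 -)"
        )
    host = bucket_hostname(bucket, base_domain)
    if not any(san_matches(s, host) for s in sans):
        problems.append(f"no certificate SAN covers {host}")
    return problems


def fetch_sans(hostname: str, port: int = 443) -> list:
    """Live helper (needs network): DNS SANs from the certificate a server presents."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    for name in ("synology-backup", "my.backup", "Backup"):
        print(name, "->", check_bucket(name, SAMPLE_SANS) or "ok")
```

Run it against a live endpoint by replacing `SAMPLE_SANS` with `fetch_sans("s3.example.com")` once the certificate is installed; if `check_bucket` returns anything for the bucket you intend to use, rename the bucket or re-issue the certificate before configuring the NAS.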

First create a configuration file (you will change the password, of course, won't you?):

cat <<EOT >> /etc/default/minio
# Volume to be used for MinIO server.
MINIO_VOLUMES="/data"
# Use if you want to run MinIO on a custom port.
MINIO_OPTS="--address :9000 --console-address :9001"
# Domain for virtual-host-style bucket addressing (<bucket>.s3.example.com).
MINIO_DOMAIN=s3.example.com
# Root user for the server.
MINIO_ROOT_USER=minioadmin
# Root secret for the server. Change this before starting the service.
MINIO_ROOT_PASSWORD=minioadmin
EOT
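Since the whole point of the comment above is not to ship with `minioadmin`/`minioadmin`, here is an added example (not from the post) that generates a random root secret, refuses the shipped default and secrets MinIO would reject as too short, and writes the environment file with mode 0600 so the credential is not world-readable. The file path is a parameter so it can be tried outside `/etc`; the values mirror the post's configuration, and the minimum lengths (3 for the user, 8 for the secret) are MinIO's own limits.

```python
"""
Added example (not from the original post): write /etc/default/minio with a
non-default root credential and restrictive permissions.
"""
import os
import secrets
import stat

SHIPPED_DEFAULT = "minioadmin"   # the default credential the post tells you to change
MIN_USER_LEN = 3                 # MinIO refuses shorter access keys
MIN_SECRET_LEN = 8               # MinIO refuses shorter secret keys


def make_secret(nbytes: int = 32) -> str:
    """URL-safe random secret; 32 bytes gives 43 characters."""
    return secrets.token_urlsafe(nbytes)


def validate_credentials(user: str, password: str) -> list:
    """Return problems with a root credential; empty list means acceptable."""
    problems = []
    if password == SHIPPED_DEFAULT:
        problems.append("root password is still the shipped default")
    if len(password) < MIN_SECRET_LEN:
        problems.append(f"root password shorter than {MIN_SECRET_LEN} characters")
    if len(user) < MIN_USER_LEN:
        problems.append(f"root user shorter than {MIN_USER_LEN} characters")
    return problems


def render_env(user: str, password: str, volumes: str = "/data",
               domain: str = "s3.example.com",
               opts: str = "--address :9000 --console-address :9001") -> str:
    """Same keys as the post's /etc/default/minio, with the chosen credential."""
    return (
        "# Volume to be used for MinIO server.\n"
        f'MINIO_VOLUMES="{volumes}"\n'
        "# Use if you want to run MinIO on a custom port.\n"
        f'MINIO_OPTS="{opts}"\n'
        "# Domain for virtual-host-style bucket addressing.\n"
        f"MINIO_DOMAIN={domain}\n"
        "# Root user for the server.\n"
        f"MINIO_ROOT_USER={user}\n"
        "# Root secret for the server.\n"
        f"MINIO_ROOT_PASSWORD={password}\n"
    )


def write_env(path: str, user: str, password: str, **kwargs) -> str:
    """Validate the credential, then write the file created with mode 0600."""
    problems = validate_credentials(user, password)
    if problems:
        raise ValueError("; ".join(problems))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(render_env(user, password, **kwargs))
    os.chmod(path, 0o600)   # tighten even if the file already existed
    return path


def file_mode(path: str) -> int:
    """Permission bits of a file, for checking the result (e.g. 0o600)."""
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    target = "/etc/default/minio"   # needs root; pass another path to try it out
    write_env(target, "minio-root", make_secret())
    print(target, oct(file_mode(target)))
```

Run it as root once, then `systemctl restart minio.service`; the secret printed nowhere, so read it from the file when you enter it into the NAS backup task.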

Then create a service:

( cd /etc/systemd/system/; curl -O https://raw.githubusercontent.com/minio/minio-service/master/linux-systemd/minio.service )
useradd minio-user -s /sbin/nologin

Of course I also need to change the working directory in that unit file:

WorkingDirectory=/data

Download the binary into /usr/local/bin:

wget https://dl.min.io/server/minio/release/linux-amd64/minio
chmod +x minio
mv minio /usr/local/bin/minio

Finally, start MinIO:

systemctl enable minio.service
systemctl start minio.service

Once it tests OK, set up the certificates. They go in the following paths under the home directory of the user running MinIO. If nginx is acting as the reverse proxy, there is no need to install certificates here; do it in nginx instead, and the result is the same.

.minio/certs/private.key
.minio/certs/public.crt

I'll also give a reverse-proxy example, though I haven't verified it myself~

server {
    listen 80;
    listen [::]:80;
    server_name s3.example.com *.s3.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name s3.example.com *.s3.example.com;
    
    ssl_certificate /etc/nginx/ssl/s3.example.com/public.crt;
    ssl_certificate_key /etc/nginx/ssl/s3.example.com/private.key;
    # add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';

    ssl_prefer_server_ciphers on;
    ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
    # TLS 1.0 and 1.1 are deprecated; offer only 1.2 and 1.3.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_dhparam /etc/nginx/dhparam.pem;

    # To allow special characters in headers
    ignore_invalid_headers off;
    # Allow any size file to be uploaded.
    # Set to a value such as 1000m; to restrict file size to a specific value
    client_max_body_size 0;
    # To disable buffering
    proxy_buffering off;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;

        proxy_connect_timeout 300;
        # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        chunked_transfer_encoding off;

        proxy_pass http://10.30.190.248:9000;
    }
}

server {
    listen 9001 ssl;
    listen [::]:9001 ssl;
    server_name s3.example.com *.s3.example.com;
    
    ssl_certificate /etc/nginx/ssl/s3.example.com/public.crt;
    ssl_certificate_key /etc/nginx/ssl/s3.example.com/private.key;
    # add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';

    ssl_prefer_server_ciphers on;
    ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
    # TLS 1.0 and 1.1 are deprecated; offer only 1.2 and 1.3.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_dhparam /etc/nginx/dhparam.pem;

    # To allow special characters in headers
    ignore_invalid_headers off;
    # Allow any size file to be uploaded.
    # Set to a value such as 1000m; to restrict file size to a specific value
    client_max_body_size 0;
    # To disable buffering
    proxy_buffering off;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;

        proxy_connect_timeout 300;
        # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        chunked_transfer_encoding off;

        proxy_pass http://10.30.190.248:9001;
    }
}

Finally, configure it on the NAS.

Now you can back up the Synology configuration and key files to it.

You can see them in the MinIO console as well.
