Using Nginx as a reverse proxy for minio to enable public access to files
Publish: 2022-04-19 | Modify: 2022-04-19
MinIO is an object storage service based on the Apache License v2.0 open-source protocol. It is compatible with the Amazon S3 cloud storage service interface and is ideal for storing large amounts of unstructured data, such as images, videos, log files, backup data, and container/virtual machine images.
In a previous article titled "Setting up MinIO Object Storage and mc Client Commands Using Docker," I shared how to set up a MinIO bucket as publicly readable and privately writable, and how to enable public access to files through an Nginx reverse proxy.
Note: Users reading this article should have a basic understanding of Linux and a habit of reading official documentation.
Prerequisites
MinIO service has been set up and the mc client has been installed, with the storage added to the mc client configuration.
- You can refer to the following link for setting up MinIO using Docker: https://blog.xiaoz.org/archives/16215
- You can also refer to the following link for other setup methods: http://docs.minio.org.cn/docs/ (Note that this Chinese version of the documentation may not be the latest; for the latest version, refer to the English version on the official website.)
- Install the mc client: MinIO Client Quickstart Guide
Setting MinIO Bucket to Public Read and Private Write
Those who have used domestic object storage services may be familiar with the feature of setting a bucket to be publicly readable and privately writable, which is widely used for distributing and accessing static files. MinIO is a storage system compatible with the S3 protocol, but it seems that S3 does not have the concept of public read and private write. On S3, it is referred to as a policy (access policy).
To set a MinIO bucket to be publicly readable and privately writable, you only need to set the policy to download. The command is as follows:
# Set the anonymous access policy for MinIO, with options: none, download, upload, public
mc policy set upload host/bucket/
# Check the anonymous policy
mc policy list host/bucket/host: The name you set when usingmc config host addbucket: The name of the bucket
After setting this, you can test it by accessing http://IP:9000/bucket/file_name. If you can access the file directly without any parameters, it means that the setting has taken effect.
Accessing Through Nginx Reverse Proxy
By default, MinIO is accessed through port 9000. It is not convenient to include the port number every time, so it is usually accessed through an Nginx reverse proxy. I have written an Nginx reverse proxy configuration that you can use as a reference:
server {
listen 443 ssl http2;
# Replace with your own SSL certificate path
ssl_certificate /path/domain.com.crt;
ssl_certificate_key /path/domain.com.key;
ssl_session_timeout 1d;
#ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;
proxy_buffering off;
# Replace with your own domain name
server_name domain.com;
# Path to website logs, note that the nginx user needs write permissions; if not needed, you can comment it out
access_log /data/wwwlogs/domain.com.log combined;
charset utf-8,gbk;
location / {
# Enable custom error pages
proxy_intercept_errors on;
proxy_connect_timeout 300;
# Default is HTTP/1, keepalive is only enabled in HTTP/1.1
proxy_http_version 1.1;
proxy_set_header Connection "";
chunked_transfer_encoding off;
# Replace with your own bucket name; note: it should end with a /
proxy_pass http://127.0.0.1:9000/bucket/;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Client cache time, set to 7 days here; adjust as needed
expires 7d;
add_header XCDN-Cache "$upstream_cache_status";
# You can upload an HTML file or image as a 404 page in the bucket, then change it to the absolute path under the bucket, starting with /
# If not needed, you can comment this out
error_page 404 /404.png;
}
}
server
{
# 301 redirect
listen 80;
server_name domain.com;
rewrite ^(.*) https://domain.com$1 redirect;
}After setting this up, check the configuration with nginx -t and reload the nginx configuration with nginx -s reload. Then, test the access by using your domain name http://domain.com/filename.
Related Recommendations
Comments
xiaoz
I come from China and I am a freelancer. I specialize in Linux operations, PHP, Golang, and front-end development. I have developed open-source projects such as Zdir, ImgURL, CCAA, and OneNav.
Random article
- Building an Open Source Image Cropping Service with Docker: Thumbor
- LNMP 1.2 Causes WordPress Frontend to Fail to Open
- Webmaster, come in! Get your free Alibaba Cloud coupon now!
- 2 Free and User-friendly Compression Software for Windows: 7-Zip & Bandizip
- Enable Gravatar Avatar Cache to Resolve Slow WordPress Loading
- Solution for Foxmail Unable to Set Up Gmail Email
- Vultr: Get $50 Bonus for New User Registration, 16 Data Centers to Choose from, Hourly Billing
- How to Add M3U TV Live Streaming to Jellyfin
- How to Change Your Public IP Address?
- Chat about the enterprise email service provided by Zoho Mail Lite