Using Nginx as a reverse proxy for MinIO to enable public access to files

Publish: 2022-04-19 | Modify: 2022-04-19

MinIO is an object storage service released under the Apache License v2.0 open-source license. It is compatible with the Amazon S3 cloud storage service interface and is well suited to storing large amounts of unstructured data, such as images, videos, log files, backup data, and container/virtual machine images.

In a previous article titled "Setting up MinIO Object Storage and mc Client Commands Using Docker," I shared how to set up a MinIO bucket as publicly readable and privately writable, and how to enable public access to files through an Nginx reverse proxy.

Note: Users reading this article should have a basic understanding of Linux and a habit of reading official documentation.

Prerequisites

The MinIO service has been set up, the mc client has been installed, and the storage has been added to the mc client configuration.

Setting MinIO Bucket to Public Read and Private Write

Those who have used domestic object storage services may be familiar with the option of setting a bucket to be publicly readable and privately writable, which is widely used for distributing and accessing static files. MinIO is a storage system compatible with the S3 protocol, but it seems that S3 does not have the concept of public read and private write. On S3, this is controlled through a policy (access policy).

To set a MinIO bucket to be publicly readable and privately writable, you only need to set the policy to download. The command is as follows:

# Set the anonymous access policy for MinIO, with options: none, download, upload, public
# download allows anonymous reads only; upload and public allow anonymous writes
mc policy set download host/bucket/
# Check the anonymous policy
mc policy list host/bucket/
  • host: The name you set when using mc config host add
  • bucket: The name of the bucket

After setting this, you can test it by accessing http://IP:9000/bucket/file_name. If you can access the file directly without any parameters, it means that the setting has taken effect.
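
The difference between a read-only and a writable anonymous policy, as an added example that is not from the original article: a Python check that reads a bucket policy in S3 JSON form and reports whether unauthenticated clients can read or write objects. The two sample policies are constructed for illustration, and the function names are hypothetical.

```python
import json
from fnmatch import fnmatchcase

READ_ACTIONS = ("s3:GetObject",)
WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # "*", {"AWS": "*"} and {"AWS": ["*"]} all mean any unauthenticated client.
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return principal == "*"

def _grants(patterns, actions):
    # Action names are case-insensitive and may contain wildcards ("s3:*", "s3:Put*").
    return any(fnmatchcase(a.lower(), p.lower()) for p in patterns for a in actions)

def anonymous_access(policy_json):
    """Return (can_read, can_write) for anonymous clients.

    Simplification: only Allow statements are evaluated; Deny statements and
    Condition blocks are ignored, so treat a write finding as "review this".
    """
    can_read = can_write = False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        patterns = _as_list(stmt.get("Action", []))
        can_read = can_read or _grants(patterns, READ_ACTIONS)
        can_write = can_write or _grants(patterns, WRITE_ACTIONS)
    return can_read, can_write

def _policy(*statements):
    # Constructed sample policies; "bucket" is the placeholder name used in the article.
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": ["*"]}, "Action": actions, "Resource": [res]}
        for actions, res in statements]})

READ_ONLY = _policy((["s3:GetBucketLocation", "s3:ListBucket"], "arn:aws:s3:::bucket"),
                    (["s3:GetObject"], "arn:aws:s3:::bucket/*"))
WRITE_OPEN = _policy((["s3:PutObject", "s3:AbortMultipartUpload"], "arn:aws:s3:::bucket/*"))

if __name__ == "__main__":
    for name, doc in (("read-only", READ_ONLY), ("write-open", WRITE_OPEN)):
        print(name, anonymous_access(doc))
```

A result of (True, False) is the publicly readable, privately writable state this section aims for; any True in the second position means anonymous clients can modify the bucket.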

Accessing Through Nginx Reverse Proxy

By default, MinIO is accessed through port 9000. It is not convenient to include the port number every time, so it is usually accessed through an Nginx reverse proxy. I have written an Nginx reverse proxy configuration that you can use as a reference:

server {
    listen 443 ssl http2;
    # Replace with your own SSL certificate path
    ssl_certificate /path/domain.com.crt;
    ssl_certificate_key /path/domain.com.key;
    ssl_session_timeout 1d;
    #ssl_session_cache builtin:1000 shared:SSL:10m;

    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.3 requires nginx 1.13+ built with OpenSSL 1.1.1+
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;

    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;
    proxy_buffering off;

    # Replace with your own domain name
    server_name domain.com;
    # Path to website logs, note that the nginx user needs write permissions; if not needed, you can comment it out
    access_log /data/wwwlogs/domain.com.log combined;

    charset utf-8,gbk;

    location / {
        # Enable custom error pages
        proxy_intercept_errors on;
        proxy_connect_timeout 300;
        # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        chunked_transfer_encoding off;
        # Replace with your own bucket name; note: it should end with a /
        proxy_pass http://127.0.0.1:9000/bucket/;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Client cache time, set to 7 days here; adjust as needed
        expires 7d;
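        # An add_header in this block stops inheritance of server-level add_header lines, so repeat HSTS here
        add_header Strict-Transport-Security max-age=15768000;
        add_header XCDN-Cache "$upstream_cache_status";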
        # You can upload an HTML file or image as a 404 page in the bucket, then change it to the absolute path under the bucket, starting with /
        # If not needed, you can comment this out
        error_page 404 /404.png;
    }
}
server
{
    # 301 redirect
    listen 80;
    server_name domain.com;
    # "permanent" returns 301; the "redirect" flag would return a temporary 302
    rewrite ^(.*) https://domain.com$1 permanent;
}

After setting this up, check the configuration with nginx -t and reload the nginx configuration with nginx -s reload. Then, test the access by using your domain name http://domain.com/filename.
