准备存储
这里我使用的是 Debian 12 外挂 TrueNAS 的 NFS 存储;因为文件存放在 NFS 上,创建用户和目录时需要注意 uid 和 gid 在各主机上保持一致。
root@minio1:/usr/local/bin# id minio
uid=4001(minio) gid=4001(minio) groups=4001(minio)
新建时注意使用:
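# Fixed gid/uid so file ownership on the NFS export resolves to the same
# account on every host that mounts it.
groupadd -g 4001 minio
# Service account only: no interactive login shell and no home directory.
useradd -r -u 4001 -g minio -s /usr/sbin/nologin -M minio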
挂载条目(写入 /etc/fstab):
192.168.21.4:/mnt/storage_pool/minio /mnt/minio_n4_lowspeed_nfs nfs defaults,_netdev 0 0
安装minio
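# Download the MinIO server and client into a scratch directory, verify each
# binary against the .sha256sum file published next to it, and only then
# install it into /usr/local/bin. (A .minisig signature is also published for
# stronger, key-based verification with minisign.) Commands are chained with
# && so a checksum mismatch stops the install when typed interactively.
tmp=$(mktemp -d) || exit 1
cd "$tmp" || exit 1

# MinIO server
wget https://dl.min.io/server/minio/release/linux-amd64/minio \
  && wget https://dl.min.io/server/minio/release/linux-amd64/minio.sha256sum \
  && sha256sum -c minio.sha256sum \
  && install -m 0755 minio /usr/local/bin/minio

# MinIO client (mc)
wget https://dl.min.io/client/mc/release/linux-amd64/mc \
  && wget https://dl.min.io/client/mc/release/linux-amd64/mc.sha256sum \
  && sha256sum -c mc.sha256sum \
  && install -m 0755 mc /usr/local/bin/mc

cd / && rm -rf -- "${tmp:?}"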
创建相关文件目录
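# Create the directory layout under the NFS mount. chown over NFS only takes
# effect if the export lets root change ownership (root squashing off or the
# matching uid/gid mapped); check the result with `ls -ln`.
mkdir -p /mnt/minio_n4_lowspeed_nfs/{data,config,logs}
chown -R minio:minio /mnt/minio_n4_lowspeed_nfs/{data,config,logs}
chmod 755 /mnt/minio_n4_lowspeed_nfs/{data,logs}
# config/ holds the credential file; do not let other users list it.
chmod 750 /mnt/minio_n4_lowspeed_nfs/config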
创建MinIO环境配置文件
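# Write the environment file under a restrictive umask so the root credentials
# are never world-readable, not even for the instant before the chmod below.
# The heredoc delimiter is quoted: nothing inside is expanded by the shell.
# MINIO_ROOT_PASSWORD must be at least 8 characters or the server refuses to start.
(
  umask 077
  cat > /mnt/minio_n4_lowspeed_nfs/config/minio.env <<'EOF'
MINIO_ROOT_USER=admin
MINIO_ROOT_PASSWORD=YourStrongPasswordHere
MINIO_VOLUMES="/mnt/minio_n4_lowspeed_nfs/data"
MINIO_OPTS="--console-address :9001 --address :9000"
MINIO_SERVER_URL="http://your_server_ip:9000"
EOF
)
# Owner-only access for the service account.
chmod 600 /mnt/minio_n4_lowspeed_nfs/config/minio.env
chown minio:minio /mnt/minio_n4_lowspeed_nfs/config/minio.env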
创建systemd服务
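# Install the systemd unit. The heredoc delimiter is quoted so $MINIO_VOLUMES
# and $MINIO_OPTS reach systemd literally without backslash escapes.
cat > /etc/systemd/system/minio.service <<'EOF'
[Unit]
Description=MinIO
Documentation=https://min.io/docs/minio/linux/index.html
Wants=network-online.target
After=network-online.target remote-fs.target
# Order after the NFS mount and fail if it is absent, rather than starting
# against an empty mount point.
RequiresMountsFor=/mnt/minio_n4_lowspeed_nfs
AssertFileIsExecutable=/usr/local/bin/minio

[Service]
WorkingDirectory=/mnt/minio_n4_lowspeed_nfs
User=minio
Group=minio
EnvironmentFile=/mnt/minio_n4_lowspeed_nfs/config/minio.env
ExecStart=/usr/local/bin/minio server $MINIO_VOLUMES $MINIO_OPTS
Restart=always
LimitNOFILE=65536
TimeoutStopSec=infinity
SendSIGKILL=no
# Basic sandboxing: the service only needs to write under its data directory.
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full

[Install]
WantedBy=multi-user.target
EOF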
启动MinIO服务
# Pick up the new unit file.
systemctl daemon-reload
# Enable for boot and start now in one step.
systemctl enable --now minio
# Confirm the service is running.
systemctl status minio
设置别名
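# Configure the mc alias. The access key and secret key are deliberately left
# off the command line so mc prompts for them: a password passed as an argument
# is recorded in shell history and visible to every local user via `ps`.
mc alias set myminio http://localhost:9000
# Test the connection
mc ls myminio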
S3组权限/用户权限/策略/令牌示例:
访问策略:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject" ], "Resource": [ "arn:aws:s3:::bucket1/*", "arn:aws:s3:::bucket2/*", "arn:aws:s3:::bucket1", "arn:aws:s3:::bucket2" ] } ] }
只读策略:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetObject" ], "Resource": [ "arn:aws:s3:::bucket1/*", "arn:aws:s3:::bucket2/*", "arn:aws:s3:::bucket1", "arn:aws:s3:::bucket2" ] } ] }
访问特定目录策略:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetObject", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::bucket1/specific-folder/*", "arn:aws:s3:::bucket1" ] } ] }
nginx 转发(需要透传 Authorization 头)
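server {
    # On nginx >= 1.25.1 the `http2` listen parameter is deprecated in favour
    # of a separate `http2 on;` directive; it still works on older releases.
    listen [port] ssl http2;
    server_name [url];
    ssl_certificate /opt/pro/cert/cert.crt;
    ssl_certificate_key /opt/pro/cert/cert.key;

    # TLS settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # S3 uploads are routinely larger than nginx's default 1m body limit;
    # 0 disables the limit so large PUTs are not rejected with 413.
    client_max_body_size 0;
    # Stream bodies between client and MinIO instead of spooling whole
    # objects on the proxy.
    proxy_request_buffering off;
    proxy_buffering off;

    location /test {
        return 200 "OK";
    }

    location / {
        proxy_pass http://[ip]:[port];
        # HTTP/1.1 to the upstream with an empty Connection header enables
        # keep-alive and is required for unbuffered (chunked) requests.
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # Keep the original method, headers and body.
        proxy_method $request_method;
        proxy_pass_request_headers on;
        proxy_pass_request_body on;

        # Host must be forwarded unchanged: it is part of the S3 signature.
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Authorization and the X-Amz-* signing headers are forwarded verbatim.
        # Request headers are passed by default; restating them here protects
        # against a parent block's proxy_set_header list replacing this one.
        proxy_set_header Authorization $http_authorization;
        proxy_set_header X-Amz-Date $http_x_amz_date;
        proxy_set_header X-Amz-Content-Sha256 $http_x_amz_content_sha256;

        # The original `proxy_pass_header x-amz-*;` is dropped: proxy_pass_header
        # takes one literal response-header name and does not accept wildcards,
        # so that line had no effect.

        # Buffer sizes for large S3 response headers.
        proxy_buffer_size 16k;
        proxy_buffers 16 16k;

        # Allow long-running transfers.
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
        proxy_read_timeout 300;
    }
}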