以开启https的nginx转发流量到minio
前提:
- 具有访问在线镜像仓库的网络条件
registry.cn-chengdu.aliyuncs.com
- 需要有docker和docker-compose环境
安装可参考:shell脚本一键安装docker+docker-compose/containerd+nerdctl,支持双架构_shell脚本安装docker compose-CSDN博客
[root@localhost minio_nginx]# docker info
Client:
 Version:    27.2.0
 Context:    default
 Debug Mode: false
......
[root@localhost minio_nginx]# docker-compose version
Docker Compose version v2.23.0
生成nginx所需密钥和证书
[root@localhost data]# yum install -y openssl # 安装openssl
[root@localhost data]# openssl genrsa -out server.key 2048 # 生成私钥文件
[root@localhost data]# openssl req -new -key server.key -out server.csr # 生成证书签名请求
[root@localhost data]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt # 输入信息后生成自签名文件
[root@localhost data]# ll # 确保以下两个文件存放在nginx/ssl目录下
注意: server.key 是私钥,下方输出显示其权限为 644(其他用户可读),建议执行 `chmod 600 server.key` 限制为仅 root 可读。
total 8
-rw-r--r--. 1 root root 1180 Sep 22 11:11 server.crt
-rw-r--r--. 1 root root 1675 Sep 22 11:10 server.key
[root@localhost data]# pwd
/data/nginx/ssl
目录和文件构成解析
[root@localhost data]# tree -a minio_nginx/
minio_nginx/
├── .env
├── minio_nginx.yml
└── nginx
    ├── conf
    │   ├── conf.d
    │   ├── conf.d.template
    │   │   └── proxy.conf.template
    │   └── nginx.conf
    └── ssl
        ├── server.crt
        └── server.key

5 directories, 7 files
.env
[root@localhost minio_nginx]# cat .env
# Variables consumed by minio_nginx.yml through ${...} interpolation.
# NOTE(review): standard dotenv syntax is KEY=VALUE; the `key: value` form used
# below relies on the Compose dotenv parser accepting ':' as separator — confirm
# with `docker compose config` before relying on it.
# NOTE(review): this file carries the MinIO root credentials in clear text. Keep
# it out of version control and restrict its permissions; the values are also
# visible via `docker inspect` on the running containers.
image_registry: "registry.cn-chengdu.aliyuncs.com/su03" # image registry address
minio_image: "$image_registry/minio:2024.11.7-debian-12-r0" # MinIO image ($image_registry is expanded from the line above)
minio_ak: minio # MinIO access key you want to use
minio_sk: minio2025 # MinIO secret key — change this before deployment; MinIO requires at least 8 characters for the root password
nginx_image: "$image_registry/nginx:1.26.3" # nginx image
nginx_container_listen_port: "8889" # port the nginx container listens on (inside the container)
nginx_access_url: "192.168.226.100" # IP clients actually use to reach the service
nginx_access_port:"8886" # port clients actually use to reach the service (host side of the nginx port mapping)
nginx_proxy_url: "http://192.168.225.10:9001" # upstream behind the nginx proxy, here the MinIO service; the author assigned a dedicated NIC IP to MinIO for the proxy test — without that need the value of nginx_access_url can be used. NOTE(review): this is the host-published MinIO port, so the proxy leaves the compose network; http://minio:9001 over middleware-network would avoid that.
minio_nginx.yml
[root@localhost minio_nginx]# cat minio_nginx.yml
version: '3'services:minio:image: ${minio_image}container_name: minio-serverrestart: alwaysenvironment:MINIO_ROOT_USER: ${minio_ak}MINIO_ROOT_PASSWORD: ${minio_sk}MINIO_DEFAULT_BUCKETS: "app-bucket:private"TZ: Asia/Shanghaiports:- "9000:9000"- "9001:9001"volumes:- minio-data:/datanetworks:- middleware-networkhealthcheck:test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]interval: 10stimeout: 5sretries: 3start_period: 20snginx:image: ${nginx_image}container_name: nginx-proxyrestart: always ports:- "8886:8889"volumes:- ./nginx/conf/nginx.conf:/etc/nginx/nginx.conf:ro- ./nginx/conf/conf.d:/etc/nginx/conf.d:rw- ./nginx/conf/conf.d.template:/etc/nginx/conf.d.template:ro- ./nginx/ssl:/etc/nginx/ssl:ro environment:N_C_L_P: ${nginx_container_listen_port}N_A_URL: ${nginx_access_url}N_A_PORT: ${nginx_access_port}N_P_URL: ${nginx_proxy_url}command: >sh -c "envsubst '$$N_C_L_P $$N_A_URL $$N_A_PORT $$N_P_URL' < /etc/nginx/conf.d.template/proxy.conf.template > /etc/nginx/conf.d/proxy.conf && nginx -g 'daemon off;'"networks:- middleware-networknetworks:middleware-network:driver: bridgename: middleware-networkvolumes:minio-data: driver: localname: minio-data
nginx/conf/conf.d.template/proxy.conf.template
# 注意:
nginx/conf/conf.d 可以为空但需要创建此目录,后面执行安装后会映射proxy.conf文件在此目录中
nginx/conf/conf.d.template/proxy.conf.template 是需要创建目录和文件的
[root@localhost minio_nginx]# cat nginx/conf/conf.d.template/proxy.conf.template
# Template rendered by envsubst at container start: only $N_C_L_P, $N_A_URL,
# $N_A_PORT and $N_P_URL are substituted (they are passed in from .env via
# minio_nginx.yml); every other $var below is an ordinary nginx variable.

# HTTP -> HTTPS redirect.
# NOTE(review): minio_nginx.yml publishes only 8886->8889, so port 80 of this
# container is not reachable from the host as configured, and the redirect
# target omits the non-standard access port ($N_A_PORT).
server {
    listen 80;
    server_name _;
    return 301 https://$host$request_uri;
}

# TLS front for the MinIO console (upstream given by $N_P_URL).
server {
    # NOTE(review): since nginx 1.25.1 the `http2` parameter of `listen` is
    # deprecated in favour of a separate `http2 on;` directive; with the
    # 1.26.3 image this still works but logs a warning.
    listen $N_C_L_P ssl http2;
    server_name $N_A_URL; # pin the server IP explicitly to avoid default-server matching surprises
    # Disable access logging for WebSocket traffic (optional, reduces noise).
    # NOTE(review): this turns off access logging for the whole TLS server,
    # not just WebSocket requests — console logins and API calls through this
    # proxy leave no access-log trail. Consider keeping the log enabled.
    access_log off;
    # Self-signed pair generated with openssl (see the steps above).
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    # Core settings: keep every forwarded header consistent with the real access address.
    client_max_body_size 0;
    client_body_buffer_size 10M;
    location / {
        proxy_pass $N_P_URL;
        # Force the Host actually used by the client (including the port).
        proxy_set_header Host "$N_A_URL:$N_A_PORT"; # hard-coded to the host access address to avoid variable-resolution issues
        # Key point: supply an Origin header, required by the MinIO console WebSocket auth.
        # NOTE(review): this replaces whatever Origin the browser sent with a
        # constant http:// value even though clients connect over https, so any
        # origin check upstream only ever sees this fixed value — confirm this
        # is what the console expects rather than passing $http_origin through.
        proxy_set_header Origin "http://$N_A_URL:$N_A_PORT";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $N_A_PORT; # forward the host port explicitly
        # WebSocket-specific settings.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Sec-WebSocket-Key $http_sec_websocket_key;
        proxy_set_header Sec-WebSocket-Version $http_sec_websocket_version;
        # Timeouts.
        proxy_connect_timeout 60s;
        proxy_send_timeout 300s;
        proxy_read_timeout 300s;
        proxy_buffering off;
        proxy_cache off;
    }
}
nginx/conf/nginx.conf
[root@localhost minio_nginx]# cat nginx/conf/nginx.conf
# Main nginx configuration; the per-site TLS proxy is pulled in from conf.d
# (rendered there from proxy.conf.template at container start).
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    # NOTE(review): server_tokens is left at its default (on), so the nginx
    # version is disclosed in error pages and the Server header; `server_tokens off;`
    # is the usual hardening step.
    # Remove the upload size limit (0 means unlimited).
    client_max_body_size 0;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    # tcp_nopush on;
    keepalive_timeout 65;
    # NOTE(review): compressing dynamic responses over TLS is the precondition
    # for compression side channels (BREACH) when a response mixes secrets with
    # client-controlled input; consider limiting gzip to static types or
    # disabling it for the proxied console.
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 5;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css text/javascript application/javascript application/json text/xml application/xml application/xml+rss text/rss image/webp image/jpeg image/png image/svg+xml;
    include /etc/nginx/conf.d/*.conf;
}
证书放置
[root@localhost nginx]# ll ssl/ #将生成的私钥和证书文件放在minio_nginx/nginx/ssl目录中
total 8
-rw-r--r--. 1 root root 1180 Sep 22 11:11 server.crt
-rw-r--r--. 1 root root 1675 Sep 22 11:10 server.key
安装验证
[root@localhost minio_nginx]# docker-compose -f minio_nginx.yml up -d
卸载
[root@localhost minio_nginx]# docker-compose -f minio_nginx.yml down
单独更新/重启容器
(以下命令中的 docker-compose.yml 需替换为本文实际使用的 minio_nginx.yml)
docker-compose -f docker-compose.yml up -d --no-deps --build minio
docker-compose -f docker-compose.yml restart minio