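Deploying MinIO with Docker: SSL certificate problems and two solutions
Assume you already have a domain *.yourdomain.com and have obtained a valid SSL certificate for it.
(1) Proxying MinIO through Nginx
This case applies when Nginx and MinIO are deployed on the same machine and Nginx already listens on port 443 (other services are proxied through Nginx as well), so MinIO cannot take port 443 itself.
The docker-compose.yml for deploying MinIO: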
version: '3'
services:
  minio:
    image: minio/minio:RELEASE.2023-03-20T20-16-18Z
    container_name: minio-RELEASE.2023-03-20T20-16-18Z
    restart: always
    ports:
      - "9900:9900"
      - "9901:9901"
    volumes:
      # MinIO looks for certificates under /root/.minio/certs inside the container
      - ./minio-RELEASE.2023-03-20T20-16-18Z/config:/root/.minio
      - ./minio-RELEASE.2023-03-20T20-16-18Z/data:/data
    extra_hosts:
      - "file-test.yourdomain.com:192.168.213.5"
      - "minio-test.yourdomain.com:192.168.213.5"
    environment:
      # Sample credentials: replace them with your own. MINIO_ACCESS_KEY and
      # MINIO_SECRET_KEY are the legacy names of MINIO_ROOT_USER and MINIO_ROOT_PASSWORD.
      MINIO_ACCESS_KEY: "ud6Krmb7z1k2sxm"
      MINIO_SECRET_KEY: "6LwwnkQ3pgp9kHc"
      MINIO_SERVER_URL: "https://file-test.yourdomain.com"
      MINIO_BROWSER_URL: "https://minio-test.yourdomain.com"
    command: server /data --console-address ":9901" --address ":9900"
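MinIO's internal ports are now 9900 and 9901: 9900 is the API port and 9901 is the browser (console) port.
The Nginx proxy configuration file, minio.conf, assuming Nginx exposes SSL on port 443: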
# API endpoint
server {
    listen 443 ssl;
    server_name file-test.yourdomain.com;
    ssl_certificate /etc/nginx/ssl/public.cer;
    ssl_certificate_key /etc/nginx/ssl/private.key;
    charset utf-8;
    location / {
        proxy_pass http://192.168.213.5:9900/;
        client_max_body_size 1024M;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    # error_page takes a URI; the file itself is served from the root below
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
# Browser console
server {
    listen 443 ssl;
    server_name minio-test.yourdomain.com;
    ssl_certificate /etc/nginx/ssl/public.cer;
    ssl_certificate_key /etc/nginx/ssl/private.key;
    charset utf-8;
    location / {
        proxy_pass http://192.168.213.5:9901/;
        client_max_body_size 1024M;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # WebSocket upgrade headers for the console
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
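Once this is configured, the SSL certificate still has to be set up in MinIO as follows. MinIO treats the certificates in certs/CAs as additional trusted CAs for the HTTPS connections it makes itself.
Go to the MinIO deployment directory. docker-compose mounts a volume there; enter the directory config/certs/CAs
Put the fullchain.cer file in this directory. The directory structure is as follows: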
[root@localhost CAs]# ls
fullchain.cer
[root@localhost CAs]# pwd
/data/docker-compose/middleware/minio-RELEASE.2023-03-20T20-16-18Z/config/certs/CAs
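At this point, open https://minio-test.yourdomain.com in a browser to reach the MinIO page.
The API endpoint is: https://file-test.yourdomain.com
[Note] fullchain.cer is simply public.cer and ca.cer combined into one file.
(2) Without an Nginx proxy: MinIO is accessed at https://domain:port
The docker-compose.yml for MinIO is as follows; the only change is that the access port information was added in the environment variables: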
version: '3'
services:
  minio:
    image: minio/minio:RELEASE.2023-03-20T20-16-18Z
    container_name: minio-RELEASE.2023-03-20T20-16-18Z
    restart: always
    ports:
      - "9900:9900"
      - "9901:9901"
    volumes:
      # MinIO looks for certificates under /root/.minio/certs inside the container
      - ./minio-RELEASE.2023-03-20T20-16-18Z/config:/root/.minio
      - ./minio-RELEASE.2023-03-20T20-16-18Z/data:/data
    extra_hosts:
      - "minio.yourdomain.com:192.168.213.5"
    environment:
      # Sample credentials: replace them with your own. MINIO_ACCESS_KEY and
      # MINIO_SECRET_KEY are the legacy names of MINIO_ROOT_USER and MINIO_ROOT_PASSWORD.
      MINIO_ACCESS_KEY: "ud6Krmb7z1k2sxm"
      MINIO_SECRET_KEY: "6LwwnkQ3pgp9kHc"
      MINIO_SERVER_URL: "https://minio.yourdomain.com:9900"
      MINIO_BROWSER_URL: "https://minio.yourdomain.com:9901"
    command: server /data --console-address ":9901" --address ":9900"
Put the SSL certificate in MinIO's config/certs folder. The directory structure is as follows, and the CAs folder is empty:
[root@ecm-93b7-0001 certs]# ls
CAs private.key public.crt
[root@ecm-93b7-0001 certs]# pwd
/data/docker-compose/middleware/minio-RELEASE.2023-03-20T20-16-18Z/config/certs
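[Important] The files must be named private.key and public.crt. If you rename them, docker-compose has to be changed accordingly; look up how to do that yourself.
At this point, open https://minio.yourdomain.com:9900 in a browser to reach the MinIO page.
The API endpoint is: https://minio.yourdomain.com:9901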
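A pre-start check of the certs directory for both schemes, as an added example that is not part of the original post: it verifies the file names required in scheme (2), that CAs/ holds a certificate file in scheme (1), and that a concatenated fullchain.cer still has intact PEM framing. The function names and the private-key permission check are assumptions of this example, and it inspects PEM framing only, not certificate validity.

```python
import os
import re
import stat

# A well-framed PEM block: the BEGIN and END markers each sit on their own line.
PEM_BLOCK = re.compile(
    r"^-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?^-----END \1-----[ \t]*\r?$", re.S | re.M)

def pem_labels(path):
    """Return the labels of the PEM blocks in a file, or None if the framing is broken."""
    with open(path, errors="replace") as fh:
        text = fh.read()
    labels = [m.group(1) for m in PEM_BLOCK.finditer(text)]
    # Joining files when the first lacks a final newline glues END and BEGIN onto
    # one line, which leaves more BEGIN markers than well-framed blocks.
    return labels if len(labels) == text.count("-----BEGIN ") else None

def check_certs_dir(certs, direct_tls):
    """List problems in a MinIO certs dir; direct_tls=True is scheme (2), False is scheme (1)."""
    problems = []
    if direct_tls:
        crt, key = os.path.join(certs, "public.crt"), os.path.join(certs, "private.key")
        if not os.path.isfile(crt):
            problems.append("missing public.crt")
        elif set(pem_labels(crt) or []) != {"CERTIFICATE"}:
            problems.append("public.crt: expected only CERTIFICATE blocks")
        if not os.path.isfile(key):
            problems.append("missing private.key")
        else:
            if not any(l.endswith("PRIVATE KEY") for l in pem_labels(key) or []):
                problems.append("private.key: no PRIVATE KEY block")
            if stat.S_IMODE(os.stat(key).st_mode) & 0o077:  # hygiene check added here
                problems.append("private.key: readable by group or others")
    cas = os.path.join(certs, "CAs")
    names = sorted(os.listdir(cas)) if os.path.isdir(cas) else []
    if not direct_tls and not names:
        problems.append("CAs/: empty, scheme (1) expects fullchain.cer here")
    for name in names:
        labels = pem_labels(os.path.join(cas, name))
        if labels is None:
            problems.append(f"CAs/{name}: broken PEM framing (joined without a newline?)")
        elif set(labels) != {"CERTIFICATE"}:
            problems.append(f"CAs/{name}: expected only CERTIFICATE blocks")
    return problems

if __name__ == "__main__":
    import sys  # usage: python check_certs.py <certs-dir> [direct]
    print(check_certs_dir(sys.argv[1], "direct" in sys.argv[2:]) or "ok")
```

Run it against the host-side config/certs directory before starting the container; an empty result means the layout matches what the scheme expects.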