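Building S3-compatible object storage with Minio

This article describes deploying a Minio server on BuyVM directly from the binary, then connecting it to WordPress through an S3 plugin so that the object storage serves as an image host.

We have previously covered BuyVM, which is cheap, generous and stable. For a VPS with gigabit bandwidth, unmetered traffic and a large disk, besides seeding on private trackers (PT), we can also turn it into a private network drive / image host for our WordPress blog. This article uses a BuyVM VPS (the Las Vegas 1G plan) and builds object storage by setting up a Minio service. To be as beginner-friendly as possible and avoid introducing new concepts, we deploy directly from the precompiled binary.

Download Minio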

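# Download the server binary into /usr/local/bin
wget https://dl.min.io/server/minio/release/linux-amd64/minio -P /usr/local/bin
# Mark the binary itself (not the directory) as executable
chmod +x /usr/local/bin/minio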

Set the owner and group of the Minio binary

chown www:www /usr/local/bin/minio

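It is recommended to use the same user and group as nginx for ease of access; I use www.

Create the environment variable file

The configuration file defines the environment variables; its path is /etc/default/minio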

MINIO_VOLUMES="/data/"
MINIO_OPTS="-C /etc/minio --address 127.0.0.1:9000 --console-address 127.0.0.1:9001"
MINIO_ROOT_USER="管理员账号"
MINIO_ROOT_PASSWORD="管理员密码"

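Here the configuration directory is set to /etc/minio, and Minio listens by default on ports 9000 and 9001 of 127.0.0.1, where port 9000 is used for web access and 9001 for management. Remember to change the root account name and password, and also grant the www user access to /data:

Manage the service with systemd

Create the systemd unit file at /etc/systemd/system/minio.service: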

[Unit]
Description=MinIO
Documentation=https://docs.min.io
Wants=network-online.target
After=network-online.target
AssertFileIsExecutable=/usr/local/bin/minio

[Service]
WorkingDirectory=/usr/local/

# Run as the user and group that own the binary and /data (www in this article)
User=www
Group=www

EnvironmentFile=/etc/default/minio
ExecStartPre=/bin/bash -c "if [ -z \"${MINIO_VOLUMES}\" ]; then echo \"Variable MINIO_VOLUMES not set in /etc/default/minio\"; exit 1; fi"

ExecStart=/usr/local/bin/minio server $MINIO_OPTS $MINIO_VOLUMES

# Let systemd restart this service always
Restart=always

# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65536

# Disable timeout logic and wait until process is stopped
TimeoutStopSec=infinity
SendSIGKILL=no

[Install]
WantedBy=multi-user.target

# Built for ${project.name}-${project.version} (${project.name})

Enable and start the service:

systemctl enable minio.service
systemctl start minio.service

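Configure external access

In the configuration file we set Minio to listen on 127.0.0.1, so by default only the local machine can reach it. We need to configure an Nginx reverse proxy and expose the access address to the Internet. The detailed process is omitted; if you need it, please refer to the following article:

Once that is set up, create a configuration file to expose the service (request the SSL certificate used in the configuration yourself with acme.sh; that is not covered here):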

server
    {
        listen 443 ssl http2;
        #listen [::]:443 ssl http2;
        server_name XXXXXX.XXX;

        ssl_certificate /root/.acme.sh/XXX/fullchain.cer;
        ssl_certificate_key /root/.acme.sh/XXX/XXX.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
        ssl_session_cache builtin:1000 shared:SSL:10m;
        # openssl dhparam -out /usr/local/nginx/conf/ssl/dhparam.pem 2048
        ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
        # To allow special characters in headers
        ignore_invalid_headers off;
        # Allow any size file to be uploaded.
        # Set to a value such as 1000m; to restrict file size to a specific value
        client_max_body_size 0;
        # To disable buffering
        proxy_buffering off;

        location / {
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-NginX-Proxy true;

            # This is necessary to pass the correct IP to be hashed
            real_ip_header X-Real-IP;

            proxy_connect_timeout 300;
            
            # To support websocket
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            
            chunked_transfer_encoding off;

            proxy_pass http://127.0.0.1:9001;
        }

    }

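This one configures the console address, i.e. the management interface. The following is the configuration file for the access port (9000); note that its domain name must differ from the one used for management: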

server
{
    listen 443 ssl http2;
    #listen [::]:443 ssl http2;
    server_name access.XXXXXX.XXX;
    ssl_certificate /root/.acme.sh/XXX/fullchain.cer;
    ssl_certificate_key /root/.acme.sh/XXX/XXX.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
    ssl_session_cache builtin:1000 shared:SSL:10m;
    # openssl dhparam -out /usr/local/nginx/conf/ssl/dhparam.pem 2048
    ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
    # To allow special characters in headers
    ignore_invalid_headers off;
    # Allow any size file to be uploaded.
    # Set to a value such as 1000m; to restrict file size to a specific value
    client_max_body_size 0;
    # To disable buffering
    proxy_buffering off;

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    
        proxy_connect_timeout 300;
        # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        chunked_transfer_encoding off;
    
        proxy_pass http://127.0.0.1:9000;
    }
}
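
Both server blocks above enable TLSv1/TLSv1.1 and 3DES suites, and the first one publishes the console (port 9001) with no access restriction. The check below is an added example, not part of the original article; the function names audit_nginx_conf and write_sample_conf and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): flag risky settings in an
# nginx server block. Prints one finding per line; returns 1 if any were found.
audit_nginx_conf() {
    body=$(sed 's/#.*$//' "$1")    # drop comments such as "#listen ..."
    rc=0

    # TLS 1.0 / 1.1 still enabled (TLSv1.2 and TLSv1.3 must not match).
    if printf '%s\n' "$body" | grep -Eq 'ssl_protocols[^;]*TLSv1(\.1)?([[:space:]]|;)'; then
        echo "WEAK_PROTOCOL: ssl_protocols enables TLSv1 and/or TLSv1.1"; rc=1
    fi
    # 3DES suites (64-bit block cipher).
    if printf '%s\n' "$body" | grep -Eq 'ssl_ciphers[^;]*3DES'; then
        echo "WEAK_CIPHER: ssl_ciphers includes 3DES"; rc=1
    fi
    # "RSA+..." selects static RSA key exchange, which has no forward secrecy.
    if printf '%s\n' "$body" | grep -Eq 'ssl_ciphers[^;]*[":]RSA\+'; then
        echo "NO_FORWARD_SECRECY: ssl_ciphers includes static RSA key exchange"; rc=1
    fi
    # Console (port 9001) proxied with no allow/deny list and no auth_basic.
    if printf '%s\n' "$body" | grep -Eq 'proxy_pass[[:space:]]+http://127\.0\.0\.1:9001' &&
       ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*(allow|deny|auth_basic)[[:space:]]'; then
        echo "CONSOLE_EXPOSED: port 9001 is proxied without an access restriction"; rc=1
    fi
    return "$rc"
}

# Constructed sample: the TLS lines and console proxy_pass used in the article.
write_sample_conf() {
    cat >"$1" <<'EOF'
server {
    listen 443 ssl http2;
    #listen [::]:443 ssl http2;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers "EECDH+AES128:RSA+AES128:EECDH+3DES:RSA+3DES:!MD5";
    location / { proxy_pass http://127.0.0.1:9001; }
}
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
audit_nginx_conf "$sample" || true
rm -f "$sample"
```

A configuration limited to `ssl_protocols TLSv1.2 TLSv1.3;`, ECDHE-only ciphers, and an `allow`/`deny` list on the console location produces no findings.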

After the configuration is complete, restart nginx

systemctl restart nginx

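Finally, log in to the management interface with the account and password you just set, create Buckets and generate a Token, and it is ready to use. For WordPress, the following plugin is recommended for connecting to S3 object storage:

Original article by 莫凡. If you repost it, please credit the source: https://mihang.org/389.html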
