在 docker 中配置 minio 使用 https

在 docker 中配置 minio 使用 https

这是我的docker-compose.yml

version: '3.7'

services:
  minio:
    image: minio/minio
    # Starts the server with the S3 API on :9000 and the web console on :9001,
    # storing objects under /data. -C passes /etc/minio as MinIO's config dir.
    # NOTE(review): MinIO looks for public.crt / private.key in its certs
    # directory (by default ${HOME}/.minio/certs, or the path given with
    # --certs-dir), not in the config dir itself. Confirm the files sit where
    # the server actually looks, otherwise it silently serves plain HTTP.
    command: server -C /etc/minio --address ":9000" --console-address ":9001" /data
    ports:
      - "9000:9000"
      - "9001:9001"
    environment:
      # NOTE(review): minioadmin/minioadmin are MinIO's publicly documented
      # default root credentials. Replace them before publishing these ports.
      MINIO_ROOT_USER: minioadmin
      MINIO_ROOT_PASSWORD: minioadmin
    volumes:
      - minio:/data
      # The host's /etc/minio is bind-mounted at two container paths. Per the
      # directory listing below, private.key and public.crt are symlinks into
      # /etc/letsencrypt/live/..., a path that is not mounted here, so both
      # links dangle inside the container.
      - /etc/minio:/root/.minio/
      - /etc/minio:/etc/minio/
      
volumes:
  minio:

ls -l /etc/minio/

drwx------ 2 root root 4096 May 20 11:43 CAs
lrwxrwxrwx 1 root root   59 May 20 11:45 private.key -> /etc/letsencrypt/live/mydomain.com/privkey.pem
lrwxrwxrwx 1 root root   61 May 20 11:44 public.crt -> /etc/letsencrypt/live/mydomain.com/fullchain.pem

通过 http 可以访问,但通过 https 不行。我不知道哪里出了问题。遗憾的是日志没有显示任何内容,文档也没有帮助。

答案1

由于符号链接 private.key 和 public.crt 指向的目标在容器内不存在,因此这两个符号链接无法解析。

最简单的方法就是把 /etc/letsencrypt 也挂载到容器内部。

请记住,每次更新证书后,您都需要重新启动容器(或至少重新加载容器内的 minio 进程)。

答案2

从实际的错误来看,我同意这可能是因为它无法读取证书,但我认为这是权限问题,而不是路径错误。所以我建议使用 chown 更改目录和文件的属主,使容器内的进程能够读取它们。

答案3

docker_compose.yml


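# MinIO behind an nginx TLS terminator. nginx holds the Let's Encrypt
# certificate and proxies to MinIO over the private app-tier network.
networks:
  app-tier:
    driver: bridge

services:
  minio:
    image: minio/minio
    # NOTE(review): these mappings publish MinIO's plain-HTTP listeners on the
    # host, so clients can still reach it without TLS. Once nginx is the
    # intended entry point, remove them or bind them to 127.0.0.1.
    ports:
      - "9000:9000"
      - "9001:9001"
    networks:
      - app-tier
    volumes:
      - /data/minio:/data
    environment:
      # Root credentials come from the shell environment or an .env file, so
      # the well-known minioadmin/minioadmin defaults are never committed or
      # deployed. Compose aborts with the message below if either is unset.
      MINIO_ROOT_USER: "${MINIO_ROOT_USER:?MINIO_ROOT_USER must be set}"
      MINIO_ROOT_PASSWORD: "${MINIO_ROOT_PASSWORD:?MINIO_ROOT_PASSWORD must be set}"
    # S3 API on the default :9000, web console on :9001.
    command: server --console-address ":9001" /data
  nginx:
    image: nginx:latest
    container_name: 'nginx'
    hostname: 'nginx'
    ports:
      - "8443:8443"
      - "8444:8444"
    environment:
      # NOTE(review): VIRTUAL_HOST / VIRTUAL_PORT are conventions of
      # proxy-generator images. The stock nginx image presumably ignores
      # them; routing is defined by conf/app.conf. Confirm before relying on them.
      - "VIRTUAL_HOST=minio.example.com"
      - "VIRTUAL_PORT=8443"
    networks:
      - app-tier
    volumes:
      - './conf/app.conf:/etc/nginx/conf.d/default.conf:ro'
      # live/ holds symlinks into archive/, so both must be mounted for the
      # links to resolve inside the container. Read-only, because the
      # container only needs to read the private key, never to modify it.
      - '/etc/letsencrypt/live/:/etc/letsencrypt/live/:ro'
      - '/etc/letsencrypt/archive/:/etc/letsencrypt/archive/:ro'
volumes:
  # Declared but not referenced by any service above; the minio service
  # stores its data in the /data/minio bind mount.
  minio_storage: {}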

app.conf 应该放在 conf 文件夹中

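# Sends "Connection: upgrade" only when the client requested a protocol
# upgrade (WebSocket). Otherwise the value is empty, nginx omits the header,
# and the upstream keepalive connections can be reused.
map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      '';
}

# MinIO web console (container port 9001).
upstream minio {
  server minio:9001;
  keepalive 15;
}

# MinIO S3 API (container port 9000).
upstream minio_api {
  server minio:9000;
  keepalive 15;
}

# The upstream host names above are resolved once at startup through the
# container's own DNS, so no resolver directive is needed in the servers below.

# TLS front end for the console.
server {
  listen 8443 ssl;
  server_name minio.example.com;

  # nginx reads these files at start-up and on reload; reload nginx after
  # every certificate renewal so the new certificate is served.
  ssl_certificate /etc/letsencrypt/live/minio.example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/minio.example.com/privkey.pem;
  # Pin modern protocol versions explicitly; older nginx builds still enable
  # TLS 1.0/1.1 by default.
  ssl_protocols TLSv1.2 TLSv1.3;

  location / {
    proxy_pass http://minio;
    proxy_redirect off;
    proxy_buffering off;

    # HTTP/1.1 is required for both upstream keepalive and WebSocket upgrades.
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    # Set exactly once: repeating proxy_set_header for the same name sends
    # conflicting Connection headers upstream.
    proxy_set_header Connection $connection_upgrade;

    chunked_transfer_encoding off;

    # Pass the original host and client details through to MinIO.
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }
}

# TLS front end for the S3 API.
server {
  listen 8444 ssl;
  server_name minio.example.com;

  ssl_certificate /etc/letsencrypt/live/minio.example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/minio.example.com/privkey.pem;
  ssl_protocols TLSv1.2 TLSv1.3;

  location / {
    proxy_pass http://minio_api;
    proxy_redirect off;
    proxy_buffering off;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    chunked_transfer_encoding off;

    # The Host header must reach MinIO unchanged, since S3 request signatures
    # cover it.
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }
}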

检查 /etc/letsencrypt 文件夹的权限,因为容器在非特权用户下运行
