使用 Docker 部署

准备配置 .env

1
2
3
4
RUSTFS_ACCESS_KEY=rustfsadmin
RUSTFS_SECRET_KEY=rustfsadmin
RUSTFS_CONSOLE_ENABLE=true
RUSTFS_SERVER_DOMAINS=s3.example.com

准备 Docker 启动脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
# 创建数据库和日志目录
mkdir data logs

# 确保目录和容器内进程的用户id一致。
sudo chown -R 10001:10001 data logs

docker run -d \
--name rustfs \
-p 127.0.0.1:9000:9000 \
-p 127.0.0.1:9001:9001 \
-v ./data:/data \
-v ./logs:/logs \
--env-file .env \
rustfs/rustfs:latest \
/data

nginx 配置

API 接口

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
# rustfs Api endpoint
server {
listen 80;
listen 443 ssl;
server_name s3.example.com;

ssl_certificate ssl/example.com.crt;
ssl_certificate_key ssl/example.com.key;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
error_page 497 https://$host$request_uri;

ignore_invalid_headers off;
client_max_body_size 0;
proxy_buffering off;
proxy_request_buffering off;

location / {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

proxy_cache_convert_head off;

proxy_connect_timeout 300;
proxy_http_version 1.1;
proxy_set_header Connection "";
chunked_transfer_encoding off;

proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";

proxy_pass http://127.0.0.1:9000;
}
}

控制台页面

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
# rustfs Admin endpoint
server {
listen 80;
listen 443 ssl;
server_name s3-admin.example.com;
client_max_body_size 0;

ssl_certificate ssl/example.com.crt;
ssl_certificate_key ssl/example.com.key;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
add_header Strict-Transport-Security "max-age=31536000";
error_page 497 https://$host$request_uri;

# 双向认证配置,按需开启
# ssl_client_certificate ssl/ca.crt; # 配置 CA 证书,用于验证客户端证书的签发者
# ssl_verify_client on; # 启用客户端证书验证
# ssl_crl ssl/crl.pem; # 配置 CRL 文件路径,用于检查吊销的证书

location / {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://127.0.0.1:9001;
}
}

配置存储桶权限

默认权限为私有,需要用 apikey 才可以上传与下载。

先到访问密钥里面创建一个 APIKey
image.png

进入 存储桶 -> 设置 点击访问策略 旁边的编辑

image.png

选择自定义策略,私有写公有读 的 策略内容为:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"*"
]
},
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::mybucket"
]
},
{
"Effect": "Allow",
"Principal": {
"AWS": [
"*"
]
},
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::mybucket/*"
]
}
]
}

使用 CURL 操作对象存储

curl 操作对象存储,或者测试对象存储权限等。可以参考
使用cURL命令管理对象存储(s3)