OpenBSD - Minio
Inspired by https://obsd.solutions/en/blog/2023/01/11/minio-on-openbsd-72-install/
Requirements
- Fresh VM, running OpenBSD 7.2, fully patched
- Public IP, all ports allowed
- FQDN pointing to your IP
Run all the commands as root (or prefix each one with 'doas').
add Package
As usual with OpenBSD:
pkg_add minio
Extend File Limits
Minio needs more open file descriptors than the default daemon class allows, so we add a dedicated login class for it:
cat << EOF >> /etc/login.conf
# Minio, added $(date)
EOF
cat << 'EOF' >> /etc/login.conf
minio:\
:openfiles-cur=4096:\
:openfiles-max=8192:\
:tc=daemon:
EOF
# Rebuild capdb
cap_mkdb /etc/login.conf
Don't forget to restart the box.
Enable and Start the Service
rcctl enable minio
rcctl restart minio
Minio is running
-> http://minio.your.domain.de:9000
user/pass: minioadmin / minioadmin (the default credentials)
Once everything works as expected, we put TLS in front of the service with an on-board tool, relayd. Until that is done, the API and console are reachable in plaintext from anywhere with the default credentials, so don't leave the box in this state for long.
Bind to Localhost
Bind Minio to localhost only, so that relayd is the only way to reach it:
echo 'minio_flags="--address 127.0.0.1:9000 --console-address 127.0.0.1:9001 /var/minio/export"' >> /etc/rc.conf.local
Restart Minio
and restart the Service
rcctl restart minio
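A check for the two steps above, added here and not part of the original post: it parses `netstat -an -f inet` output (OpenBSD column layout assumed: proto, recv-q, send-q, local address as host.port, foreign address, state) and reports whether the Minio API and console sockets are bound to loopback only. The sample netstat lines are constructed.

```sh
#!/bin/sh
# Added check, not part of the original post: confirm that the minio API (9000)
# and console (9001) sockets listen on 127.0.0.1 only, so relayd stays the
# only public entry point. Input is `netstat -an -f inet` text on stdin; the
# OpenBSD column layout (proto recv-q send-q local foreign state) is assumed.

# minio_listeners PORTS: print "host port" for every LISTEN socket whose port is
# in the comma-separated PORTS list (local address is written host.port).
minio_listeners() {
    awk -v ports="$1" '
        BEGIN { n = split(ports, p, ","); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            port = $4; sub(/.*\./, "", port)      # text after the last dot
            host = $4; sub(/\.[0-9]+$/, "", host) # everything before it
            if (port in want) print host, port
        }'
}

# check_loopback_only: reads "host port" lines; returns 0 when every listener is
# on 127.0.0.1, 1 when any is on a wildcard or routable address, 2 when nothing
# listens at all (minio probably failed to start after the flags change).
check_loopback_only() {
    rc=0; n=0
    while read -r host port; do
        n=$((n + 1))
        case "$host" in
            127.0.0.1) echo "ok: port $port bound to loopback" ;;
            *)         echo "EXPOSED: $host port $port is reachable without relayd"; rc=1 ;;
        esac
    done
    if [ "$n" -eq 0 ]; then echo "no listener on the requested ports"; return 2; fi
    return $rc
}

# Constructed samples in the assumed netstat layout: before and after setting minio_flags.
SAMPLE_BAD='Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  *.9000                 *.*                    LISTEN
tcp          0      0  *.9001                 *.*                    LISTEN
tcp          0      0  *.22                   *.*                    LISTEN'
SAMPLE_GOOD='tcp          0      0  127.0.0.1.9000         *.*                    LISTEN
tcp          0      0  127.0.0.1.9001         *.*                    LISTEN
tcp          0      0  203.0.113.10.443       *.*                    LISTEN'

# Demo on the samples; on the box run: netstat -an -f inet | minio_listeners 9000,9001 | check_loopback_only
printf '%s\n' "$SAMPLE_BAD"  | minio_listeners 9000,9001 | check_loopback_only || echo "-> fix minio_flags in /etc/rc.conf.local"
printf '%s\n' "$SAMPLE_GOOD" | minio_listeners 9000,9001 | check_loopback_only
```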
Configure Relayd
Set our FQDN as a shell variable; it is expanded into the config files below:
export MYDOMAIN="your.domain.de"
cat << EOF > /etc/relayd.conf
log connection errors
table <minio_host> { "127.0.0.1" }
minio_fqdn = "${MYDOMAIN}"
minio_port = "9001"
http protocol "https-filter" {
block
pass request header "Host" value \$minio_fqdn forward to <minio_host>
tls keypair \$minio_fqdn
# for minio: extend http headerlen (default = 8192)
http headerlen 24576
# performance enhancement
tcp { nodelay, sack, backlog 128 }
match header set "X-Client-IP" value "\$REMOTE_ADDR:\$REMOTE_PORT"
match header set "X-Forwarded-For" value "\$REMOTE_ADDR"
match header set "X-Forwarded-By" value "\$SERVER_ADDR:\$SERVER_PORT"
}
relay "https" {
listen on egress port https tls
# for minio: extend session timeout (default = 600)
session timeout 1800
protocol "https-filter"
forward to <minio_host> port \$minio_port check tcp
}
EOF
Create SelfSigned Cert
You can skip this step, since the Let's Encrypt setup below works; jump to "create acme-client.conf".
cd /etc/ssl
export CERT_SUBJ="/C=CH/ST=ZURICH/L=/O=STOEGE/OU=/CN=$MYDOMAIN"
openssl req -newkey rsa:2048 -new -nodes -x509 -days 36500 -keyout private/$MYDOMAIN.key -out $MYDOMAIN.crt -subj "$CERT_SUBJ";
chmod 400 private/$MYDOMAIN.key
create acme-client.conf
acme-client needs a small config file:
# Copy Example
cp /etc/examples/acme-client.conf /etc/
# Drop the last 6 lines (the example domain block)
sed -i -e :a -e '$d;N;2,6ba' -e 'P;D' /etc/acme-client.conf
# Append MyStuff
cat << EOF >> /etc/acme-client.conf
# added $(date)
domain ${MYDOMAIN} {
domain key "/etc/ssl/private/${MYDOMAIN}.key"
domain full chain certificate "/etc/ssl/${MYDOMAIN}.fullchain.pem"
sign with letsencrypt
}
EOF
Config Webserver
Minimal httpd config, serving only the ACME challenge directory on port 80:
cat << EOF > /etc/httpd.conf
server "${MYDOMAIN}" {
listen on * port 80
location "/.well-known/acme-challenge/*" {
root "/acme"
request strip 2
}
}
EOF
Start Webserver, Get Cert, Stop Webserver
We need the webserver only briefly, for the acme-client HTTP challenge:
rcctl -f start httpd
acme-client -v ${MYDOMAIN}
rcctl stop httpd
Extract Cert
acme-client wrote the full chain; relayd's "tls keypair" expects the certificate in /etc/ssl/<fqdn>.crt, so extract our own certificate (everything before the first blank line, i.e. the leaf) into that file. Absolute paths are used here because the "cd /etc/ssl" above is skipped when you skip the self-signed step.
sed '/^$/,$d' /etc/ssl/${MYDOMAIN}.fullchain.pem > /etc/ssl/${MYDOMAIN}.crt
Enable and Start
finally start Relayd
rcctl enable relayd
rcctl restart relayd
-> Does it work now? Yes, it works!
Don't forget to change the default username and password as soon as possible.
Management
add Client
pkg_add minioc
Restart with debug output
rcctl -d restart minio
minioc alias set myminio http://x.x.x.x:9000 minioadmin minioadmin
minioc: Configuration written to `/root/.minioc/config.json`. Please update your access credentials.
minioc: Successfully created `/root/.minioc/share`.
minioc: Initialized share uploads `/root/.minioc/share/uploads.json` file.
minioc: Initialized share downloads `/root/.minioc/share/downloads.json` file.
Added `myminio` successfully.