author | object42 | 2024-05-26 21:03:46 +0200 |
---|---|---|
committer | object42 | 2024-05-26 21:08:56 +0200 |
commit | 9b3c66bfda134d8f61733c67a64871c59ba5da23 (patch) | |
tree | 990c2e8e9060fce7dbcd919c1d307bd768f97833 | |
parent | baca1017b90354c11820aea1ebbc7c9df1c83e6d (diff) | |
download | aur-9b3c66bfda134d8f61733c67a64871c59ba5da23.tar.gz |
- modified minio config to be compatible with ente-desktop connections
-rw-r--r-- | .SRCINFO | 10 | ||||
-rw-r--r-- | PKGBUILD | 11 | ||||
-rw-r--r-- | ente-server-man.1.md | 11 | ||||
-rw-r--r-- | ente-server.yaml | 2 | ||||
-rw-r--r-- | minio-server-nginx.conf | 82 |
5 files changed, 102 insertions, 14 deletions
@@ -1,7 +1,7 @@ pkgbase = ente-server-git pkgdesc = Self hosted server for Ente (mobile) clients - pkgver = r1.7490199 - pkgrel = 5 + pkgver = r1.c5aa536 + pkgrel = 6 url = https://github.com/ente-io arch = x86_64 license = AGPL-3.0-only @@ -29,17 +29,19 @@ pkgbase = ente-server-git source = ente-server.yaml source = http_security_headers.conf source = https_security_headers.conf + source = minio-server-nginx.conf source = usr.bin.ente-server sha256sums = 0d96a4ff68ad6d4b6f1f30f713b18d5184912ba8dd389f86aa7710db079abcb0 sha256sums = f3624560a2c332724967e1e64689f8549a936fb85fc557ccc4bcbb7e57e373e8 - sha256sums = 9151cd1072cf33f88c355761ce931346a58555da49cb6241e9498b4c1dd0b87b + sha256sums = 513de8be26c5e2e1fca7ff9562bddd6a1740ce1622c14edfe766287556385cf6 sha256sums = 2d5221aaa83f32bbc8c75c2d7c70f9ff8021d451b544f230c99fe29b84fcba75 sha256sums = 72c23c4ba9d3468a1b089d182917123cb15b8bf8b52b3955b98a0357d29b5cbd sha256sums = 6ba953245f2a285dbd82ce65635d19410eab1dcd92821c398bdf7ffba9451a9b sha256sums = f5ae64093463a66fa66ecc4627f603ff0f9e17841e1d681dbcc68b1bad95100e - sha256sums = c3e54eacff7f6b4a406dff4b871120c6a97dc5dca179347055514a19d10cfb72 + sha256sums = 77b1b7aa5057e8ee8756bcc3a8415ce801f7b935b8f60c4934d4f4648dc5a92c sha256sums = 405365bd47efa25b8bcefc93a5c0535fd50cce22b5d8dcea070098aa432ff87e sha256sums = a1149c57e233f7be2f12668f5ef0f03409bd5ad37b1a223bb56d2ae865cf6358 + sha256sums = 863d111071bb32c8b5f8baa34731a94861940d2d276ffadf9426d3fc492588b6 sha256sums = 297bc7d90c473758c9054aaaa6155b4e7232d0dfea761a4e55ed8b743f289f86 pkgname = ente-server-git @@ -2,8 +2,8 @@ pkgname=ente-server-git _pkgname_alt=museum _pkg_git_src=https://github.com/ente-io/ente.git -pkgver=r1.7490199 -pkgrel=5 +pkgver=r1.c5aa536 +pkgrel=6 pkgdesc="Self hosted server for Ente (mobile) clients" arch=(x86_64) url="https://github.com/ente-io" 
@@ -28,19 +28,21 @@ source=( "${pkgname%-git}.yaml" "http_security_headers.conf" "https_security_headers.conf" + "minio-server-nginx.conf" "usr.bin.${pkgname%-git}" ) sha256sums=( "0d96a4ff68ad6d4b6f1f30f713b18d5184912ba8dd389f86aa7710db079abcb0" "f3624560a2c332724967e1e64689f8549a936fb85fc557ccc4bcbb7e57e373e8" - "9151cd1072cf33f88c355761ce931346a58555da49cb6241e9498b4c1dd0b87b" + "513de8be26c5e2e1fca7ff9562bddd6a1740ce1622c14edfe766287556385cf6" "2d5221aaa83f32bbc8c75c2d7c70f9ff8021d451b544f230c99fe29b84fcba75" "72c23c4ba9d3468a1b089d182917123cb15b8bf8b52b3955b98a0357d29b5cbd" "6ba953245f2a285dbd82ce65635d19410eab1dcd92821c398bdf7ffba9451a9b" "f5ae64093463a66fa66ecc4627f603ff0f9e17841e1d681dbcc68b1bad95100e" - "c3e54eacff7f6b4a406dff4b871120c6a97dc5dca179347055514a19d10cfb72" + "77b1b7aa5057e8ee8756bcc3a8415ce801f7b935b8f60c4934d4f4648dc5a92c" "405365bd47efa25b8bcefc93a5c0535fd50cce22b5d8dcea070098aa432ff87e" "a1149c57e233f7be2f12668f5ef0f03409bd5ad37b1a223bb56d2ae865cf6358" + "863d111071bb32c8b5f8baa34731a94861940d2d276ffadf9426d3fc492588b6" "297bc7d90c473758c9054aaaa6155b4e7232d0dfea761a4e55ed8b743f289f86" ) @@ -121,6 +123,7 @@ package() { install -Dvm644 'configurations/local.yaml' -t "${pkgdir}/usr/lib/${pkgname%-git}/" install -Dvm640 "$srcdir/${pkgname%-git}.yaml" "${pkgdir}/etc/${pkgname%-git}/local.yaml" install -Dvm644 "$srcdir/${pkgname%-git}-nginx.conf" -t "${pkgdir}/usr/lib/${pkgname%-git}/" + install -Dvm644 "$srcdir/minio-server-nginx.conf" -t "${pkgdir}/usr/lib/${pkgname%-git}/" install -Dvm644 "$srcdir/usr.bin.${pkgname%-git}" -t "${pkgdir}/usr/lib/${pkgname%-git}/" # systemd diff --git a/ente-server-man.1.md b/ente-server-man.1.md index e719b4bab29a..29a52c8b6a9d 100644 --- a/ente-server-man.1.md +++ b/ente-server-man.1.md 
@@ -41,7 +41,7 @@ To get the Ente server running a working PostgreSQL database (to store Ente obje MINIO_VOLUMES="/srv/minio/data" MINIO_ROOT_USER=minio MINIO_ROOT_PASSWORD='<YOUR-STRONG-MINIO-ROOT-PASSWORD>' - MINIO_OPTS="--address <your_public_domain.tld>:3200 --console-address 127.0.0.1:3201" + MINIO_OPTS="--address 127.0.0.1:43200 --console-address 127.0.0.1:43201" ``` - Start on boot and right now: ``` @@ -92,7 +92,7 @@ To get the Ente server running a working PostgreSQL database (to store Ente obje b2-eu-cen: key: minio secret: "<YOUR-STRONG-MINIO-ROOT-PASSWORD>" - endpoint: <your_public_domain.tld>:3200 + endpoint: https://<your_public_domain.tld>:3200 region: eu-central-2 bucket: ente-server ``` @@ -123,10 +123,11 @@ To get the Ente server running a working PostgreSQL database (to store Ente obje **Configuring Nginx proxy**: -- Copy the example Nginx config and the accompanying HTTP(S) security header config files to the Nginx configuration directory: +- Copy the example the MinIO and Ente server Nginx config and the accompanying HTTP(S) security header config files to the Nginx configuration directory: ``` sudo cp -v /usr/lib/ente-server/ente-server-nginx.conf /etc/nginx/ sudo cp -v /usr/lib/ente-server/http*security_headers.conf /etc/nginx/ + sudo cp -v /usr/lib/ente-server/minio-server-nginx.conf /etc/nginx/ ``` - Edit this example config, and replace <your_public_domain.tld> with your actual public domain name - Request a letsencrypt ceritifacte (or a SSL ceritifacte from another provider) if not already done so: 
@@ -224,8 +225,8 @@ An AppArmor profile has been provided for those that wish to limit the access th If a host firewall like iptables or nftables has been enabled and configured, make sure the following is allowed: - Traffic on localhost -- Traffic from your Ente (mobile) client to TCP port 443 to reach Nginx -- Traffic from your Ente (mobile) client to TCP port 3200 to reach the MinIO API port +- Traffic from your Ente (mobile) client to TCP port 443 to reach the Ente server via Nginx +- Traffic from your Ente (mobile) client to TCP port 3200 to reach the MinIO server via Nginx FILES ----- diff --git a/ente-server.yaml b/ente-server.yaml index aeb47b340471..202b545a0bbc 100644 --- a/ente-server.yaml +++ b/ente-server.yaml @@ -46,7 +46,7 @@ s3: b2-eu-cen: key: minio secret: "<YOUR-STRONG-MINIO-ROOT-PASSWORD>" - endpoint: <your_public_domain.tld>:3200 + endpoint: https://<your_public_domain.tld>:3200 region: eu-central-2 bucket: ente-server diff --git a/minio-server-nginx.conf b/minio-server-nginx.conf new file mode 100644 index 000000000000..4c413960430e --- /dev/null +++ b/minio-server-nginx.conf 
@@ -0,0 +1,82 @@
+# configuration based on:
+# <https://min.io/docs/minio/linux/integrations/setup-nginx-proxy-with-minio.html>
+upstream minio-api {
+ server 127.0.0.1:43200;
+}
+
+upstream minio-console {
+ server 127.0.0.1:43201;
+}
+
+server {
+ listen 3200 ssl;
+ listen [::]:3200 ssl;
+ server_name <your_public_domain.tld>;
+ include https_security_headers.conf;
+ http2 on;
+
+ # SSL settings
+ ssl_certificate /etc/letsencrypt/live/<your_public_domain.tld>/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/<your_public_domain.tld>/privkey.pem;
+ ssl_dhparam ssl_dhparam_gen5_4096.pem;
+
+ # Global SSL settings
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384;
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:le_nginx_SSL_minio_server:1m;
+ ssl_session_timeout 1440m;
+ ssl_session_tickets off;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ # Allow special characters in headers
+ ignore_invalid_headers off;
+ # Allow any size file to be uploaded.
+ # Set to a value such as 1000m; to restrict file size to a specific value
+ client_max_body_size 0;
+ # Disable buffering
+ proxy_buffering off;
+ proxy_request_buffering off;
+
+ location / {
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_connect_timeout 300;
+ # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ chunked_transfer_encoding off;
+
+ proxy_pass http://minio-api; # This uses the upstream directive definition to load balance
+ }
+
+ location /minio/ui/ {
+ rewrite ^/minio/ui/(.*) /$1 break;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-NginX-Proxy true;
+
+ # This is necessary to pass the correct IP to be hashed
+ real_ip_header X-Real-IP;
+
+ proxy_connect_timeout 300;
+
+ # To support websockets in MinIO versions released after January 2023
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ # Some environments may encounter CORS errors (Kubernetes + Nginx Ingress)
+ # Uncomment the following line to set the Origin request to an empty string
+ # proxy_set_header Origin '';
+
+ chunked_transfer_encoding off;
+
+ proxy_pass http://minio-console; # This uses the upstream directive definition to load balance
+ }
+}
 |
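Review bot: The `location /minio/ui/` block publishes the MinIO console on the same public listener (port 3200) that the man page tells users to open in the firewall, whereas before this commit the console was bound to 127.0.0.1 only and not proxied. The console is an administrative interface protected by the root credentials alone, so the example should either drop this block together with the `minio-console` upstream, or restrict it with `allow 127.0.0.1; allow ::1; deny all;` at the top of the block. In the same block, `real_ip_header X-Real-IP;` does nothing as far as this file shows, because no `set_real_ip_from` is configured, and on a directly exposed listener that header would be client-supplied, so I would remove the line. A short comment above the block stating who is expected to reach the console would help anyone copying this file into /etc/nginx.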