OpenBSD - Minio

Inspired

https://obsd.solutions/en/blog/2023/01/11/minio-on-openbsd-72-install/

Requirements

  • Fresh VM, running OpenBSD 7.2, fully patched

  • Public IP, all Ports allowed

  • FQDN pointing to your IP

run all the commands as root (or with ‘doas’ prepended …)

add Package

as usual with OpenBSD

pkg_add minio

Extend File Limits

minio needs more open file descriptors than the default limit allows, so we add a login class for it …

cat << EOF >> /etc/login.conf

# Minio, added $(date)
EOF

cat << 'EOF' >> /etc/login.conf
minio:\
  :openfiles-cur=4096:\
  :openfiles-max=8192:\
  :tc=daemon:
EOF

# Rebuild capdb
cap_mkdb /etc/login.conf

don’t forget to restart the box

Enable and Start the Service

rcctl enable minio
rcctl restart minio

Minio is running

-> http://minio.your.domain.de:9000

user/pass: minioadmin

if everything works as expected, we want to put TLS in front of the service. Let’s do it with on-board tools like relayd.

Bind to Localhost

Bind minio to localhost only

echo 'minio_flags="--address 127.0.0.1:9000 --console-address 127.0.0.1:9001 /var/minio/export"' >> /etc/rc.conf.local

Restart Minio

and restart the Service

rcctl restart minio
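An added check for the two steps above (example script, not code from the original page): it parses a netstat listing and confirms that the minio API and console sockets are bound to loopback only. The netstat lines are constructed samples; on the box you would pipe `netstat -an -f inet` into the function.

```shell
#!/bin/sh
# Added example, not part of the original page: check from a netstat listing
# that the minio API (9000) and console (9001) sockets are bound to loopback
# only, so relayd on port 443 stays the only public entry point.
# Live use on the box:  netstat -an -f inet | minio_listen_check 9000 9001

# Constructed samples in OpenBSD "netstat -an -f inet" layout (address and
# port are joined by a dot, "*" means all addresses).
SAMPLE_GOOD='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  127.0.0.1.9000         *.*                    LISTEN
tcp          0      0  127.0.0.1.9001         *.*                    LISTEN
tcp          0      0  *.443                  *.*                    LISTEN'

# Same, but minio_flags did not take effect: the API listens on every address.
SAMPLE_BAD='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  *.9000                 *.*                    LISTEN
tcp          0      0  127.0.0.1.9001         *.*                    LISTEN'

# minio_listen_check PORT...: reads netstat output on stdin, prints one line
# per problem (a port exposed on a non-loopback address, or a port that is
# not listening at all) and returns 0 only when nothing was found.
minio_listen_check() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            addr = $4
            port = addr; sub(/.*\./, "", port)                 # text after last dot
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (port in want) {
                seen[port] = 1
                if (host != "127.0.0.1" && host != "::1") {
                    bad++; print "exposed: " addr
                }
            }
        }
        END {
            for (q in want) if (!(q in seen)) { bad++; print "not listening: " q }
            exit (bad > 0)
        }'
}

# Stand-alone run: exercise both samples.
printf '%s\n' "$SAMPLE_GOOD" | minio_listen_check 9000 9001 && echo "good sample: ok"
printf '%s\n' "$SAMPLE_BAD"  | minio_listen_check 9000 9001 || echo "bad sample: problems found"
```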

Configure Relayd

set our fqdn as variable

export MYDOMAIN="your.domain.de"
cat << EOF > /etc/relayd.conf
log connection errors

table <minio_host> { "127.0.0.1" }

minio_fqdn = "${MYDOMAIN}"
minio_port = "9001"

http protocol "https-filter" {
        block
        
        pass request header "Host" value \$minio_fqdn forward to <minio_host>
        tls keypair \$minio_fqdn

        # for minio: extend http headerlen (default = 8192)
        http headerlen 24576

        # performance enhancement
        tcp { nodelay, sack, backlog 128 }

        match header set "X-Client-IP"      value "\$REMOTE_ADDR:\$REMOTE_PORT"
        match header set "X-Forwarded-For"  value "\$REMOTE_ADDR"
        match header set "X-Forwarded-By"   value "\$SERVER_ADDR:\$SERVER_PORT"
}

relay "https" {
        listen on egress port https tls
        
        # for minio: extend session timeout (default = 600)
        session timeout 1800

        protocol "https-filter"
        forward to <minio_host> port \$minio_port check tcp
}
EOF

Create SelfSigned Cert

you can skip this, since the Let’s Encrypt setup works … -> jump ahead to “create acme-client.conf”

cd /etc/ssl
export CERT_SUBJ="/C=CH/ST=ZURICH/L=/O=STOEGE/OU=/CN=$MYDOMAIN"
openssl req -newkey rsa:2048 -new -nodes -x509 -days 36500 -keyout private/$MYDOMAIN.key -out $MYDOMAIN.crt -subj "$CERT_SUBJ"
chmod 400 private/$MYDOMAIN.key

create acme-client.conf

we need a small config file for acme client

# Copy Example
cp /etc/examples/acme-client.conf /etc/

# Drop the example domain block (the last 6 lines of the file)
sed -i -e :a -e '$d;N;2,6ba' -e 'P;D' /etc/acme-client.conf

# Append MyStuff
cat << EOF >> /etc/acme-client.conf
# added $(date)
domain ${MYDOMAIN} {
  domain key "/etc/ssl/private/${MYDOMAIN}.key"
  domain full chain certificate "/etc/ssl/${MYDOMAIN}.fullchain.pem"
  sign with letsencrypt
}
EOF

Config Webserver

minimal config for the httpd server

cat << EOF > /etc/httpd.conf
server "${MYDOMAIN}" {
  listen on * port 80
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
  }
}
EOF

Start Webserver, Get Cert, Stop Webserver

we briefly need to start the webserver so acme-client can answer the challenge

rcctl -f start httpd
acme-client -v ${MYDOMAIN}
rcctl stop httpd

Extract Cert

we got the full chain from Let’s Encrypt; relayd wants our own certificate under /etc/ssl/${MYDOMAIN}.crt, so extract the first block (everything up to the first empty line)

sed '/^$/,$d' /etc/ssl/${MYDOMAIN}.fullchain.pem > /etc/ssl/${MYDOMAIN}.crt

Enable and Start

finally start Relayd

rcctl enable relayd
rcctl restart relayd

-> does it work now? yes, it works!

Don’t forget to change the default username / password asap …

Management

add Client

pkg_add minioc

restart verbose

rcctl -d restart minio
minioc alias set myminio http://x.x.x.x:9000 minioadmin minioadmin

minioc: Configuration written to `/root/.minioc/config.json`. Please update your access credentials.
minioc: Successfully created `/root/.minioc/share`.
minioc: Initialized share uploads `/root/.minioc/share/uploads.json` file.
minioc: Initialized share downloads `/root/.minioc/share/downloads.json` file.
Added `myminio` successfully.
