做网站用图床是一个常见做法，好处是把静态文件放在一个专门的服务器上分担主站点的流量，通过异步延迟载入图片来优化网站的载入速度，本文介绍 Minio 的基本配置方法。

下载 Minio

wget https://dl.min.io/server/minio/release/linux-amd64/minio -P /usr/local/bin
chmod +x /usr/local/bin

赋予 Minio 程序用户和组权限

chown www:www /usr/local/bin/minio

建议和 nginx 的用户和组相同，便于访问，我使用的是 www。

创建环境变量文件

配置文件定义环境变量，路径是 /etc/default/minio

MINIO_VOLUMES="/data/"
MINIO_OPTS="-C /etc/minio --address 127.0.0.1:9000 --console-address 127.0.0.1:9001"
MINIO_ROOT_USER="管理员账号"
MINIO_ROOT_PASSWORD="管理员密码"

这里把配置文件设置在 /etc/minio，默认监听在 127.0.0.1 的 9000 和 9001 端口，其中 9000 端口用作 web 访问，9001 用作管理。注意修改 root 账户名称和密码，另外赋予 /data 访问权限（www）：

使用 systemd 来管理

创建 systemd 脚本，文件路径为 /etc/systemd/system/minio.service：

[Unit]
Description=MinIO
Documentation=https://docs.min.io
Wants=network-online.target
After=network-online.target
AssertFileIsExecutable=/usr/local/bin/minio

[Service]
WorkingDirectory=/usr/local/

User=minio-user
Group=minio-user

EnvironmentFile=/etc/default/minio
ExecStartPre=/bin/bash -c "if [ -z \"${MINIO_VOLUMES}\" ]; then echo \"Variable MINIO_VOLUMES not set in /etc/default/minio\"; exit 1; fi"

ExecStart=/usr/local/bin/minio server $MINIO_OPTS $MINIO_VOLUMES

# Let systemd restart this service always
Restart=always

# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65536

# Disable timeout logic and wait until process is stopped
TimeoutStopSec=infinity
SendSIGKILL=no

[Install]
WantedBy=multi-user.target

# Built for ${project.name}-${project.version} (${project.name})

开启并启动：

systemctl enable minio.service
systemctl start minio.service

配置对外访问

在配置文件里，我们将 Minio 监听的是 127.0.0.1，默认只有本机能访问，我们需要配置 Nginx 的反向代理，并将访问地址暴露到互联网。具体过程略，有需要的请参考下面这篇文章：

编译安装 Nginx 反向代理具有 pagespeed 等高级功能

Nginx 是一款轻量级的Web服务器、反向代理服务器，特点是内存占用少、启动快、高并发处理能力强，广泛非常应用。本文介绍的是编译安装方式，编译加入了 Naxsi、Replace Filter、Cac...

配置好之后创建一个配置文件，将服务对外暴露（配置部分的 SSL 证书请自行用 acme.sh 申请，这里不赘述）：

server
    {
        listen 443 ssl http2;
        #listen [::]:443 ssl http2;
        server_name XXXXXX.XXX;

        ssl_certificate /root/.acme.sh/XXX/fullchain.cer;
        ssl_certificate_key /root/.acme.sh/XXX/XXX.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
        ssl_session_cache builtin:1000 shared:SSL:10m;
        # openssl dhparam -out /usr/local/nginx/conf/ssl/dhparam.pem 2048
        ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
        # To allow special characters in headers
        ignore_invalid_headers off;
        # Allow any size file to be uploaded.
        # Set to a value such as 1000m; to restrict file size to a specific value
        client_max_body_size 0;
        # To disable buffering
        proxy_buffering off;

        location / {
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-NginX-Proxy true;

            # This is necessary to pass the correct IP to be hashed
            real_ip_header X-Real-IP;

            proxy_connect_timeout 300;
            
            # To support websocket
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            
            chunked_transfer_encoding off;

            proxy_pass http://127.0.0.1:9001;
        }

    }

这里配置的是 console address，也就是管理界面。下面这个则是访问端口（9000）的配置文件（注意域名要跟管理部分区分开）：

server
{
    listen 443 ssl http2;
    #listen [::]:443 ssl http2;
    server_name access.XXXXXX.XXX;
    ssl_certificate /root/.acme.sh/XXX/fullchain.cer;
    ssl_certificate_key /root/.acme.sh/XXX/XXX.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
    ssl_session_cache builtin:1000 shared:SSL:10m;
    # openssl dhparam -out /usr/local/nginx/conf/ssl/dhparam.pem 2048
    ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
    # To allow special characters in headers
    ignore_invalid_headers off;
    # Allow any size file to be uploaded.
    # Set to a value such as 1000m; to restrict file size to a specific value
    client_max_body_size 0;
    # To disable buffering
    proxy_buffering off;

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    
        proxy_connect_timeout 300;
        # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        chunked_transfer_encoding off;
    
        proxy_pass http://127.0.0.1:9000;
    }
}

配置完毕后重启 nginx

systemctl restart nginx

最后，通过刚才设置的账号密码登陆到管理界面，创建 Buckets，生成 Toeken，就可以正常使用了。对 WordPress 而言，建议使用下面这个插件对接 S3 对象存储：

Media Cloud for Amazon S3, Imgix, Google Cloud Storage, DigitalOcean Spaces and more

Automatically store media on Amazon S3, Google Cloud Storage, DigitalOcean Spaces + others. Serve CSS/JS assets through CDNs. Integrate with Imgix.

• Minio
• Nginx
• S3
• 对象存储