Hi, I have self-hosted Minio S3-compatible storage deployed on a server, and had been trying to get Omeka-S’s AnyCloud module to work with that, but there were blockers preventing it. Finally cracked through. Sharing all the steps I had to do to make it work, hoping it helps others.
Getting the “why” out of the way :
- This is an intermediate step; the purchase of Aws or Wasabi service is still some months away in our project.
- Wasabi was an attractive option, but their free trial doesn’t allow Anonymous Read-only access to buckets - which is a prerequisite for making things work in AnyCloud, and their minim paid tier is 1TB - we’re not there yet.
- The Omeka-s instance we’re working with is hosted on a server where space is running out and it’s more expensive to add more storage there. And we can’t migrate the whole thing over to another place yet.
The problem
- When we configure an https:// endpoint URL and a bucketname in AnyCloud, the baseurl it hits for all file upload / fetch operations becomes :
https://[bucketname].[endpoint-url]/[folder]/filename
. folder
being “original”, “large”, “medium”, “square”- Minio isn’t expecting things this way. It expects the bucketname to be the first string before a
/
in[folder]
. - And, when we’re self-hosting, it’s not a straightforward thing to just automatically create subdomains and have them map to the minio deployment.
- I tried some path-forwarding hacks. They worked for fetching files, but failed the S3 signature check when an upload was attempted from Omeka-s side.
- If I used the
http://IP-address:port
of my minio deployment instead of https:// endpoint, then AnyCloud didn’t do the bucketname-prefixing now, and uploading worked, because the http:// urls is hit from the backend. - BUT… fetching of files went for a toss, because that’s done from the frontend, and browsers don’t allow you to pull in images etc from
http://
urls as a security measure.
The hack
- My minio deployment was mapped to a subdomain like this:
https://subdomain.domain.com
. - In AnyCloud configuration, for endpoint url I entered the top-level domain only like
https://domain.com
- In Bucket name, I entered the
subdomain
. - In the Minio instance, I created buckets by the name of all the folders that Omeka-s uses :
original, large, medium, square
, and also all additional folders that I found under files/ path in the Omeka-s folder. - I updated each bucket’s access rules to allow public read-only access.
- And now it worked! For uploading or fetching files, Omeka-s is hitting urls like
https://subdomain.domain.com/original/filename
, and Minio being mapped tohttps://subdomain.domain.com
is gladly receiving the request, usingoriginal
here as the Bucket name, and saving/fetchingfilename
in it.
How to deploy Minio on a https:// url
Pre-requisites
-
Add a subdomain A-record in your domain’s DNS settings pointing to your server’s IP address. Check with your domain provider for how to or lookup their guides articles.
-
Setup Nginx on the server, with a virtualhost/conf for your subdomain url. You can lookup online.
-
Docker needs to be installed. The main docker site has the instructions needed.
Minio deployment
I’m using docker compose to deploy Minio instead of direct-installing; makes things much easier in terms of controlling the location of the storage folder, the port number etc. Sample docker-compose.yaml :
services:
minio1:
image: minio/minio:latest
container_name: minio1
restart: always
volumes:
- /mnt/HC_Volume_101240489/minio-data:/data1
ports:
- 9001:9000
- 9091:9091
environment:
- MINIO_ROOT_USER=ACCESS_KEY
- MINIO_ROOT_PASSWORD=ACCESS_SECRET
command:
server /data1 --console-address ":9091"
- Note the line under
volumes
: part left of ‘:’ is the local folder path where everything is stored. On my server, this is a mounted 100GB volume. - Replace
ACCESS_KEY
andACCESS_SECRET
with your values, and those are the ones you have to put in in AnyCloud configuration as well. - Note the
9091
above - that’s for the minio console (aka control-panel, dashboard) url. Keep it consistent.
Reverse-proxying minio in nginx conf
This link was helpful to setup reverse-proxy in the server’s Nginx setup: cookbook/docs/setup-nginx-proxy-with-minio.md at master · astaxie/cookbook · GitHub . It does the job till http:// .
Enabling SSL
To make it https:// , normal LetsEncrypt process is enough. There is no further work needed in terms of mounting certificates in minio etc. No need to go down that rabbit-hole.
You can look online for “LetsEncrpy certbot nginx”.
The commands:
snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot
certbot --nginx
Choose the minio subdomain, go with defaults in all the things it asks.
Creating the buckets in Minio
- We have to open the Minio’s console url in web browser. in above example it’s on :9091 port. I accessed it on url:
http://[IP-address]:9091
. - You might need to firewall-allow or ssh-tunnel at your end to be able open it.
- It’s not recommended to leave these things open from security point-of-view; for setting-up stage you can do it as temporary and close it off later.
- Login with the
ACCESS_KEY
andACCESS_SECRET
values that you’ve set - they double up as username and password. - Buckets > Create Bucket > enter each Omeka-S folder name like “original”, “large” etc and create the bucket without other settings changed.
- Click on the created Bucket > Go to Anonymous side-tab > Add Access Rule > Enter prefix as
/
and choosereadonly
for Access.
PS: Some online guide links had to be removed due to forum limitations on posting links.