MinIO/S3：使用 Traefik 反向代理 + nginx-s3-gateway 的静态托管

以下 docker-compose.yml 使用 nginx-s3-gateway 将 HTTP 请求代理到配置的 S3 兼容存储后端（本例中为 MinIO）。这提供了由 Nginx, Inc. 支持的生产级性能，加上高度可配置性——由于 nginx-s3-gateway 内部使用 nginx，可以灵活地进行配置。

关于我们如何设置 Traefik 以与这些容器标签配合工作的详细信息，请参见使用 Let’s Encrypt Cloudflare DNS-01、TLS-ALPN-01 和 HTTP-01 挑战的简单 Traefik docker-compose 设置。

docker-compose.yml

services:
  s3-gateway:
    image: nginxinc/nginx-s3-gateway:latest
    environment:
      # 必填项（参见仓库文档）
      S3_BUCKET_NAME: "mydomain-app"
      AWS_ACCESS_KEY_ID: "mydomain-app-reader"
      AWS_SECRET_ACCESS_KEY: "Ooch7rooD8yo8ooW6ohghahNgaeshu"
      S3_SERVER: "minio.mydomain.com"
      S3_REGION: "eu-central-1"
      S3_STYLE: "path"
      S3_SERVER_PORT: "443"
      S3_SERVER_PROTO: "https"
      AWS_SIGS_VERSION: "4"
      PROVIDE_INDEX_PAGE: true
      ALLOW_DIRECTORY_LIST: "false"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.app-mydomain.rule=Host(`app.mydomain.com`)"
      - "traefik.http.routers.app-mydomain.entrypoints=websecure"
      - "traefik.http.routers.app-mydomain.tls.certresolver=cloudflare-ec384"
      - "traefik.http.routers.app-mydomain.tls.domains[0].main=mydomain.com"
      - "traefik.http.routers.app-mydomain.tls.domains[0].sans=*.mydomain.com"

services:
  s3-gateway:
    image: nginxinc/nginx-s3-gateway:latest
    environment:
      # 必填项（参见仓库文档）
      S3_BUCKET_NAME: "mydomain-app"
      AWS_ACCESS_KEY_ID: "mydomain-app-reader"
      AWS_SECRET_ACCESS_KEY: "Ooch7rooD8yo8ooW6ohghahNgaeshu"
      S3_SERVER: "minio.mydomain.com"
      S3_REGION: "eu-central-1"
      S3_STYLE: "path"
      S3_SERVER_PORT: "443"
      S3_SERVER_PROTO: "https"
      AWS_SIGS_VERSION: "4"
      PROVIDE_INDEX_PAGE: true
      ALLOW_DIRECTORY_LIST: "false"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.app-mydomain.rule=Host(`app.mydomain.com`)"
      - "traefik.http.routers.app-mydomain.entrypoints=websecure"
      - "traefik.http.routers.app-mydomain.tls.certresolver=cloudflare-ec384"
      - "traefik.http.routers.app-mydomain.tls.domains[0].main=mydomain.com"
      - "traefik.http.routers.app-mydomain.tls.domains[0].sans=*.mydomain.com"

基准测试结果

使用 wrk 进行基准测试。服务器运行在 AMD Ryzen 5 3600 6-Core Processor 上，仅使用 HDD（无 SSD），MinIO 通过 HTTPS 提供 S3 bucket 服务。客户端通过路由网络连接，ping 延迟为 0.3ms。

wrk_benchmark.txt

$ wrk -t20 -c1000 -d30s --latency https://my.domain.com
Running 30s test @ https://my.domain.com/
  20 threads and 1000 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency    55.16ms   77.11ms   1.92s    96.45%
    Req/Sec   289.80     88.91   630.00     72.58%
  Latency Distribution
     50%   41.14ms
     75%   53.31ms
     90%   86.89ms
     99%  439.90ms
  171457 requests in 30.09s, 1.01GB read
  Socket errors: connect 0, read 0, write 0, timeout 850
  Non-2xx or 3xx responses: 6

$ wrk -t20 -c1000 -d30s --latency https://my.domain.com
Running 30s test @ https://my.domain.com/
  20 threads and 1000 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency    55.16ms   77.11ms   1.92s    96.45%
    Req/Sec   289.80     88.91   630.00     72.58%
  Latency Distribution
     50%   41.14ms
     75%   53.31ms
     90%   86.89ms
     99%  439.90ms
  171457 requests in 30.09s, 1.01GB read
  Socket errors: connect 0, read 0, write 0, timeout 850
  Non-2xx or 3xx responses: 6

从结果可以看出，即使在仅使用 HDD 的次优配置加上额外的 TLS-to-MinIO 开销下，该设置也能以合理的延迟和极低的错误率处理极端负载，适合生产环境使用。

Check out similar posts by category: Nginx, Traefik, S3

If this post helped you, please consider buying me a coffee or donating via PayPal to support research & publishing of new posts on TechOverflow

Buy me a coffee