feat: add alist proxy server

Author: boxsnake

Diff for: docker/.env.example

@@ -6,14 +6,13 @@ NACOS_PASS=nacos
 
 MINIO_PORT_API=9000
 MINIO_PORT_CONSOLE=9001
+MINIO_PORT_PROXY=9010
 # Notes:
 #   - MinIO password should be more than 8 characters
 #   - Root password is password to login console
 #   - Non-root password is for foreign API access
 MINIO_ROOT_USER=admin
 MINIO_ROOT_PASS=pw12345678
-MINIO_USER=minio
-MINIO_PASS=MINIO_123456
 MINIO_BUCKET_IMAGE=images
 # Note: Access key length should be between 3 and 20
 MINIO_KEY=KYJG_UPLOAD_KEY

Diff for: docker/composer/docker-compose.img-alist-build.minio-proxy.Dockerfile

@@ -0,0 +1,12 @@
+FROM nginx:1.25-alpine
+
+WORKDIR /data
+ADD docker/config/img-alist-builder/minio-proxy /etc/nginx
+
+RUN mkdir -p ./log && \
+    mkdir -p ./cache/proxy_temp_dir && \
+    mkdir -p ./cache/proxy_cache_dir && \
+    chown -R nginx:nginx .
+
+VOLUME ["/data/cache", "/data/log"]
+EXPOSE 80

Diff for: docker/composer/docker-compose.img-alist-build.yml

@@ -5,6 +5,11 @@ services:
     build:
       context: ${PROJECT_BASE}
       dockerfile: docker/composer/docker-compose.img-alist-build.minio.Dockerfile
+  minio-proxy:
+    image: gsapi/minio-proxy
+    build:
+      context: ${PROJECT_BASE}
+      dockerfile: docker/composer/docker-compose.img-alist-build.minio-proxy.Dockerfile
   minio-img2webp:
     image: gsapi/minio-img2webp
     build:

Diff for: docker/composer/docker-compose.img-alist-run.yml

@@ -35,6 +35,7 @@ services:
     environment:
       MINIO_ROOT_USER: ${MINIO_ROOT_USER}
       MINIO_ROOT_PASSWORD: ${MINIO_ROOT_PASS}
+      MINIO_BROWSER_REDIRECT_URL: http://localhost:${MINIO_PORT_CONSOLE:-9001}
     volumes:
       - ${DATA_DIR}/minio/config:/root/.minio
       - ${DATA_DIR}/minio/data:/data
@@ -61,8 +62,7 @@ services:
         aliases:
           - minio-proxy.local
     volumes:
-      - ${DATA_DIR}/minio-proxy/pid:/var/run
-      - ${DATA_DIR}/minio-proxy/cache:/var/cache/nginx
+      - ${DATA_DIR}/minio-proxy/cache:/data/cache
       - ${DATA_DIR}/minio-proxy/log:/data/log
     ports:
       - ${MINIO_PORT_PROXY:-9010}:80
@@ -131,8 +131,6 @@ services:
     environment:
       MINIO_ROOT_USERNAME: ${MINIO_ROOT_USER}
       MINIO_ROOT_PASSWORD: ${MINIO_ROOT_PASS}
-      MINIO_USERNAME: ${MINIO_USER}
-      MINIO_PASSWORD: ${MINIO_PASS}
       MINIO_BUCKET_IMAGE: ${MINIO_BUCKET_IMAGE}
       MINIO_KEY: ${MINIO_KEY}
       MINIO_SECRET: ${MINIO_SECRET}
@@ -153,6 +151,7 @@ services:
       ALIST_USERNAME: ${ALIST_USERNAME}
       ALIST_PASSWORD: ${ALIST_PASSWORD}
       ALIST_MOUNT_PATH: ${ALIST_MOUNT_PATH}
+      ALIST_CACHE_EXPIRE: ${ALIST_CACHE_EXPIRE}
       MINIO_BUCKET_IMAGE: ${MINIO_BUCKET_IMAGE}
       MINIO_KEY: ${MINIO_KEY}
       MINIO_SECRET: ${MINIO_SECRET}

Diff for: docker/config/apt/debian-buster.list

@@ -110,6 +110,23 @@ function Encrypt-Password {
     }
 }
 
+function ConvertTo-Integer {
+    param(
+        [Parameter(
+            Mandatory = $true,
+            ValueFromPipeline = $true,
+            ValueFromPipelineByPropertyName = $true
+        )]
+        [Object] $NumericString
+    )
+
+    process {
+        $numberStr = "{0}" -f $NumericString;
+        $number = [int] $numberStr;
+        return $number;
+    }
+}
+
 # Process steps
 function Step-Login {
     $loginRes = Fetch-Api Post "api/auth/login/hash" -Body @{
@@ -136,9 +153,9 @@ function Step-AddStorage {
         mount_path = ${Env:ALIST_MOUNT_PATH}
         order = 0
         remark = "Image MinIO Storage"
-        cache_expiration = ${Env:ALIST_CACHE_EXPIRE}
+        cache_expiration = ConvertTo-Integer ${Env:ALIST_CACHE_EXPIRE}
         web_proxy = $false
-        webdav_policy = "native_proxy"
+        webdav_policy = "302_redirect"
         down_proxy_url = ""
         extract_folder = ""
         enable_sign = $false
@@ -148,12 +165,12 @@ function Step-AddStorage {
         addition = ConvertTo-Json @{
             root_folder_path = "/"
             bucket = ${Env:MINIO_BUCKET_IMAGE}
-            endpoint = "http://minio.local:9000"
-            region = "alist"
+            endpoint = "http://minio-proxy.local:80"
+            region = "minio"
             access_key_id = ${Env:MINIO_KEY}
             secret_access_key = ${Env:MINIO_SECRET}
             session_token = ""
-            custom_host = "minio.local:9000"
+            custom_host = "minio-proxy.local:80"
             sign_url_expire = 4
             placeholder = ""
             force_path_style = $true

Diff for: docker/config/img-alist-builder/alist-init/init-test.ps1

@@ -7,12 +7,10 @@ LOCK_FILE=${DATA_DIR}/initialized.lock
 # Initialization steps
 function step_init_minio () {
   mc alias set minio http://minio.local:9000 "${MINIO_ROOT_USERNAME}" "${MINIO_ROOT_PASSWORD}"
-  mc admin user add minio "${MINIO_USERNAME}" "${MINIO_PASSWORD}"
-  mc admin policy attach minio consoleAdmin --user "${MINIO_USERNAME}"
   mc admin user svcacct add \
     --access-key "${MINIO_KEY}" \
     --secret-key "${MINIO_SECRET}" \
-    minio "${MINIO_USERNAME}"
+    minio "${MINIO_ROOT_USERNAME}"
 }
 
 function step_add_img2webp_trigger () {
@@ -25,7 +23,12 @@ function step_add_img2webp_trigger () {
     queue_dir="" \
     queue_limit="0"
   mc admin service restart minio
-  mc mb minio/${MINIO_BUCKET_IMAGE}
+  mc mb \
+    --ignore-existing \
+    --region "minio" \
+    --with-versioning \
+    minio/${MINIO_BUCKET_IMAGE}
+  mc anonymous set public minio/${MINIO_BUCKET_IMAGE}
   mc event add minio/${MINIO_BUCKET_IMAGE} arn:minio:sqs::1:redis --suffix .jpg --event put
   mc event add minio/${MINIO_BUCKET_IMAGE} arn:minio:sqs::1:redis --suffix .jpeg --event put
   mc event add minio/${MINIO_BUCKET_IMAGE} arn:minio:sqs::1:redis --suffix .jfif --event put

Diff for: docker/config/img-alist-builder/alist-init/init.ps1

@@ -0,0 +1,87 @@
+user nginx;
+worker_processes auto;
+error_log /data/log/nginx-error.log crit;
+pid /var/run/nginx.pid;
+
+include /etc/nginx/modules-enabled/*.conf;
+
+worker_rlimit_nofile 51200;
+
+stream
+{
+    log_format tcp_format
+        '$time_local|$remote_addr|$protocol|$status|$bytes_sent|$bytes_received|'
+        '$session_time|$upstream_addr|$upstream_bytes_sent|$upstream_bytes_received|'
+        '$upstream_connect_time';
+
+    access_log /data/log/tcp-access.log tcp_format;
+    error_log /data/log/tcp-error.log;
+    include /etc/nginx/tcp/*.conf;
+}
+
+events
+{
+    use epoll;
+    worker_connections 51200;
+    multi_accept on;
+}
+
+http
+{
+    log_format http_format
+        '{'
+        '    "host": "$host",'
+        '    "request": "$request"'
+        '}';
+
+    map $http_upgrade $connection_upgrade
+    {
+        default upgrade;
+        ''      close;
+    }
+
+    include mime.types;
+    include proxy.conf;
+
+    default_type application/octet-stream;
+
+    server_names_hash_bucket_size 512;
+    client_header_buffer_size 32k;
+    large_client_header_buffers 4 32k;
+    client_max_body_size 300m;
+
+    sendfile on;
+    tcp_nopush on;
+
+    keepalive_timeout 60;
+
+    tcp_nodelay on;
+
+    fastcgi_connect_timeout 300;
+    fastcgi_send_timeout 300;
+    fastcgi_read_timeout 300;
+    fastcgi_buffer_size 64k;
+    fastcgi_buffers 4 64k;
+    fastcgi_busy_buffers_size 128k;
+    fastcgi_temp_file_write_size 256k;
+    fastcgi_intercept_errors on;
+
+    gzip on;
+    gzip_min_length 1k;
+    gzip_buffers 4 16k;
+    gzip_http_version 1.1;
+    gzip_comp_level 2;
+    gzip_types text/plain application/javascript application/x-javascript text/javascript text/css application/xml;
+    gzip_vary on;
+    gzip_proxied expired no-cache no-store private auth;
+    gzip_disable "MSIE [1-6]\.";
+
+    limit_conn_zone $binary_remote_addr zone=perip:10m;
+    limit_conn_zone $server_name zone=perserver:10m;
+
+    server_tokens off;
+    access_log /data/log/http-access.log http_format;
+    error_log /data/log/http-error.log;
+
+    include /etc/nginx/vhost/*.conf;
+}

Diff for: docker/config/img-alist-builder/minio-init/init.sh

@@ -0,0 +1,12 @@
+proxy_temp_path /data/cache/proxy_temp_dir;
+proxy_cache_path /data/cache/proxy_cache_dir levels=1:2 keys_zone=cache_one:20m inactive=1d max_size=5g;
+client_body_buffer_size 512k;
+proxy_connect_timeout 60;
+proxy_read_timeout 60;
+proxy_send_timeout 60;
+proxy_buffer_size 32k;
+proxy_buffers 4 64k;
+proxy_busy_buffers_size 128k;
+proxy_temp_file_write_size 128k;
+proxy_next_upstream error timeout invalid_header http_500 http_503 http_404;
+proxy_cache cache_one;

Diff for: docker/config/img-alist-builder/minio-proxy/nginx.conf

@@ -0,0 +1,24 @@
+location /
+{
+    proxy_pass http://minio.local:9000/;
+    proxy_set_header Host $http_host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header REMOTE-HOST $remote_addr;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade;
+    proxy_http_version 1.1;
+
+    add_header X-Cache $upstream_cache_status;
+
+    set $static_file_MINIO_IMG 0;
+    if ( $uri ~* "\.(gif|png|jpg|jpeg|jfif|webp|css|js|woff|woff2|ttf|eot)$" )
+    {
+        set $static_file_MINIO_IMG 1;
+        expires 1m;
+    }
+    if ( $static_file_MINIO_IMG = 0 )
+    {
+        add_header Cache-Control no-cache;
+    }
+}

Diff for: docker/config/img-alist-builder/minio-proxy/proxy.conf

@@ -0,0 +1,103 @@
+server
+{
+    listen 80;
+    index index.php index.html index.htm default.php default.htm default.html;
+    root /data;
+
+    add_header Strict-Transport-Security "max-age=31536000";
+    error_page 497 http://$host$request_uri;
+    add_header Access-Control-Allow-Origin '*' always;
+
+    # 引用反向代理规则
+    include proxy/minio-proxy.conf;
+
+    # 禁止访问的文件或目录
+    location ~ ^/(\.user.ini|\.htaccess|\.git|\.env|\.svn|\.project|LICENSE|README.md)
+    {
+        return 404;
+    }
+
+    # 一键申请SSL证书验证目录相关设置
+    location ~ \.well-known
+    {
+        allow all;
+    }
+
+    # 禁止在证书验证目录放入敏感文件
+    if ( $uri ~ "^/\.well-known/.*\.(php|jsp|py|js|css|lua|ts|go|zip|tar\.gz|rar|7z|sql|bak)$" )
+    {
+        return 403;
+    }
+
+    set $uri2 $uri;
+    location ~ .*\.(webp)$
+    {
+        proxy_pass http://minio.local:9000;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $http_host;
+
+        proxy_connect_timeout 300;
+        # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
+        proxy_http_version 1.1;
+        proxy_set_header Connection "";
+        proxy_intercept_errors on;
+        error_page 404 = @other;
+    }
+
+    location @other
+    {
+        rewrite ^(.*) $uri2 break;
+        proxy_pass http://minio.local:9000;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $http_host;
+
+        proxy_connect_timeout 300;
+        # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
+        proxy_http_version 1.1;
+        proxy_set_header Connection "";
+    }
+
+    location ~ .*\.(jpg|jpeg|png|jfif)$
+    {
+        expires 1d;
+        set $flag 0;
+        if ( $http_accept ~* '(image/webp)' )
+        {
+            # 判断来源设备是否支持 WebP
+            set $flag "${flag}1";
+        }
+        if ( $request_method ~* 'GET' )
+        {
+            #判断来源是否是 GET
+            set $flag "${flag}2";
+        }
+        if ( $flag = "012" ) {
+            rewrite ^/(.*)\.\w+$ /$1.webp last;
+        }
+
+        proxy_pass http://minio.local:9000;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $http_host;
+
+        proxy_connect_timeout 300;
+        # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
+        proxy_http_version 1.1;
+        proxy_set_header Connection "";
+    }
+
+    location ~ .*\.(js|css)?$
+    {
+        expires 12h;
+        error_log /dev/null;
+        access_log /dev/null;
+    }
+
+    access_log /dev/null;
+    error_log /data/log/minio-proxy.local-error.log;
+}