{"id":19135372,"url":"https://github.com/imiric/nginx-s3-proxy","last_synced_at":"2026-04-19T01:02:22.314Z","repository":{"id":146330236,"uuid":"195573527","full_name":"imiric/nginx-s3-proxy","owner":"imiric","description":"A containerized nginx configuration of a reverse proxy to an S3-compatible backend. Simple serving of static websites.","archived":false,"fork":false,"pushed_at":"2020-08-07T17:13:55.000Z","size":23,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-10-14T20:05:26.496Z","etag":null,"topics":["container","docker","nginx","podman","proxy","s3"],"latest_commit_sha":null,"homepage":"","language":"Dockerfile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"isc","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/imiric.png","metadata":{"files":{"readme":"README.org","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-07-06T18:57:17.000Z","updated_at":"2022-11-28T14:03:06.000Z","dependencies_parsed_at":"2023-04-03T19:32:26.573Z","dependency_job_id":null,"html_url":"https://github.com/imiric/nginx-s3-proxy","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/imiric/nginx-s3-proxy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/imiric%2Fnginx-s3-proxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/imiric%2Fnginx-s3-proxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/imiric%2Fnginx-s3-proxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/imiric%2Fnginx-s3-proxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/imiric","download_url":"https://codeload.github.com/imiric/nginx-s3-proxy/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/imiric%2Fnginx-s3-proxy/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":284134778,"owners_count":26953118,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-11-12T02:00:06.336Z","response_time":59,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["container","docker","nginx","podman","proxy","s3"],"created_at":"2024-11-09T06:30:01.479Z","updated_at":"2025-11-13T01:02:14.469Z","avatar_url":"https://github.com/imiric.png","language":"Dockerfile","funding_links":[],"categories":[],"sub_categories":[],"readme":"* nginx-s3-proxy\n\nThis is an nginx configuration of a reverse proxy to an S3-compatible\nbackend, such as [[https://aws.amazon.com/s3/][AWS S3]] itself, [[https://min.io/][Minio]] or [[https://wasabi.com/][Wasabi]].\n\nIt can function as an HTTP(S) caching node, typically useful for\nserving static web sites.\n\nIt compiles nginx from source adding [[https://github.com/anomalizer/ngx_aws_auth][ngx_aws_auth]] and\n[[https://github.com/openresty/headers-more-nginx-module][ngx_headers_more]] modules, and enables some useful built-in ones. Take\na look at the [[Dockerfile]].\n\n\n** Usage\n\n1. Clone this repo. Read, confirm or tweak the opinionated settings in\n[[src/nginx.conf.tmpl]].\n\n2. [@2] Install [[https://podman.io/][Podman]] (or directly use [[https://www.docker.com/][Docker]]\n   or another [[https://www.opencontainers.org/][OCI]]-compatible tool) and run:\n#+BEGIN_SRC shell\nmake image\n#+END_SRC\n\nThis should build a Podman image named ~imiric/nginx-s3-proxy~ and tagged\n~latest~.\n\nYou can control the tag by setting the ~VERSION~ environment variable. For\nexample:\n#+BEGIN_SRC shell\nexport VERSION=$(date +'%Y%m%d_%H%M%S'); make image\n#+END_SRC\n\n3. [@3] To run a container, first create a ~secrets.env~ file in the repo root\n   directory with the contents:\n#+BEGIN_SRC shell\nNGINX_S3_SERVER_NAME=\u003cyour server name, e.g. example.com\u003e\nNGINX_S3_PROXY_URL=\u003cURL of the S3 server, see examples below\u003e\nNGINX_S3_ACCESS_KEY=\u003ce.g. 1AMZ56N0NL6X032ZMLW7\u003e\nNGINX_S3_SECRET_KEY=\u003ce.g. Ig1SxVgistQ4W3nwwG0CsFy6l9ua485o9rh0fxGY\u003e\nNGINX_S3_BUCKET=\u003cyour S3 bucket name\u003e\n#+END_SRC\n\n~NGINX_S3_PROXY_URL~ for AWS S3 could be\n~http://$BUCKET_NAME.s3-website-us-east-1.amazonaws.com/~, and for\nWasabi ~https://s3.us-east-1.wasabisys.com/$BUCKET_NAME/~.\n\n4. [@4] Then run a container with:\n#+BEGIN_SRC shell\nmake DEBUG=1 run NAME=\u003cyour server name\u003e\n#+END_SRC\n\nThis should start the container in the foreground, mount the\n~secrets.env~ file as a volume, generate the ~/etc/nginx/nginx.conf~ file,\nand start ~nginx~ exposed to the host machine at ~127.0.0.1:8000~.\n\nThis is useful during development and testing, but in production run:\n#+BEGIN_SRC shell\nsudo -E make ENV=prod run NAME=\u003cyour server name\u003e\n#+END_SRC\n\nThis should do as before, except run the container in the background\nand also mount the ~/etc/ssl~ and ~/etc/letsencrypt~ host directories.\n\nRoot permission is needed for binding to ports \u003c=1024, which this does\nat ~0.0.0.0:80~ and ~0.0.0.0:443~.\n\n~sudo -E~ is used to pass environment variables to the root ~podman~ process.\nThis is handy if you previously ran ~export VERSION=$(date +'%Y%m%d_%H%M%S')~\nas all commands should build/use the same image version.\n\n\n*** Renewing TLS certificate\n\nThere's basic support for automating renewals of TLS certificates using\n[[https://letsencrypt.org/][Let's Encrypt]] and [[https://github.com/diafygi/acme-tiny][acme-tiny]].\n\n1. First build the ~*-letsencrypt~ image variant:\n#+BEGIN_SRC shell\nmake LETSENCRYPT=1 image\n#+END_SRC\n\nThe reason a separate image is used for Let's Encrypt is to avoid bundling LE\ndependencies in the production image, and to avoid exposing the\n~/.well-known/acme-challenge/~ endpoint, which is only needed during renewal.\n\n2. [@2] Ensure that the existing container serving on ~:80~ and ~:443~ is stopped:\n#+BEGIN_SRC shell\nsudo podman stop \u003cyour server name\u003e\n#+END_SRC\n\n3. [@3] Run the ~*-letsencrypt~ image variant:\n#+BEGIN_SRC shell\nsudo -E make DEBUG=1 LETSENCRYPT=1 ENV=prod run NAME=tls-renew\n#+END_SRC\n\nNOTE: We built the image in step 1 without ~sudo~ to reduce the amount\nof damage a hostile build script could do, but the image won't be\navailable to ~root~ with this approach, and Podman will attempt to\nfetch it from a public registry. If you trust the build process go\nahead and use ~sudo~ for building as well, but the author prefers to\nbuild rootless, transfer the image to the production environment\nvia SSH and load it with ~cat image.tar | sudo podman load~.\nIn \"proper\" production you might want to push to a centralized\nregistry instead. Feel free to use the approach that best works for\nyou, but image deployment is out of scope for this project.\n\n4. [@4] Run the TLS renewal script:\n#+BEGIN_SRC shell\nsudo podman exec -it tls-renew ./renew-tls-cert.sh \u003cyour server name\u003e\n#+END_SRC\n\nIf everything goes well, you should see some ~acme-tiny~ output and the\nlast two lines should be:\n#+BEGIN_SRC shell\nSigning certificate...\nCertificate signed!\n#+END_SRC\n\n5. [@5] Finally, exit the ~tls-renew~ container with Ctrl+C or\n~sudo podman stop tls-renew~, and restart the original production\ncontainer with ~sudo podman restart \u003cyour server name\u003e~ or recreate it\nwith ~sudo -E make ENV=prod run NAME=\u003cyour server name\u003e~.\n\n\n** License\n\n[[LICENSE][ISC]]\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fimiric%2Fnginx-s3-proxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fimiric%2Fnginx-s3-proxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fimiric%2Fnginx-s3-proxy/lists"}