S3ProxyをTLS対応でUbuntu上にインストールし、systemdでサービス化するメモ
S3ProxyをUbuntuにインストールするメモ。
専用ユーザーの作成
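# Dedicated unprivileged service account: no password, a non-interactive shell,
# and HOME pointed at the service's state directory (created in the next step)
# instead of a non-existent /home/s3proxy. --user-group makes the matching
# "s3proxy" group explicit, since the chown s3proxy:s3proxy calls later on rely
# on it. Guarded so that re-running the memo does not fail on an existing user.
id -u s3proxy > /dev/null 2>&1 || sudo useradd --system --user-group \
  --home-dir /var/lib/s3proxy --no-create-home \
  --shell /usr/sbin/nologin s3proxy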
ディレクトリ構成の作成
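# `install -d` creates each directory with owner, group and mode in one step.
# Code: root-owned, so the service account cannot replace its own binary.
sudo install -d -o root -g root -m 755 /opt/s3proxy
# Config: readable by the service (group), writable only by root. The service
# must not be able to rewrite its own credentials or keystore path.
sudo install -d -o root -g s3proxy -m 750 /etc/s3proxy
# State (bucket contents) and logs: owned by the service and not world-readable;
# the default 755 would expose object data and access logs to every local user.
sudo install -d -o s3proxy -g s3proxy -m 750 /var/lib/s3proxy
sudo install -d -o s3proxy -g s3proxy -m 700 /var/lib/s3proxy/data
sudo install -d -o s3proxy -g s3proxy -m 750 /var/log/s3proxy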
s3proxyバイナリの配置
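S3PROXY_VERSION=2.9.0
# Fetch the release asset. Compare the hash printed below against a checksum or
# signature obtained from a trusted source (the release page, if published)
# before installing; at minimum keep it so a later re-download can be compared.
wget -q "https://github.com/gaul/s3proxy/releases/download/s3proxy-${S3PROXY_VERSION}/s3proxy"
sha256sum s3proxy
# Install root-owned (not s3proxy-owned): the service account must not be able
# to overwrite the executable it runs as. `install` sets owner, group and mode
# atomically, replacing the mv/chown/chmod sequence.
sudo install -o root -g root -m 755 s3proxy /opt/s3proxy/s3proxy
# S3Proxy is a Java application (JKS keystore / keytool below), so a JRE has to
# be present on the host, e.g. `sudo apt install default-jre-headless`.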
キーストアの作成
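# Keystore password: generated once, kept in a root-only file and handed to
# keytool through -storepass:file so it never appears in argv (visible in `ps`)
# or in the shell history. The same value must be set as
# s3proxy.keystore-password in /etc/s3proxy/s3proxy.properties.
sudo sh -c 'umask 077; openssl rand -hex 16 > /etc/s3proxy/keystore.pass'
# Self-signed server certificate. The hostname is put in a SAN: many TLS clients
# ignore the CN and fail hostname verification on CN-only certificates. Add
# `,dns:localhost,ip:127.0.0.1` if the proxy is also reached that way. For
# anything beyond a lab, use a CA-issued certificate instead. Empty RDNs
# (OU=, O=, L=) are omitted from the DN.
sudo keytool -genkeypair -alias s3proxy -keyalg RSA -keysize 2048 \
  -validity 3650 -keystore /etc/s3proxy/keystore.jks \
  -storepass:file /etc/s3proxy/keystore.pass \
  -keypass:file /etc/s3proxy/keystore.pass \
  -dname "CN=s3proxy.maki.lol, ST=Tokyo, C=JP" \
  -ext "SAN=dns:s3proxy.maki.lol"
# The private key is readable only by the service account.
sudo chown s3proxy:s3proxy /etc/s3proxy/keystore.jks
sudo chmod 600 /etc/s3proxy/keystore.jks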
クライアントに信頼させる証明書（自己署名のサーバー証明書）が必要な場合
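# Export the self-signed server certificate in PEM form so clients can add it
# as a trust anchor (there is no separate CA here: the server cert is the root).
# /etc/s3proxy/keystore.pass holds the password that was used as -storepass when
# the keystore was created; passing it via :file keeps it out of argv and the
# shell history. The redirection runs as the invoking user, so s3proxy.crt is
# written to the current directory with that user's ownership.
sudo keytool -exportcert -keystore /etc/s3proxy/keystore.jks -alias s3proxy -rfc \
  -storepass:file /etc/s3proxy/keystore.pass > s3proxy.crt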
設定ファイルの作成
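# Client access key pair. Never keep the placeholder: generate random values
# (identity = access key id, credential = secret access key).
S3PROXY_IDENTITY=$(openssl rand -hex 10)
S3PROXY_CREDENTIAL=$(openssl rand -hex 32)
# Keystore password: must be exactly the -storepass used when the keystore was
# created. Taken from the environment if already set, otherwise from the
# password file written alongside the keystore; abort with a hint if neither.
S3PROXY_KEYSTORE_PASS=${S3PROXY_KEYSTORE_PASS:-$(sudo cat /etc/s3proxy/keystore.pass)}
: "${S3PROXY_KEYSTORE_PASS:?set to the -storepass used when creating the keystore}"
# Unquoted heredoc: ${...} expands here. The values are hex strings, so no
# shell metacharacters reach the expansion. The `#` lines are Java properties
# comments, not shell comments.
sudo tee /etc/s3proxy/s3proxy.properties > /dev/null <<EOF
s3proxy.authorization=aws-v4
s3proxy.identity=${S3PROXY_IDENTITY}
s3proxy.credential=${S3PROXY_CREDENTIAL}
# Listens on every interface. Restrict reachability with a host firewall
# (ufw/nftables) or bind a specific address if it should not be network-wide.
s3proxy.secure-endpoint=https://0.0.0.0:8443
s3proxy.keystore-path=/etc/s3proxy/keystore.jks
s3proxy.keystore-password=${S3PROXY_KEYSTORE_PASS}
jclouds.provider=filesystem-nio2
jclouds.filesystem.basedir=/var/lib/s3proxy/data
jclouds.region=us-east-1
EOF
# Show the generated key pair once so it can be handed to the client side.
printf 'access key id:     %s\nsecret access key: %s\n' "$S3PROXY_IDENTITY" "$S3PROXY_CREDENTIAL"
# The file holds secrets: readable only by the service account.
sudo chown s3proxy:s3proxy /etc/s3proxy/s3proxy.properties
sudo chmod 600 /etc/s3proxy/s3proxy.properties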
systemdサービスファイルの作成
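# systemd unit with sandboxing. Everything here runs as the unprivileged
# s3proxy user; 8443 is an unprivileged port, so no capability is required.
# After changes, `systemd-analyze security s3proxy` reports what is still
# exposed, and the logs after a restart show whether a directive broke the JVM.
sudo tee /etc/systemd/system/s3proxy.service > /dev/null <<'EOF'
[Unit]
Description=S3 Proxy Service
Documentation=https://github.com/gaul/s3proxy
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=s3proxy
Group=s3proxy
WorkingDirectory=/opt/s3proxy
# Files the service creates (bucket data) are private to it.
UMask=0077
# Execution command
ExecStart=/opt/s3proxy/s3proxy --properties /etc/s3proxy/s3proxy.properties
# Logging: append: keeps the file descriptor open, so rotate these with
# logrotate using copytruncate (or switch to journal and drop these two lines).
# Unit-level failures still go to the journal: `journalctl -u s3proxy`.
StandardOutput=append:/var/log/s3proxy/s3proxy.log
StandardError=append:/var/log/s3proxy/s3proxy-error.log
# Restart configuration
Restart=on-failure
RestartSec=10s
# Privilege: no capabilities at all, and none can be gained via setuid binaries.
NoNewPrivileges=true
CapabilityBoundingSet=
RestrictSUIDSGID=true
# Filesystem: read-only system, private /tmp and /dev, no /home; only the
# state and log directories are writable.
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ReadWritePaths=/var/lib/s3proxy /var/log/s3proxy
# Kernel / host surface the service has no business touching.
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true
ProtectProc=invisible
RestrictRealtime=true
RestrictNamespaces=true
LockPersonality=true
# Network sockets plus AF_UNIX/AF_NETLINK, which the JVM's networking code may
# use for local sockets and interface enumeration; tighten if the logs show it
# is not needed.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
SystemCallArchitectures=native
SystemCallFilter=@system-service
# Deliberately NOT set: MemoryDenyWriteExecute=true, which breaks the JVM JIT
# (it needs writable+executable mappings).
# Resource limits
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF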
サービスの有効化と起動
# Make systemd pick up the new unit file.
sudo systemctl daemon-reload
# Enable at boot and start right away in one step.
sudo systemctl enable --now s3proxy
# Confirm it came up.
sudo systemctl status s3proxy
動作確認
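# Service state, plus recent journal entries: unit-level problems (sandbox
# directives rejected, ExecStart failing) land in the journal, not in the
# application log files.
sudo systemctl status s3proxy
sudo journalctl -u s3proxy -n 50 --no-pager
# Process: pgrep does not match itself, unlike `ps aux | grep s3proxy`, and
# -u limits the listing to the service account.
pgrep -a -u s3proxy
# Listening socket, filtered by ss itself rather than by grep.
sudo ss -tlnp '( sport = :8443 )'
# TLS handshake plus the certificate actually served (subject and SAN), which is
# what a verifying client will check the hostname against.
openssl s_client -connect localhost:8443 -servername s3proxy.maki.lol < /dev/null 2>/dev/null \
  | openssl x509 -noout -subject -ext subjectAltName
# Application log (blocks; Ctrl-C to stop).
sudo tail -f /var/log/s3proxy/s3proxy.log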
AWS CLIで動作確認
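# Interactive prompt keeps the secret out of argv and of the shell history
# (`aws configure set aws_secret_access_key ...` leaves it in both). Enter the
# s3proxy.identity / s3proxy.credential values from s3proxy.properties and the
# region us-east-1.
aws configure --profile s3proxy
# Trust the exported self-signed certificate instead of disabling verification:
# --no-verify-ssl accepts any certificate, so the test proves nothing about TLS
# and is open to interception. With verification on, the endpoint hostname must
# match the certificate (its SAN, or the CN for clients that still fall back to
# it), so use the name the certificate was issued for rather than localhost, or
# add localhost/127.0.0.1 to the SAN when generating the keystore.
S3PROXY_ENDPOINT=https://s3proxy.maki.lol:8443
aws --profile s3proxy --endpoint-url "$S3PROXY_ENDPOINT" --ca-bundle ./s3proxy.crt s3 mb s3://test-bucket
aws --profile s3proxy --endpoint-url "$S3PROXY_ENDPOINT" --ca-bundle ./s3proxy.crt s3 ls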