docs/self-hosting/advanced/s3/rustfs.mdx
We need to configure an S3-compatible storage service in the server-side database to store files.
<Callout type={'info'}> Due to recent changes in MinIO's commercial strategy, we no longer recommend MinIO as the S3 storage backend. Please migrate to open-source solutions such as RustFS or ceph, or to cloud providers like Tencent Cloud Object Storage or Cloudflare R2. </Callout>
First, pull the RustFS Docker image:
docker pull rustfs/rustfs:latest
You can inspect its version with the following command. We recommend version v1.0.0 or above:
docker inspect --format='{{index .Config.Labels "version"}}' rustfs/rustfs:latest
We recommend using Docker Compose to deploy RustFS:
services:
rustfs:
image: rustfs/rustfs:latest
container_name: lobe-rustfs
ports:
- '9000:9000'
- '9001:9001'
environment:
- RUSTFS_CONSOLE_ENABLE=true
- RUSTFS_ACCESS_KEY=<YOUR_ACCESS_KEY>
- RUSTFS_SECRET_KEY=<YOUR_SECRET_KEY>
volumes:
- rustfs-data:/data
volumes:
rustfs-data:
Then start RustFS:
docker compose up -d
Open the RustFS WebUI (http://localhost:9001/) and you will be redirected to the login screen. Enter the username (RUSTFS_ACCESS_KEY in the docker-compose.yml) and password (RUSTFS_SECRET_KEY in the same file) to sign in.
Click Object Storage in the left sidebar, then the Create Bucket button in the top-right corner to create a new bucket. This example uses the name lobe. Leave Versioning and Object Lock disabled (default settings).
<Image alt={"Create Bucket"} src={'/blog/assetsc958eae64465451c4374cdee8f6fd596.webp'} />
Go to the bucket and click Settings, choose Custom for the policy, and paste the following JSON to make the bucket public-read/private-write:
{
"ID": "",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": [
"*"
]
},
"Action": [
"s3:GetObject"
],
"NotAction": [],
"Resource": [
"arn:aws:s3:::lobe/*"
],
"NotResource": [],
"Condition": {}
}
]
}
Save the settings to apply the policy.
<Callout type={'warning'}>
You can reuse the RUSTFS_ACCESS_KEY and RUSTFS_SECRET_KEY defined in the docker-compose.yml, but for better security we recommend creating a dedicated access key.
</Callout>
Click Access Key in the left sidebar, then Add Access Key to create a new key. The name is arbitrary, and you can keep the default main-account policy.
Copy the generated Access Key and Secret Key (the Export button lets you save the JSON locally). The English labels in the UI are confusing, but remember the shorter string is the Access Key and the longer string is the Secret Key (the exported JSON is correct).
<Image alt={"Add Key"} src={'/blog/assets43d66c62b79a027895b5a6127b2f2de2.webp'} />
<Image alt={"Export Key"} src={'/blog/assets04fecea4e5f4ce3490bf11bec66ff477.webp'} />
You also need reverse-proxy rules so that RustFS is accessible from the LAN/public internet. Map the following ports to domains:
| Domain | Port | Required |
|---|---|---|
lobe-s3-api.example.com | 9000 | Yes |
lobe-s3-ui.example.com | 9001 |
After completing the reverse proxy, remember to configure the corresponding SSL certificate and enable HTTPS access.
Update the LobeHub .env file with the following environment variables to use RustFS as the S3 backend:
# RustFS Access Key / Secret Key
S3_ACCESS_KEY_ID=<YOUR_ACCESS_KEY>
S3_SECRET_ACCESS_KEY=<YOUR_SECRET_KEY>
# RustFS API endpoint
S3_ENDPOINT=https://lobe-s3-api.example.com
# Bucket name
S3_BUCKET=lobe
S3_ENABLE_PATH_STYLE=1