
Posted on Fri 17 June 2022 under Object Storage

File Sharing with Caddy & MinIO

In this post, I'll explore a cost-effective and mobile-friendly method of securely sharing files across devices.

Last year I reviewed MinIO, a file sharing system with support for much of AWS S3's API. It's written in Go and supports storing data on S3, HDFS or with efficient redundancy on local disks. It comes with a Web UI out of the box that allows for setting up users, groups, buckets and allows downloading, uploading and previewing files, including videos, via both desktop and mobile web browsers. MinIO has had 9 security disclosures in the past 5 years.

Caddy Server began life in 2014 as an HTTPS-first web server. It's able to generate an SSL certificate via Let's Encrypt automatically when the server is launched. TLS 1.3 is supported and the certificate lasts for 90 days before it needs to be renewed. The 37,500 lines of Go that make up Caddy Server have primarily been written by Matt Holt, a software engineer based in Utah, and Francis Lavoie, a senior developer at Vectorface in Ottawa. In the summer of 2020, Caddy Server was acquired by Apilayer. To date, Caddy Server has only suffered 3 security disclosures.

While researching this post I found PCPartPicker had 14 TB, 7200 RPM disk drives selling for $199.99 giving a one-off cost of $14.34 / TB. If the above drive averages 100 MB/s serving a large file sequentially that means a 1 Gbps up connection could potentially be saturated when taking TCP/IP overheads into account. This is before taking any potential replication configuration or page caching into account.

This software stack can run either on residential or Cloud infrastructure and both Caddy Server and MinIO support Linux, macOS and Windows. In this post, I'll set up a file sharing system on my MacBook Pro.

Caddy Server Up & Running

The latest, stable version of Caddy Server can be installed via Homebrew on macOS.

$ brew install caddy

For demonstration purposes, I'll create a folder on my desktop and an example file.

$ mkdir -p ~/Desktop/working
$ cd ~/Desktop/working
$ echo test > test.txt

Running the following will launch Caddy's File Server. No domain name has been specified so the server will only run on TCP port 80 without TLS support.

$ caddy file-server --browse

Opening http://127.0.0.1/ will display a Web UI where files can be downloaded but not uploaded. Neither redundancy nor an S3 backend is supported out of the box, which is where MinIO comes in.

MinIO Up & Running

The latest stable version of MinIO can also be installed via Homebrew on macOS.

$ brew install minio/stable/minio

The following will launch the MinIO Web UI on TCP port 9001 and the API server on TCP port 9002. The root credentials should be changed to something more sophisticated.

$ MINIO_ROOT_USER=admin \
  MINIO_ROOT_PASSWORD=password \
  minio server \
    /Users/mark/Desktop/working \
    --console-address "127.0.0.1:9001" \
    --address 127.0.0.1:9002
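
The same launch with generated root credentials in place of admin/password, as an added example that is not from the original post. The credentials file path, the `root-` user prefix and the function names are assumptions; the length limits are MinIO's minimums of 3 characters for the user and 8 for the password.

```sh
#!/bin/sh
# Added example (not from the original post). CRED_FILE, DATA_DIR and the
# function names are assumptions chosen for illustration.
CRED_FILE="${CRED_FILE:-$HOME/.minio-root.env}"
DATA_DIR="${DATA_DIR:-$HOME/Desktop/working}"

# 24 bytes from the kernel CSPRNG, hex-encoded: 48 characters, 192 bits.
gen_secret() {
    head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Succeeds only if the pair meets MinIO's minimum lengths (user >= 3,
# password >= 8) and the password is not a well-known or derived value.
check_creds() {
    user=$1
    pass=$2
    [ "${#user}" -ge 3 ] || return 1
    [ "${#pass}" -ge 8 ] || return 1
    case "$pass" in
        password|minioadmin|"$user") return 1 ;;
    esac
    return 0
}

# Write a fresh credential pair to $1, readable by the owner only.
write_creds() {
    (
        umask 077
        printf 'MINIO_ROOT_USER=root-%s\nMINIO_ROOT_PASSWORD=%s\n' \
            "$(gen_secret | cut -c1-8)" "$(gen_secret)" > "$1"
    )
}

# Create credentials on first run, validate them, then start MinIO with
# the same listen addresses the post uses.
launch_minio() {
    [ -f "$CRED_FILE" ] || write_creds "$CRED_FILE"
    . "$CRED_FILE"
    check_creds "$MINIO_ROOT_USER" "$MINIO_ROOT_PASSWORD" || {
        echo "refusing to start: weak root credentials in $CRED_FILE" >&2
        return 1
    }
    export MINIO_ROOT_USER MINIO_ROOT_PASSWORD
    exec minio server "$DATA_DIR" \
        --console-address "127.0.0.1:9001" --address 127.0.0.1:9002
}

if [ "${1:-}" = "launch" ]; then launch_minio; fi
```

Invoked with the argument `launch` the script starts the server; the generated values can be read from the credentials file for the first console login.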

Caddy's Reverse Proxy

I've used Duck DNS to acquire a free CNAME that I've pointed at my residential IPv4 address. I'll set an environment variable with the Duck DNS API token and then feed that to Caddy Server.

$ export DUCKDNS_API_TOKEN=000000000-0000-aaaa-aaaa-000000000
$ vi Caddyfile
tls {
    dns duckdns {env.DUCKDNS_API_TOKEN}
}

I've set up port forwarding on my router. Both TCP ports 80 and 443 will forward to my MacBook Pro. Access to TCP port 80 allows for HTTP-based challenges from Let's Encrypt when generating SSL certificates.

I'll now launch Caddy's Reverse Proxy. The CNAME is for illustrative purposes.

$ caddy reverse-proxy \
    --from the-cname-i-picked.duckdns.org \
    --to 127.0.0.1:9001

Four random servers controlled by Let's Encrypt were able to fetch a challenge file, proving my control of the CNAME Duck DNS provided to me. I was then issued an SSL certificate that lives with Caddy Server's configuration in ~/Library/Application Support/Caddy.

Qualys' SSL Server Test tool gave the SSL certificate an A rating.

Connecting via curl I can see the certificate is good for 90 days and both Caddy and MinIO are identified as the server software.

$ curl -sv https://the-cname-i-picked.duckdns.org/ 1>/dev/null
...
*  start date: Jun 17 06:56:51 2022 GMT
*  expire date: Sep 15 06:56:50 2022 GMT
...
< server: Caddy
< server: MinIO Console
...

Opening https://the-cname-i-picked.duckdns.org/ from a browser on any given desktop or mobile device will bring up the login screen for MinIO. Once logged in, I can begin to share files.


Copyright © 2014 - 2022 Mark Litwintschik. This site's template is based off a template by Giulio Fidente.