1Panel + Docker: Deploying High-Performance Object Storage Garage (S3 Compatible)

·(edited)· / ·

readsAssisted writing

AI TranslationSimplified ChineseEnglish

Key Insights

Preface

When looking for self-hosted image hosting or private cloud storage solutions, MinIO is often the first choice. However, for individual developers or small-to-medium teams, Garage is a lighter, higher-performance, and more flexibly configurable alternative. Written in Rust, it has extremely low resource usage and is fully compatible with the AWS S3 protocol.

This article provides a detailed guide on how to deploy a production-ready Garage object storage service on the 1Panel panel using Docker Compose. It documents and addresses common configuration pitfalls (such as CORS cross-origin issues, WebUI authentication, domain binding, etc.) to build a private OSS that is both secure and easy to use.

0 Prerequisites

Server OS: Debian 12 (recommended) / Ubuntu 22.04+
Management Panel: 1Panel (with OpenResty/Nginx installed)
Core Tools: Docker & Docker Compose
Planned Domains:
s3.example.com — S3 API Endpoint (for upload/management tools)
img.example.com — Public Access Domain (for blog/website image references)
admin.example.com — Web Admin Panel (WebUI)

1 Preparing the Configuration File (`garage.toml`)

Create the directory in 1Panel: /opt/garage/config.
Create the file garage.toml with the following content:

CodeBlock Loading...

2 Writing the Compose File (`docker-compose.yml`)

Key Points:

WebUI Configuration Mounting: The WebUI container must mount garage.toml to automatically read the admin_token.
Password Escaping: In YAML, the $ symbol in Bcrypt password hashes must be written as $$.

Create the compose stack garage-stack in 1Panel with the following content:

CodeBlock Loading...

Start the compose stack and make sure both containers show as "Running".

3 Initializing the Node Layout

A freshly started Garage is in an "unassigned role" state and must be initialized.

Check the Node ID:
Run the following in the 1Panel terminal or via SSH:

CodeBlock Loading...

Copy the displayed Node ID, e.g., a8795c63e0c82b0b.

Assign Space and Apply Configuration:

CodeBlock Loading...

At this point, refreshing the WebUI should show a green Healthy status.

4 Creating a Bucket and Configuring Permissions

To use it as an image hosting service, we need to create a bucket and allow public access.

1. Create a Bucket

In the WebUI, click Buckets -> Create Bucket and name it photo.

2. Bind a Public Domain (Alias) & Enable Website Mode

This is the key to making images directly accessible via https://img.example.com/xxx.jpg.

CodeBlock Loading...

You can also set the Alias and enable Website directly in the WebUI.

3. Create an API Key

In the WebUI, click Keys -> Create Key (name it something like blog-key).
Immediately save the Access Key ID and Secret Access Key that appear.
Click Permissions on the right side of the Key, and check the Read/Write permissions for the photo bucket.
- Or authorize via command line: docker exec -it garage /garage bucket allow --read --write --key blog-key photo

5 Reverse Proxy and HTTPS Configuration (1Panel)

We need to set up three reverse proxies in 1Panel's "Websites" feature:

Domain	Proxy Target	Purpose
`s3.example.com`	`http://127.0.0.1:3900`	S3 API (use this in PicList/Lsky)
`admin.example.com`	`http://127.0.0.1:3903`	WebUI Admin Panel
`img.example.com`	`http://127.0.0.1:3902`	Public Image Access (note the port is 3902)

Remember to apply for and enable HTTPS certificates for all domains.

Security Tip: When using Host mode, it is recommended to only allow ports 80/443 for Nginx in 1Panel's firewall or your cloud provider's security group. Do not directly expose Garage's ports 3900-3903 to the public. Force all requests to go through the Nginx reverse proxy for better security.

6 Solving CORS Cross-Origin Issues

If you reference images on a blog or other website, the browser will block cross-origin requests. We need to force CORS headers in the Nginx configuration for img.example.com.

In 1Panel's website settings -> Configuration File, find the location / block and add the following:

NGINX

location / {
  
    #  CORS Configuration 
    add_header 'Access-Control-Allow-Origin' '*' always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, HEAD' always;
    add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization';
    
    #  Other configurations

    }
}

Save and reload Nginx.

7 Client Connection Configuration

The service is now fully ready. Enter the following configuration in your image hosting tool:

S3 Endpoint: https://s3.example.com
Bucket: photo
Access Key ID: (the ID obtained in Step 4)
Secret Access Key: (the Secret obtained in Step 4)
Region: garage (default)
Force Path Style: Enabled (True)
Custom Domain: https://img.example.com

Preface

0 Prerequisites

Server OS: Debian 12 (recommended) / Ubuntu 22.04+
Management Panel: 1Panel (with OpenResty/Nginx installed)
Core Tools: Docker & Docker Compose
Planned Domains:
s3.example.com — S3 API Endpoint (for upload/management tools)
img.example.com — Public Access Domain (for blog/website image references)
admin.example.com — Web Admin Panel (WebUI)

1 Preparing the Configuration File (`garage.toml`)

Create the directory in 1Panel: /opt/garage/config.
Create the file garage.toml with the following content:

TOML

metadata_dir = "/var/lib/garage/meta"
data_dir = "/var/lib/garage/data"
db_engine = "lmdb"

# Must be set to 1 for single-node deployment; adjust as needed for multi-node
replication_factor = 1

# 32-byte random key (generate with: openssl rand -hex 32)
rpc_secret = "c9a4b8d7e6f5a1c2b3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6"
rpc_bind_addr = "[::]:3901"
rpc_public_addr = "127.0.0.1:3901"

[s3_api]
s3_region = "garage"
api_bind_addr = "[::]:3900"
root_domain = "s3.example.com" # Enter your API domain

[s3_web]
bind_addr = "[::]:3902"
root_domain = "img.example.com" # Enter your public access domain
index = "index.html"

[admin]
api_bind_addr = "[::]:3903"
metrics_token = "change_me_please" # Token for metrics scraping
admin_token = "change_me_please"   # Admin token, automatically read by WebUI

CodeBlock Loading...

2 Writing the Compose File (`docker-compose.yml`)

Key Points:

WebUI Configuration Mounting: The WebUI container must mount garage.toml to automatically read the admin_token.
Password Escaping: In YAML, the $ symbol in Bcrypt password hashes must be written as $$.

Create the compose stack garage-stack in 1Panel with the following content:

YAML

services:
  garage:
    image: dxflrs/garage:v2.2.0  # Newer version
    container_name: garage
    restart: always
    network_mode: host           # Host mode, directly uses host ports
    volumes:
      - /opt/garage/config/garage.toml:/etc/garage.toml
      - /opt/garage/meta:/var/lib/garage/meta
      - /opt/garage/data:/var/lib/garage/data

  garage-webui:
    image: khairul169/garage-webui:latest
    container_name: garage-webui
    restart: always
    network_mode: host           # WebUI also uses Host mode for easy communication
    volumes:
      # Must mount the config file, otherwise WebUI cannot auto-authenticate
      - /opt/garage/config/garage.toml:/etc/garage.toml:ro
    environment:
      API_BASE_URL: "http://127.0.0.1:3903" 
      S3_ENDPOINT_URL: "http://127.0.0.1:3900"
      # Native login config: username:Bcrypt_hash (note the $$ escaping)
      # Generate with: python3 -c "import bcrypt; print(bcrypt.hashpw(b'your_password', bcrypt.gensalt()).decode())"
      # The example password below is 123456
      AUTH_USER_PASS: 'admin:$$2b$$12$$zm7W20msXJc5fVgj.fjGR.GfGQS2M1abvQf5k.aWZTQBZGv4QexpC'

CodeBlock Loading...

Start the compose stack and make sure both containers show as "Running".

3 Initializing the Node Layout

A freshly started Garage is in an "unassigned role" state and must be initialized.

Check the Node ID:
Run the following in the 1Panel terminal or via SSH:

BASH

docker exec -it garage /garage status

CodeBlock Loading...

Copy the displayed Node ID, e.g., a8795c63e0c82b0b.

Assign Space and Apply Configuration:

BASH

# Assign 500GB of logical space (does not immediately consume disk space)
docker exec -it garage /garage layout assign -z dc1 -c 500G <your_NodeID>

# Apply changes
docker exec -it garage /garage layout apply --version 1

CodeBlock Loading...

At this point, refreshing the WebUI should show a green Healthy status.

4 Creating a Bucket and Configuring Permissions

To use it as an image hosting service, we need to create a bucket and allow public access.

1. Create a Bucket

In the WebUI, click Buckets -> Create Bucket and name it photo.

2. Bind a Public Domain (Alias) & Enable Website Mode

This is the key to making images directly accessible via https://img.example.com/xxx.jpg.

BASH

# 1. Bind a domain alias (let Garage know this domain corresponds to the photo bucket)
docker exec -it garage /garage bucket alias set photo img.example.com

# 2. Enable website mode (allow anonymous GET requests)
docker exec -it garage /garage bucket website --allow photo --index index.html

CodeBlock Loading...

You can also set the Alias and enable Website directly in the WebUI.

3. Create an API Key

In the WebUI, click Keys -> Create Key (name it something like blog-key).
Immediately save the Access Key ID and Secret Access Key that appear.
Click Permissions on the right side of the Key, and check the Read/Write permissions for the photo bucket.
- Or authorize via command line: docker exec -it garage /garage bucket allow --read --write --key blog-key photo

5 Reverse Proxy and HTTPS Configuration (1Panel)

We need to set up three reverse proxies in 1Panel's "Websites" feature:

Domain	Proxy Target	Purpose
`s3.example.com`	`http://127.0.0.1:3900`	S3 API (use this in PicList/Lsky)
`admin.example.com`	`http://127.0.0.1:3903`	WebUI Admin Panel
`img.example.com`	`http://127.0.0.1:3902`	Public Image Access (note the port is 3902)

Remember to apply for and enable HTTPS certificates for all domains.

Security Tip: When using Host mode, it is recommended to only allow ports 80/443 for Nginx in 1Panel's firewall or your cloud provider's security group. Do not directly expose Garage's ports 3900-3903 to the public. Force all requests to go through the Nginx reverse proxy for better security.

6 Solving CORS Cross-Origin Issues

If you reference images on a blog or other website, the browser will block cross-origin requests. We need to force CORS headers in the Nginx configuration for img.example.com.

In 1Panel's website settings -> Configuration File, find the location / block and add the following:

NGINX

location / {
  
    #  CORS Configuration 
    add_header 'Access-Control-Allow-Origin' '*' always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, HEAD' always;
    add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization';
    
    #  Other configurations

    }
}

Save and reload Nginx.

7 Client Connection Configuration

The service is now fully ready. Enter the following configuration in your image hosting tool:

S3 Endpoint: https://s3.example.com
Bucket: photo
Access Key ID: (the ID obtained in Step 4)
Secret Access Key: (the Secret obtained in Step 4)
Region: garage (default)
Force Path Style: Enabled (True)
Custom Domain: https://img.example.com

1Panel + Docker: Deploying High-Performance Object Storage Garage (S3 Compatible)

1Panel + Docker: Deploying High-Performance Object Storage Garage (S3 Compatible)

Preface

0 Prerequisites

1 Preparing the Configuration File (garage.toml)

2 Writing the Compose File (docker-compose.yml)

3 Initializing the Node Layout

4 Creating a Bucket and Configuring Permissions

1. Create a Bucket

2. Bind a Public Domain (Alias) & Enable Website Mode

3. Create an API Key

5 Reverse Proxy and HTTPS Configuration (1Panel)

6 Solving CORS Cross-Origin Issues

7 Client Connection Configuration

Preface

0 Prerequisites

1 Preparing the Configuration File (garage.toml)

2 Writing the Compose File (docker-compose.yml)

3 Initializing the Node Layout

4 Creating a Bucket and Configuring Permissions

1. Create a Bucket

2. Bind a Public Domain (Alias) & Enable Website Mode

3. Create an API Key

5 Reverse Proxy and HTTPS Configuration (1Panel)

6 Solving CORS Cross-Origin Issues

7 Client Connection Configuration

1 Preparing the Configuration File (`garage.toml`)

2 Writing the Compose File (`docker-compose.yml`)

1 Preparing the Configuration File (`garage.toml`)

2 Writing the Compose File (`docker-compose.yml`)