
Add insecure_skip_verify option for HTTPS client in security.toml (#8781)

* Add -insecureSkipVerify flag and config option for filer.sync HTTPS connections

When using filer.sync between clusters with different CAs (e.g., separate
OpenShift clusters), TLS certificate verification fails with "x509:
certificate signed by unknown authority". This adds two ways to skip TLS
certificate verification:

1. CLI flag: `weed filer.sync -insecureSkipVerify ...`
2. Config option: `insecure_skip_verify = true` under [https.client] in
   security.toml

Closes #8778

* Add insecure_skip_verify option for HTTPS client in security.toml

When using filer.sync between clusters with different CAs (e.g., separate
OpenShift clusters), TLS certificate verification fails. Adding
insecure_skip_verify = true under [https.client] in security.toml allows
skipping TLS certificate verification.

The option is read during global HTTP client initialization so it applies
to all HTTPS connections including filer.sync proxy reads and writes.

Closes #8778

---------

Co-authored-by: Copilot <copilot@github.com>
pull/8784/head
Chris Lu 1 day ago
committed by GitHub
parent
commit
92c2fc0d52
No known key found for this signature in database GPG Key ID: B5690EEEBB952194
Changed files:
  weed/command/scaffold/security.toml (1)
  weed/util/http/client/http_client.go (7)
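To make concrete what the new option trades away, the following is an added example in Go; it is not SeaweedFS code and not part of this commit. It mints a throwaway CA and server certificate in-process, serves them from a local TLS listener, and probes that server with the three client configurations an operator can end up with: system roots only (the `x509: certificate signed by unknown authority` failure quoted in the commit message), `tls.Config.InsecureSkipVerify` (the field that `insecure_skip_verify = true` sets in the diff below), and a `RootCAs` pool holding the peer cluster's CA (what the `ca` option is for). The names `cluster-b-ca`, `filer.cluster-b`, `attacker.example` and the `Outcome`, `Run`, `fetch` and `mint` identifiers are the example's own assumptions.

```go
// Added example, not SeaweedFS code: what insecure_skip_verify gives up, beside the
// alternative of trusting the peer cluster's CA. Everything here is constructed in-process.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// Outcome records what each client configuration got back from the same server.
type Outcome struct {
	NoTrustErr        error  // system roots only: the "unknown authority" failure
	SkipVerifyBody    string // InsecureSkipVerify: succeeds, peer unauthenticated
	SkipVerifyNameErr error  // InsecureSkipVerify with a wrong ServerName: still nil
	PinnedCABody      string // RootCAs = peer cluster CA: succeeds and is verified
	PinnedCANameErr   error  // RootCAs with a wrong ServerName: rejected
}

// mint generates a P-256 key and signs tmpl with parentKey; with parentKey nil the
// certificate is self-signed. Setup failures are fatal for an example, so it panics.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// fetch does one GET through a transport built from cfg, the way a global HTTPS
// client is wired, and returns the response body.
func fetch(url string, cfg *tls.Config) (string, error) {
	tr := &http.Transport{TLSClientConfig: cfg, DisableKeepAlives: true}
	resp, err := (&http.Client{Transport: tr, Timeout: 5 * time.Second}).Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Run serves TLS with a certificate from a CA the client does not know and probes
// it with the three client configurations an operator can end up with.
func Run() Outcome {
	ca, caKey := mint(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "cluster-b-ca (constructed)"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	leaf, leafKey := mint(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "filer.cluster-b (constructed)"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}, // httptest listens on 127.0.0.1
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}}}
	srv.StartTLS()
	defer srv.Close()
	var out Outcome
	// 1. Default trust store: exactly the failure that motivated the change.
	_, out.NoTrustErr = fetch(srv.URL, &tls.Config{})
	// 2. insecure_skip_verify = true: no chain check and no hostname check, so any certificate is accepted.
	out.SkipVerifyBody, _ = fetch(srv.URL, &tls.Config{InsecureSkipVerify: true})
	_, out.SkipVerifyNameErr = fetch(srv.URL, &tls.Config{InsecureSkipVerify: true, ServerName: "attacker.example"})
	// 3. Trust the peer cluster's CA instead (what the ca option is for): verified, and a name mismatch is still caught.
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	out.PinnedCABody, _ = fetch(srv.URL, &tls.Config{RootCAs: pool})
	_, out.PinnedCANameErr = fetch(srv.URL, &tls.Config{RootCAs: pool, ServerName: "attacker.example"})
	return out
}

func main() { fmt.Printf("%+v\n", Run()) }
```

`go run` prints the five results. The second pair is the point: with `InsecureSkipVerify` the request succeeds even when `ServerName` names a host the certificate was never issued for, so a configured `ca` is not merely optional but irrelevant, and any on-path party presenting any certificate is accepted. The third pair shows that loading the other cluster's CA into the trust pool gets the cross-cluster connection working without giving that up.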

weed/command/scaffold/security.toml (1)

@ -135,6 +135,7 @@ enabled = false # Set to true to enable HTTPS for all outgoing HTTP client conn
cert = "" # Client certificate for mTLS (optional if server doesn't require client cert)
key = "" # Client key for mTLS (optional if server doesn't require client cert)
ca = "" # CA certificate to verify server certificates (required when enabled=true)
insecure_skip_verify = false # Skip TLS certificate verification (NOT recommended for production)
# Volume server HTTPS options (server-side)
# Enables HTTPS for incoming HTTP connections to volume server
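Review bot: the new `insecure_skip_verify` line leaves the `ca` comment directly above it saying a CA is "required when enabled=true", which stops being true once this option is set, and neither comment tells the operator what is actually given up. The field it maps to in http_client.go, `tls.Config.InsecureSkipVerify`, disables both chain validation and hostname verification, so a configured `ca` is loaded and then ignored and any certificate presented on the wire is accepted. Suggest amending both comments, for example `ca = "" # CA certificate to verify server certificates (required when enabled=true unless insecure_skip_verify=true)` and `insecure_skip_verify = false # Accept ANY server certificate (no chain or hostname check). NOT for production; prefer adding the other cluster's CA to ca`.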

weed/util/http/client/http_client.go (7)

@ -126,6 +126,13 @@ func NewHttpClient(clientName ClientName, opts ...HttpClientOpt) (*HTTPClient, e
tlsConfig.Certificates = append(tlsConfig.Certificates, *clientCertPair)
}
}
if getBoolOptionFromSecurityConfiguration(clientName, "insecure_skip_verify") {
if tlsConfig == nil {
tlsConfig = &tls.Config{}
}
tlsConfig.InsecureSkipVerify = true
}
}
httpClient.Transport = &http.Transport{
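Review bot: `tlsConfig.InsecureSkipVerify = true` is set silently, so a production deployment can run with server authentication disabled and nothing in the output says so; at a minimum log a warning when the option is read, and since `clientName` is already in hand the message can say which client it affects. The `if tlsConfig == nil { tlsConfig = &tls.Config{} }` branch also shows the option is honoured whether or not a `ca` was loaded above it, and when one was loaded it is now ignored, so consider warning on or rejecting `ca` together with `insecure_skip_verify` instead of accepting both without comment. Separately, the first bullet of the commit message promises a `weed filer.sync -insecureSkipVerify` CLI flag, but only security.toml and http_client.go are touched in this commit, so either the flag lives in another commit or the message should be trimmed to the config option it actually adds.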
