From 9b14f0c81a9348ccb8a79ffcf9cdbc7033d00fac Mon Sep 17 00:00:00 2001 From: Berck Nash Date: Mon, 14 Mar 2022 17:22:52 -0600 Subject: [PATCH] Add mTLS support for both master and volume http server. --- weed/command/master.go | 43 +++++++++++++++++++++++++---- weed/command/scaffold/security.toml | 6 ++++ weed/command/volume.go | 14 ++++++++-- weed/security/tls.go | 18 ++++++++++++ 4 files changed, 72 insertions(+), 9 deletions(-) diff --git a/weed/command/master.go b/weed/command/master.go index 1d236d532..a9109bdb8 100644 --- a/weed/command/master.go +++ b/weed/command/master.go @@ -1,23 +1,25 @@ package command import ( - "github.com/chrislusf/raft/protobuf" - stats_collect "github.com/chrislusf/seaweedfs/weed/stats" - "github.com/gorilla/mux" - "google.golang.org/grpc/reflection" "net/http" "os" "sort" "strings" "time" + "github.com/chrislusf/raft/protobuf" + stats_collect "github.com/chrislusf/seaweedfs/weed/stats" + "github.com/gorilla/mux" + "github.com/spf13/viper" + "google.golang.org/grpc/reflection" + "github.com/chrislusf/seaweedfs/weed/util/grace" "github.com/chrislusf/seaweedfs/weed/glog" "github.com/chrislusf/seaweedfs/weed/pb" "github.com/chrislusf/seaweedfs/weed/pb/master_pb" "github.com/chrislusf/seaweedfs/weed/security" - "github.com/chrislusf/seaweedfs/weed/server" + weed_server "github.com/chrislusf/seaweedfs/weed/server" "github.com/chrislusf/seaweedfs/weed/storage/backend" "github.com/chrislusf/seaweedfs/weed/util" ) @@ -138,6 +140,7 @@ func startMaster(masterOption MasterOptions, masterWhiteList []string) { if e != nil { glog.Fatalf("Master startup error: %v", e) } + // start raftServer raftServerOption := &weed_server.RaftServerOption{ GrpcDialOption: security.LoadClientTLS(util.GetViper(), "grpc.master"), @@ -183,11 +186,39 @@ func startMaster(masterOption MasterOptions, masterWhiteList []string) { go ms.MasterClient.KeepConnectedToMaster() // start http server + var ( + clientCertFile, + certFile, + keyFile string + ) + useTLS := false + useMTLS := false + + if viper.GetString("https.master.key") != "" { + useTLS = true + certFile = viper.GetString("https.master.cert") + keyFile = viper.GetString("https.master.key") + } + + if viper.GetString("https.master.ca") != "" { + useMTLS = true + clientCertFile = viper.GetString("https.master.ca") + } + httpS := &http.Server{Handler: r} if masterLocalListner != nil { go httpS.Serve(masterLocalListner) } - go httpS.Serve(masterListener) + + if useMTLS { + httpS.TLSConfig = security.LoadClientTLSHTTP(clientCertFile) + } + + if useTLS { + go httpS.ServeTLS(masterListener, certFile, keyFile) + } else { + go httpS.Serve(masterListener) + } select {} } diff --git a/weed/command/scaffold/security.toml b/weed/command/scaffold/security.toml index 090f4f664..38a803dd6 100644 --- a/weed/command/scaffold/security.toml +++ b/weed/command/scaffold/security.toml @@ -83,7 +83,13 @@ key = "" # this does not work with other clients, e.g., "weed filer|mount" etc, yet. [https.client] enabled = true + [https.volume] cert = "" key = "" +ca = "" +[https.master] +cert = "" +key = "" +ca = "" diff --git a/weed/command/volume.go b/weed/command/volume.go index f3b36fcda..645c698b1 100644 --- a/weed/command/volume.go +++ b/weed/command/volume.go @@ -2,7 +2,6 @@ package command import ( "fmt" - "github.com/chrislusf/seaweedfs/weed/storage/types" "net/http" httppprof "net/http/pprof" "os" @@ -11,6 +10,8 @@ import ( "strings" "time" + "github.com/chrislusf/seaweedfs/weed/storage/types" + "github.com/spf13/viper" "google.golang.org/grpc" @@ -24,7 +25,7 @@ import ( "github.com/chrislusf/seaweedfs/weed/glog" "github.com/chrislusf/seaweedfs/weed/pb/volume_server_pb" - "github.com/chrislusf/seaweedfs/weed/server" + weed_server "github.com/chrislusf/seaweedfs/weed/server" stats_collect "github.com/chrislusf/seaweedfs/weed/stats" "github.com/chrislusf/seaweedfs/weed/storage" "github.com/chrislusf/seaweedfs/weed/util" @@ -371,7 +372,14 @@ func (v VolumeServerOptions) startClusterHttpService(handler http.Handler) httpd StopTimeout: 30 * time.Second, CertFile: certFile, KeyFile: keyFile} - clusterHttpServer := httpDown.Serve(&http.Server{Handler: handler}, listener) + httpS := &http.Server{Handler: handler} + + if viper.GetString("https.volume.ca") != "" { + clientCertFile := viper.GetString("https.volume.ca") + httpS.TLSConfig = security.LoadClientTLSHTTP(clientCertFile) + } + + clusterHttpServer := httpDown.Serve(httpS, listener) go func() { if e := clusterHttpServer.Wait(); e != nil { glog.Fatalf("Volume server fail to serve: %v", e) diff --git a/weed/security/tls.go b/weed/security/tls.go index 2f01af1e7..79552c026 100644 --- a/weed/security/tls.go +++ b/weed/security/tls.go @@ -4,6 +4,7 @@ import ( "context" "crypto/tls" "crypto/x509" + "io/ioutil" "os" "strings" @@ -98,6 +99,23 @@ func LoadClientTLS(config *util.ViperProxy, component string) grpc.DialOption { return grpc.WithTransportCredentials(ta) } +func LoadClientTLSHTTP(clientCertFile string) *tls.Config { + clientCerts, err := ioutil.ReadFile(clientCertFile) + if err != nil { + glog.Fatal(err) + } + certPool := x509.NewCertPool() + ok := certPool.AppendCertsFromPEM(clientCerts) + if !ok { + glog.Fatalf("Error processing client certificate in %s\n", clientCertFile) + } + + return &tls.Config{ + ClientCAs: certPool, + ClientAuth: tls.RequireAndVerifyClientCert, + } +} + func (a Authenticator) Authenticate(ctx context.Context) (newCtx context.Context, err error) { p, ok := peer.FromContext(ctx) if !ok {