From de60f383de3202b2e5aaa57b9766376cd5b9b129 Mon Sep 17 00:00:00 2001 From: vadimartynov <166398828+vadimartynov@users.noreply.github.com> Date: Thu, 11 Jul 2024 18:53:18 +0400 Subject: [PATCH] Added tls for http handlers (#5764) * Added https handler for filer * Added example for security.toml --- weed/command/filer.go | 81 +++++++++++++++++++++++++---- weed/command/scaffold/security.toml | 11 +++- 2 files changed, 79 insertions(+), 13 deletions(-) diff --git a/weed/command/filer.go b/weed/command/filer.go index 1d8a6c4b8..6478493b6 100644 --- a/weed/command/filer.go +++ b/weed/command/filer.go @@ -1,6 +1,9 @@ package command import ( + "context" + "crypto/tls" + "crypto/x509" "fmt" "net" "net/http" @@ -10,8 +13,6 @@ import ( "strings" "time" - "google.golang.org/grpc/reflection" - "github.com/seaweedfs/seaweedfs/weed/filer" "github.com/seaweedfs/seaweedfs/weed/glog" "github.com/seaweedfs/seaweedfs/weed/pb" @@ -20,6 +21,10 @@ import ( weed_server "github.com/seaweedfs/seaweedfs/weed/server" stats_collect "github.com/seaweedfs/seaweedfs/weed/stats" "github.com/seaweedfs/seaweedfs/weed/util" + "github.com/spf13/viper" + "google.golang.org/grpc/credentials/tls/certprovider" + "google.golang.org/grpc/credentials/tls/certprovider/pemfile" + "google.golang.org/grpc/reflection" ) var ( @@ -63,6 +68,7 @@ type FilerOptions struct { diskType *string allowedOrigins *string exposeDirectoryData *bool + certProvider certprovider.Provider } func init() { @@ -220,6 +226,12 @@ func runFiler(cmd *Command, args []string) bool { return true } +// GetCertificateWithUpdate Auto refreshing TSL certificate +func (fo *FilerOptions) GetCertificateWithUpdate(*tls.ClientHelloInfo) (*tls.Certificate, error) { + certs, err := fo.certProvider.KeyMaterial(context.Background()) + return &certs.Certs[0], err +} + func (fo *FilerOptions) startFiler() { defaultMux := http.NewServeMux() @@ -329,15 +341,62 @@ func (fo *FilerOptions) startFiler() { httpS.Serve(filerSocketListener) }() } - if filerLocalListener != nil { - go func() { - if err := httpS.Serve(filerLocalListener); err != nil { - glog.Errorf("Filer Fail to serve: %v", e) + + if viper.GetString("https.filer.key") != "" { + certFile := viper.GetString("https.filer.cert") + keyFile := viper.GetString("https.filer.key") + caCertFile := viper.GetString("https.filer.ca") + disbaleTlsVerifyClientCert := viper.GetBool("https.filer.disable_tls_verify_client_cert") + + pemfileOptions := pemfile.Options{ + CertFile: certFile, + KeyFile: keyFile, + RefreshDuration: security.CredRefreshingInterval, + } + if fo.certProvider, err = pemfile.NewProvider(pemfileOptions); err != nil { + glog.Fatalf("pemfile.NewProvider(%v) failed: %v", pemfileOptions, err) + } + + caCertPool := x509.NewCertPool() + if caCertFile != "" { + caCertFile, err := os.ReadFile(caCertFile) + if err != nil { + glog.Fatalf("error reading CA certificate: %v", err) } - }() - } - if err := httpS.Serve(filerListener); err != nil { - glog.Fatalf("Filer Fail to serve: %v", e) - } + caCertPool.AppendCertsFromPEM(caCertFile) + } + clientAuth := tls.NoClientCert + if !disbaleTlsVerifyClientCert { + clientAuth = tls.RequireAndVerifyClientCert + } + + httpS.TLSConfig = &tls.Config{ + GetCertificate: fo.GetCertificateWithUpdate, + ClientAuth: clientAuth, + ClientCAs: caCertPool, + } + + if filerLocalListener != nil { + go func() { + if err := httpS.ServeTLS(filerLocalListener, "", ""); err != nil { + glog.Errorf("Filer Fail to serve: %v", e) + } + }() + } + if err := httpS.ServeTLS(filerListener, "", ""); err != nil { + glog.Fatalf("Filer Fail to serve: %v", e) + } + } else { + if filerLocalListener != nil { + go func() { + if err := httpS.Serve(filerLocalListener); err != nil { + glog.Errorf("Filer Fail to serve: %v", e) + } + }() + } + if err := httpS.Serve(filerListener); err != nil { + glog.Fatalf("Filer Fail to serve: %v", e) + } + } } diff --git a/weed/command/scaffold/security.toml b/weed/command/scaffold/security.toml index c5b2a563c..687854264 100644 --- a/weed/command/scaffold/security.toml +++ b/weed/command/scaffold/security.toml @@ -94,19 +94,26 @@ allowed_commonNames = "" # comma-separated SSL certificate common names [grpc.client] cert = "" key = "" - -# volume server https options # Note: work in progress! # this does not work with other clients, e.g., "weed filer|mount" etc, yet. [https.client] enabled = true +# volume server https options [https.volume] cert = "" key = "" ca = "" +# master server https options [https.master] cert = "" key = "" ca = "" + +# filer server https options +[https.filer] +cert = "" +key = "" +ca = "" +# disable_tls_verify_client_cert = true|false (default: false)