
Added tls for http handlers (#5764)

* Added https handler for filer

* Added example for security.toml
vadimartynov 5 months ago
committed by GitHub
de60f383de
  1. 81
      weed/command/filer.go
  2. 11
      weed/command/scaffold/security.toml

81
weed/command/filer.go

@ -1,6 +1,9 @@
package command package command
import ( import (
"context"
"crypto/tls"
"crypto/x509"
"fmt" "fmt"
"net" "net"
"net/http" "net/http"
@ -10,8 +13,6 @@ import (
"strings" "strings"
"time" "time"
"google.golang.org/grpc/reflection"
"github.com/seaweedfs/seaweedfs/weed/filer" "github.com/seaweedfs/seaweedfs/weed/filer"
"github.com/seaweedfs/seaweedfs/weed/glog" "github.com/seaweedfs/seaweedfs/weed/glog"
"github.com/seaweedfs/seaweedfs/weed/pb" "github.com/seaweedfs/seaweedfs/weed/pb"
@ -20,6 +21,10 @@ import (
weed_server "github.com/seaweedfs/seaweedfs/weed/server" weed_server "github.com/seaweedfs/seaweedfs/weed/server"
stats_collect "github.com/seaweedfs/seaweedfs/weed/stats" stats_collect "github.com/seaweedfs/seaweedfs/weed/stats"
"github.com/seaweedfs/seaweedfs/weed/util" "github.com/seaweedfs/seaweedfs/weed/util"
"github.com/spf13/viper"
"google.golang.org/grpc/credentials/tls/certprovider"
"google.golang.org/grpc/credentials/tls/certprovider/pemfile"
"google.golang.org/grpc/reflection"
) )
var ( var (
@ -63,6 +68,7 @@ type FilerOptions struct {
diskType *string diskType *string
allowedOrigins *string allowedOrigins *string
exposeDirectoryData *bool exposeDirectoryData *bool
certProvider certprovider.Provider
} }
func init() { func init() {
@ -220,6 +226,12 @@ func runFiler(cmd *Command, args []string) bool {
return true return true
} }
// GetCertificateWithUpdate Auto refreshing TSL certificate
func (fo *FilerOptions) GetCertificateWithUpdate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
certs, err := fo.certProvider.KeyMaterial(context.Background())
return &certs.Certs[0], err
}
func (fo *FilerOptions) startFiler() { func (fo *FilerOptions) startFiler() {
defaultMux := http.NewServeMux() defaultMux := http.NewServeMux()
@ -329,15 +341,62 @@ func (fo *FilerOptions) startFiler() {
httpS.Serve(filerSocketListener) httpS.Serve(filerSocketListener)
}() }()
} }
if filerLocalListener != nil {
go func() {
if err := httpS.Serve(filerLocalListener); err != nil {
glog.Errorf("Filer Fail to serve: %v", e)
if viper.GetString("https.filer.key") != "" {
certFile := viper.GetString("https.filer.cert")
keyFile := viper.GetString("https.filer.key")
caCertFile := viper.GetString("https.filer.ca")
disbaleTlsVerifyClientCert := viper.GetBool("https.filer.disable_tls_verify_client_cert")
pemfileOptions := pemfile.Options{
CertFile: certFile,
KeyFile: keyFile,
RefreshDuration: security.CredRefreshingInterval,
}
if fo.certProvider, err = pemfile.NewProvider(pemfileOptions); err != nil {
glog.Fatalf("pemfile.NewProvider(%v) failed: %v", pemfileOptions, err)
}
caCertPool := x509.NewCertPool()
if caCertFile != "" {
caCertFile, err := os.ReadFile(caCertFile)
if err != nil {
glog.Fatalf("error reading CA certificate: %v", err)
} }
}()
}
if err := httpS.Serve(filerListener); err != nil {
glog.Fatalf("Filer Fail to serve: %v", e)
}
caCertPool.AppendCertsFromPEM(caCertFile)
}
clientAuth := tls.NoClientCert
if !disbaleTlsVerifyClientCert {
clientAuth = tls.RequireAndVerifyClientCert
}
httpS.TLSConfig = &tls.Config{
GetCertificate: fo.GetCertificateWithUpdate,
ClientAuth: clientAuth,
ClientCAs: caCertPool,
}
if filerLocalListener != nil {
go func() {
if err := httpS.ServeTLS(filerLocalListener, "", ""); err != nil {
glog.Errorf("Filer Fail to serve: %v", e)
}
}()
}
if err := httpS.ServeTLS(filerListener, "", ""); err != nil {
glog.Fatalf("Filer Fail to serve: %v", e)
}
} else {
if filerLocalListener != nil {
go func() {
if err := httpS.Serve(filerLocalListener); err != nil {
glog.Errorf("Filer Fail to serve: %v", e)
}
}()
}
if err := httpS.Serve(filerListener); err != nil {
glog.Fatalf("Filer Fail to serve: %v", e)
}
}
} }
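Review bot: GetCertificateWithUpdate dereferences the KeyMaterial result before looking at its error, so a provider failure (or a provider that returns no certificates) turns into a nil-pointer or index-out-of-range panic inside the TLS handshake instead of a failed handshake; return early on err and on an empty Certs slice (rewrite below), and the doc comment should read "TLS", not "TSL". In the startFiler hunk, caCertPool is always a freshly built, empty x509.NewCertPool(), so with the scaffold default `ca = ""` and disable_tls_verify_client_cert unset the server requires client certificates and verifies them against an empty pool, which rejects every client; either refuse to start when client verification is enabled and no CA file is configured, or only set ClientCAs when one is, and log the chosen ClientAuth mode at startup so the effective policy is visible. The local `disbaleTlsVerifyClientCert` is misspelled, and `caCertFile, err := os.ReadFile(caCertFile)` rebinds the path name to the file contents — `caCertData` would make the AppendCertsFromPEM line read correctly; `os` and the outer `err` assigned by pemfile.NewProvider are presumably declared above the hunk. The new ServeTLS branches log `e` rather than the `err` they just checked, copying the pattern of the lines they replace, so the error actually returned by Serve is presumably never printed. startFiler's body begins before this hunk.
```go
// GetCertificateWithUpdate returns the current server certificate from the
// auto-refreshing provider; used as tls.Config.GetCertificate.
func (fo *FilerOptions) GetCertificateWithUpdate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	km, err := fo.certProvider.KeyMaterial(context.Background())
	if err != nil {
		return nil, err
	}
	if km == nil || len(km.Certs) == 0 {
		return nil, fmt.Errorf("cert provider returned no server certificate")
	}
	return &km.Certs[0], nil
}
```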

11
weed/command/scaffold/security.toml

@ -94,19 +94,26 @@ allowed_commonNames = "" # comma-separated SSL certificate common names
[grpc.client] [grpc.client]
cert = "" cert = ""
key = "" key = ""
# volume server https options
# Note: work in progress! # Note: work in progress!
# this does not work with other clients, e.g., "weed filer|mount" etc, yet. # this does not work with other clients, e.g., "weed filer|mount" etc, yet.
[https.client] [https.client]
enabled = true enabled = true
# volume server https options
[https.volume] [https.volume]
cert = "" cert = ""
key = "" key = ""
ca = "" ca = ""
# master server https options
[https.master] [https.master]
cert = "" cert = ""
key = "" key = ""
ca = "" ca = ""
# filer server https options
[https.filer]
cert = ""
key = ""
ca = ""
# disable_tls_verify_client_cert = true|false (default: false)
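Review bot: The new [https.filer] block leaves the default client-certificate policy implicit: setting `key` switches the filer to HTTPS and, unless the flag is set, makes it require and verify client certificates against `ca`, so a reader who only fills in cert and key gets a server no plain client can talk to. A line such as `# when key is set the filer serves https and requires client certificates signed by ca unless disable_tls_verify_client_cert = true` above the flag would state the trade-off where the operator edits it.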