Added tls for http handlers (#5764)

* Added https handler for filer * Added example for security.toml
2025-09-23 07:33:34 +08:00 · 2024-07-11 18:53:18 +04:00
parent 2addcd1623
commit de60f383de
2 changed files with 80 additions and 14 deletions
--- a/weed/command/filer.go
+++ b/weed/command/filer.go
@@ -1,6 +1,9 @@
 package command
 import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
 	"net"
 	"net/http"
@@ -10,8 +13,6 @@ import (
 	"strings"
 	"time"
 	"google.golang.org/grpc/reflection"
 	"github.com/seaweedfs/seaweedfs/weed/filer"
 	"github.com/seaweedfs/seaweedfs/weed/glog"
 	"github.com/seaweedfs/seaweedfs/weed/pb"
@@ -20,6 +21,10 @@ import (
 	weed_server "github.com/seaweedfs/seaweedfs/weed/server"
 	stats_collect "github.com/seaweedfs/seaweedfs/weed/stats"
 	"github.com/seaweedfs/seaweedfs/weed/util"
 	"github.com/spf13/viper"
 	"google.golang.org/grpc/credentials/tls/certprovider"
 	"google.golang.org/grpc/credentials/tls/certprovider/pemfile"
 	"google.golang.org/grpc/reflection"
 )
 var (
@@ -63,6 +68,7 @@ type FilerOptions struct {
 	diskType                *string
 	allowedOrigins          *string
 	exposeDirectoryData     *bool
 	certProvider            certprovider.Provider
 }
 func init() {
@@ -220,6 +226,12 @@ func runFiler(cmd *Command, args []string) bool {
 	return true
 }
 // GetCertificateWithUpdate Auto refreshing TSL certificate
 func (fo *FilerOptions) GetCertificateWithUpdate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
 	certs, err := fo.certProvider.KeyMaterial(context.Background())
 	return &certs.Certs[0], err
 }
 func (fo *FilerOptions) startFiler() {
 	defaultMux := http.NewServeMux()
@@ -329,6 +341,53 @@ func (fo *FilerOptions) startFiler() {
 			httpS.Serve(filerSocketListener)
 		}()
 	}
 	if viper.GetString("https.filer.key") != "" {
 		certFile := viper.GetString("https.filer.cert")
 		keyFile := viper.GetString("https.filer.key")
 		caCertFile := viper.GetString("https.filer.ca")
 		disbaleTlsVerifyClientCert := viper.GetBool("https.filer.disable_tls_verify_client_cert")
 		pemfileOptions := pemfile.Options{
 			CertFile:        certFile,
 			KeyFile:         keyFile,
 			RefreshDuration: security.CredRefreshingInterval,
 		}
 		if fo.certProvider, err = pemfile.NewProvider(pemfileOptions); err != nil {
 			glog.Fatalf("pemfile.NewProvider(%v) failed: %v", pemfileOptions, err)
 		}
 		caCertPool := x509.NewCertPool()
 		if caCertFile != "" {
 			caCertFile, err := os.ReadFile(caCertFile)
 			if err != nil {
 				glog.Fatalf("error reading CA certificate: %v", err)
 			}
 			caCertPool.AppendCertsFromPEM(caCertFile)
 		}
 		clientAuth := tls.NoClientCert
 		if !disbaleTlsVerifyClientCert {
 			clientAuth = tls.RequireAndVerifyClientCert
 		}
 		httpS.TLSConfig = &tls.Config{
 			GetCertificate: fo.GetCertificateWithUpdate,
 			ClientAuth:     clientAuth,
 			ClientCAs:      caCertPool,
 		}
 		if filerLocalListener != nil {
 			go func() {
 				if err := httpS.ServeTLS(filerLocalListener, "", ""); err != nil {
 					glog.Errorf("Filer Fail to serve: %v", e)
 				}
 			}()
 		}
 		if err := httpS.ServeTLS(filerListener, "", ""); err != nil {
 			glog.Fatalf("Filer Fail to serve: %v", e)
 		}
 	} else {
 		if filerLocalListener != nil {
 			go func() {
 				if err := httpS.Serve(filerLocalListener); err != nil {
@@ -339,5 +398,5 @@ func (fo *FilerOptions) startFiler() {
 		if err := httpS.Serve(filerListener); err != nil {
 			glog.Fatalf("Filer Fail to serve: %v", e)
 		}
-
+	}
 }
--- a/weed/command/scaffold/security.toml
+++ b/weed/command/scaffold/security.toml
@@ -94,19 +94,26 @@ allowed_commonNames = ""    # comma-separated SSL certificate common names
 [grpc.client]
 cert = ""
 key = ""
 # volume server https options
 # Note: work in progress!
 #     this does not work with other clients, e.g., "weed filer|mount" etc, yet.
 [https.client]
 enabled = true
 # volume server https options
 [https.volume]
 cert = ""
 key = ""
 ca = ""
 # master server https options
 [https.master]
 cert = ""
 key = ""
 ca = ""
 # filer server https options
 [https.filer]
 cert = ""
 key = ""
 ca = ""
 # disable_tls_verify_client_cert = true|false (default: false)