Add mTLS support for both master and volume http server.
This commit is contained in:
parent
b5b97a4799
commit
9b14f0c81a
|
@ -1,23 +1,25 @@
|
||||||
package command
|
package command
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"github.com/chrislusf/raft/protobuf"
|
|
||||||
stats_collect "github.com/chrislusf/seaweedfs/weed/stats"
|
|
||||||
"github.com/gorilla/mux"
|
|
||||||
"google.golang.org/grpc/reflection"
|
|
||||||
"net/http"
|
"net/http"
|
||||||
"os"
|
"os"
|
||||||
"sort"
|
"sort"
|
||||||
"strings"
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
"github.com/chrislusf/raft/protobuf"
|
||||||
|
stats_collect "github.com/chrislusf/seaweedfs/weed/stats"
|
||||||
|
"github.com/gorilla/mux"
|
||||||
|
"github.com/spf13/viper"
|
||||||
|
"google.golang.org/grpc/reflection"
|
||||||
|
|
||||||
"github.com/chrislusf/seaweedfs/weed/util/grace"
|
"github.com/chrislusf/seaweedfs/weed/util/grace"
|
||||||
|
|
||||||
"github.com/chrislusf/seaweedfs/weed/glog"
|
"github.com/chrislusf/seaweedfs/weed/glog"
|
||||||
"github.com/chrislusf/seaweedfs/weed/pb"
|
"github.com/chrislusf/seaweedfs/weed/pb"
|
||||||
"github.com/chrislusf/seaweedfs/weed/pb/master_pb"
|
"github.com/chrislusf/seaweedfs/weed/pb/master_pb"
|
||||||
"github.com/chrislusf/seaweedfs/weed/security"
|
"github.com/chrislusf/seaweedfs/weed/security"
|
||||||
"github.com/chrislusf/seaweedfs/weed/server"
|
weed_server "github.com/chrislusf/seaweedfs/weed/server"
|
||||||
"github.com/chrislusf/seaweedfs/weed/storage/backend"
|
"github.com/chrislusf/seaweedfs/weed/storage/backend"
|
||||||
"github.com/chrislusf/seaweedfs/weed/util"
|
"github.com/chrislusf/seaweedfs/weed/util"
|
||||||
)
|
)
|
||||||
|
@ -138,6 +140,7 @@ func startMaster(masterOption MasterOptions, masterWhiteList []string) {
|
||||||
if e != nil {
|
if e != nil {
|
||||||
glog.Fatalf("Master startup error: %v", e)
|
glog.Fatalf("Master startup error: %v", e)
|
||||||
}
|
}
|
||||||
|
|
||||||
// start raftServer
|
// start raftServer
|
||||||
raftServerOption := &weed_server.RaftServerOption{
|
raftServerOption := &weed_server.RaftServerOption{
|
||||||
GrpcDialOption: security.LoadClientTLS(util.GetViper(), "grpc.master"),
|
GrpcDialOption: security.LoadClientTLS(util.GetViper(), "grpc.master"),
|
||||||
|
@ -183,11 +186,39 @@ func startMaster(masterOption MasterOptions, masterWhiteList []string) {
|
||||||
go ms.MasterClient.KeepConnectedToMaster()
|
go ms.MasterClient.KeepConnectedToMaster()
|
||||||
|
|
||||||
// start http server
|
// start http server
|
||||||
|
var (
|
||||||
|
clientCertFile,
|
||||||
|
certFile,
|
||||||
|
keyFile string
|
||||||
|
)
|
||||||
|
useTLS := false
|
||||||
|
useMTLS := false
|
||||||
|
|
||||||
|
if viper.GetString("https.master.key") != "" {
|
||||||
|
useTLS = true
|
||||||
|
certFile = viper.GetString("https.master.cert")
|
||||||
|
keyFile = viper.GetString("https.master.key")
|
||||||
|
}
|
||||||
|
|
||||||
|
if viper.GetString("https.master.ca") != "" {
|
||||||
|
useMTLS = true
|
||||||
|
clientCertFile = viper.GetString("https.master.ca")
|
||||||
|
}
|
||||||
|
|
||||||
httpS := &http.Server{Handler: r}
|
httpS := &http.Server{Handler: r}
|
||||||
if masterLocalListner != nil {
|
if masterLocalListner != nil {
|
||||||
go httpS.Serve(masterLocalListner)
|
go httpS.Serve(masterLocalListner)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if useMTLS {
|
||||||
|
httpS.TLSConfig = security.LoadClientTLSHTTP(clientCertFile)
|
||||||
|
}
|
||||||
|
|
||||||
|
if useTLS {
|
||||||
|
go httpS.ServeTLS(masterListener, certFile, keyFile)
|
||||||
|
} else {
|
||||||
go httpS.Serve(masterListener)
|
go httpS.Serve(masterListener)
|
||||||
|
}
|
||||||
|
|
||||||
select {}
|
select {}
|
||||||
}
|
}
|
||||||
|
|
|
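Review bot: When `https.master.ca` is set but `https.master.key` is not, `useMTLS` is true and `httpS.TLSConfig` is populated with a `RequireAndVerifyClientCert` config, yet the `else` branch still runs `go httpS.Serve(masterListener)` in plain HTTP, so the configured client-certificate requirement is silently not enforced. Startup should refuse that combination, e.g. before the `httpS := &http.Server{Handler: r}` line: `if useMTLS && !useTLS { glog.Fatalf("https.master.ca requires https.master.cert and https.master.key") }`. The error returned by `httpS.ServeTLS` (an unreadable cert or key file, for instance) is also dropped inside the goroutine, matching the existing `Serve` call; logging it the way the other startup errors in this function are logged would make a misconfigured TLS listener visible instead of leaving the master running without its public listener. startMaster begins outside the hunk.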
@ -83,7 +83,13 @@ key = ""
|
||||||
# this does not work with other clients, e.g., "weed filer|mount" etc, yet.
|
# this does not work with other clients, e.g., "weed filer|mount" etc, yet.
|
||||||
[https.client]
|
[https.client]
|
||||||
enabled = true
|
enabled = true
|
||||||
|
|
||||||
[https.volume]
|
[https.volume]
|
||||||
cert = ""
|
cert = ""
|
||||||
key = ""
|
key = ""
|
||||||
|
ca = ""
|
||||||
|
|
||||||
|
[https.master]
|
||||||
|
cert = ""
|
||||||
|
key = ""
|
||||||
|
ca = ""
|
||||||
|
|
|
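Review bot: The new `ca` keys under `[https.volume]` and `[https.master]` carry no explanation, so a reader of the template cannot tell that setting one switches the HTTP server to requiring and verifying a client certificate against that CA bundle. Add a comment above each `ca = ""` line, e.g. `# PEM CA bundle used to verify client certificates; when set, every client must present a certificate signed by it`, and for `[https.master]` state that `cert` and `key` must also be set for `ca` to take effect. Since `[https.master]` is a new section, a one-line heading comment saying it configures the master's HTTP listener (as opposed to the gRPC settings elsewhere in this file) would also help.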
@ -2,7 +2,6 @@ package command
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"github.com/chrislusf/seaweedfs/weed/storage/types"
|
|
||||||
"net/http"
|
"net/http"
|
||||||
httppprof "net/http/pprof"
|
httppprof "net/http/pprof"
|
||||||
"os"
|
"os"
|
||||||
|
@ -11,6 +10,8 @@ import (
|
||||||
"strings"
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
"github.com/chrislusf/seaweedfs/weed/storage/types"
|
||||||
|
|
||||||
"github.com/spf13/viper"
|
"github.com/spf13/viper"
|
||||||
"google.golang.org/grpc"
|
"google.golang.org/grpc"
|
||||||
|
|
||||||
|
@ -24,7 +25,7 @@ import (
|
||||||
|
|
||||||
"github.com/chrislusf/seaweedfs/weed/glog"
|
"github.com/chrislusf/seaweedfs/weed/glog"
|
||||||
"github.com/chrislusf/seaweedfs/weed/pb/volume_server_pb"
|
"github.com/chrislusf/seaweedfs/weed/pb/volume_server_pb"
|
||||||
"github.com/chrislusf/seaweedfs/weed/server"
|
weed_server "github.com/chrislusf/seaweedfs/weed/server"
|
||||||
stats_collect "github.com/chrislusf/seaweedfs/weed/stats"
|
stats_collect "github.com/chrislusf/seaweedfs/weed/stats"
|
||||||
"github.com/chrislusf/seaweedfs/weed/storage"
|
"github.com/chrislusf/seaweedfs/weed/storage"
|
||||||
"github.com/chrislusf/seaweedfs/weed/util"
|
"github.com/chrislusf/seaweedfs/weed/util"
|
||||||
|
@ -371,7 +372,14 @@ func (v VolumeServerOptions) startClusterHttpService(handler http.Handler) httpd
|
||||||
StopTimeout: 30 * time.Second,
|
StopTimeout: 30 * time.Second,
|
||||||
CertFile: certFile,
|
CertFile: certFile,
|
||||||
KeyFile: keyFile}
|
KeyFile: keyFile}
|
||||||
clusterHttpServer := httpDown.Serve(&http.Server{Handler: handler}, listener)
|
httpS := &http.Server{Handler: handler}
|
||||||
|
|
||||||
|
if viper.GetString("https.volume.ca") != "" {
|
||||||
|
clientCertFile := viper.GetString("https.volume.ca")
|
||||||
|
httpS.TLSConfig = security.LoadClientTLSHTTP(clientCertFile)
|
||||||
|
}
|
||||||
|
|
||||||
|
clusterHttpServer := httpDown.Serve(httpS, listener)
|
||||||
go func() {
|
go func() {
|
||||||
if e := clusterHttpServer.Wait(); e != nil {
|
if e := clusterHttpServer.Wait(); e != nil {
|
||||||
glog.Fatalf("Volume server fail to serve: %v", e)
|
glog.Fatalf("Volume server fail to serve: %v", e)
|
||||||
|
|
|
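Review bot: `httpS.TLSConfig` is set to a `RequireAndVerifyClientCert` config whenever `https.volume.ca` is non-empty, but whether that config is ever used depends on `httpDown.Serve` taking the TLS path, which — judging by the `CertFile`/`KeyFile` fields passed above — presumably happens only when a cert and key are configured; with `ca` alone the volume server would serve plain HTTP and the client-certificate requirement would be silently skipped. A guard such as `if certFile == "" || keyFile == "" { glog.Fatalf("https.volume.ca requires https.volume.cert and https.volume.key") }` inside the new `if` block would fail fast on that misconfiguration. Note also that `security.LoadClientTLSHTTP` exits the process via `glog.Fatal` on an unreadable or unparsable CA file, so this method can now terminate the server during startup; that matches the `glog.Fatalf` in the goroutine below, but a short comment on the call would make it explicit. `startClusterHttpService` starts outside the hunk.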
@ -4,6 +4,7 @@ import (
|
||||||
"context"
|
"context"
|
||||||
"crypto/tls"
|
"crypto/tls"
|
||||||
"crypto/x509"
|
"crypto/x509"
|
||||||
|
"io/ioutil"
|
||||||
"os"
|
"os"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
|
@ -98,6 +99,23 @@ func LoadClientTLS(config *util.ViperProxy, component string) grpc.DialOption {
|
||||||
return grpc.WithTransportCredentials(ta)
|
return grpc.WithTransportCredentials(ta)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func LoadClientTLSHTTP(clientCertFile string) *tls.Config {
|
||||||
|
clientCerts, err := ioutil.ReadFile(clientCertFile)
|
||||||
|
if err != nil {
|
||||||
|
glog.Fatal(err)
|
||||||
|
}
|
||||||
|
certPool := x509.NewCertPool()
|
||||||
|
ok := certPool.AppendCertsFromPEM(clientCerts)
|
||||||
|
if !ok {
|
||||||
|
glog.Fatalf("Error processing client certificate in %s\n", clientCertFile)
|
||||||
|
}
|
||||||
|
|
||||||
|
return &tls.Config{
|
||||||
|
ClientCAs: certPool,
|
||||||
|
ClientAuth: tls.RequireAndVerifyClientCert,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func (a Authenticator) Authenticate(ctx context.Context) (newCtx context.Context, err error) {
|
func (a Authenticator) Authenticate(ctx context.Context) (newCtx context.Context, err error) {
|
||||||
p, ok := peer.FromContext(ctx)
|
p, ok := peer.FromContext(ctx)
|
||||||
if !ok {
|
if !ok {
|
||||||
|
|
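Review bot: `LoadClientTLSHTTP` is exported but has no doc comment, and its parameter name `clientCertFile` is misleading: the file is loaded into `ClientCAs`, so it is the CA bundle used to verify client certificates, not a client certificate. Suggest renaming the parameter to `clientCAFile` and adding `// LoadClientTLSHTTP builds a server-side tls.Config that requires and verifies client certificates against the PEM CA bundle in clientCAFile. It exits the process via glog.Fatal if the file cannot be read or contains no certificates.` The returned config also sets no `MinVersion`; a server config that already mandates client certificates should pin `MinVersion: tls.VersionTLS12,` next to `ClientAuth` rather than accept the library default. Since this is a library package, returning an error instead of calling `glog.Fatal` would let the master and volume callers decide how to fail, though the existing `LoadClientTLS` above may already follow the fatal style.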