Add Authentication with Filer block

Amazon-S3-API.md

@@ -85,7 +85,7 @@ This is not so ideal. Another approach is to list current directory when deletin
 
 The last approach, which is most efficient, is to maintain counters for each folder, and drop the folder as soon as it becomes empty. This is implemented in [[Cloud Monitoring]].
 
-# Authentication
+# S3 Authentication
 By default, the access key and secret key to access `weed s3` is not authenticated. To enable credential based access, you can choose static or dynamic configuration:
 * **Dynamic Configuration**: setup auth with `s3.configure` in `weed shell`
 * **Static Configuration**: create a config.json file similar to the example below, and specify it via `weed s3 -config=config.json`
@@ -223,3 +223,19 @@ Usually you would also want to have multiple filers. The easiest way is to run f
   weed filer -s3
 
 ```
+
+# Authentication with Filer
+
+You can use mTLS for the gRPC connection between S3-API-Proxy and the filer, as
+explained in [[Security-Configuration]] -
+controlled by the `grpc.*` configuration in `security.toml`.
+
+**Starting with version 2.84, it is also possible to authenticate the HTTP
+operations between the S3-API-Proxy and the Filer (especially
+uploading new files).** This is configured by setting
+`jwt.filer_signing.key` and `jwt.filer_signing.read.key` in
+`security.toml`.
+
+With both configurations (gRPC and JWT), it is possible to have Filer
+and S3 communicate in fully authenticated fashion; so Filer will reject
+any unauthenticated communication.