Created Security Configuration (markdown)

2024-01-19 02:48:24 +00:00 · 2019-02-19 21:01:53 -08:00 · 2019-02-19 21:01:53 -08:00 · 7004dc290d
parent 322b48b5a4
commit 7004dc290d
1 changed files with 91 additions and 0 deletions
--- a/Security-Configuration.md
+++ b/Security-Configuration.md
@ -0,0 +1,91 @@
+
+
+The first step is generating `security.toml` file via `weed scaffold -config=security`:
+
+```
+$ weed scaffold -config=security
+
+# Put this file to one of the location, with descending priority
+#    ./security.toml
+#    $HOME/.seaweedfs/security.toml
+#    /etc/seaweedfs/security.toml
+# this file is read by master, volume server, and filer
+
+# the jwt signing key is read by master and volume server
+# a jwt expires in 10 seconds
+[jwt.signing]
+key = ""
+
+# volume server also uses grpc that should be secured.
+
+# all grpc tls authentications are mutual
+[grpc]
+ca = ""
+
+[grpc.volume]
+cert = ""
+key = ""
+
+[grpc.master]
+cert = ""
+key = ""
+
+[grpc.filer]
+cert = ""
+key = ""
+
+# use this for any place needs a grpc client
+# i.e., "weed backup|benchmark|filer.copy|filer.replicate|mount|s3|upload"
+[grpc.client]
+cert = ""
+key = ""
+
+```
+
+The following command is what I used to generate the private key and certificate files, using https://github.com/square/certstrap , or just `go get github.com/square/certstrap`
+
+```
+certstrap init --common-name "SeaweedFS CA"
+certstrap request-cert --common-name volume01
+certstrap request-cert --common-name master01
+certstrap request-cert --common-name filer01
+certstrap request-cert --common-name client01
+certstrap sign --CA "SeaweedFS CA" volume01
+certstrap sign --CA "SeaweedFS CA" master01
+certstrap sign --CA "SeaweedFS CA" filer01
+certstrap sign --CA "SeaweedFS CA" client01
+```
+
+Here is my `security.toml` file content:
+```
+
+# Put this file to one of the location, with descending priority
+#    ./security.toml
+#    $HOME/.seaweedfs/security.toml
+#    /etc/seaweedfs/security.toml
+
+[jwt.signing]
+key = "blahblahblahblah"
+
+# all grpc tls authentications are mutual 
+[grpc]
+ca = "/Users/chris/.seaweedfs/out/SeaweedFS_CA.crt"
+
+[grpc.volume]
+cert = "/Users/chris/.seaweedfs/out/volume01.crt"
+key  = "/Users/chris/.seaweedfs/out/volume01.key"
+
+[grpc.master]
+cert = "/Users/chris/.seaweedfs/out/master01.crt"
+key  = "/Users/chris/.seaweedfs/out/master01.key"
+
+[grpc.filer]
+cert = "/Users/chris/.seaweedfs/out/filer01.crt"
+key  = "/Users/chris/.seaweedfs/out/filer01.key"
+
+[grpc.client]
+cert = "/Users/chris/.seaweedfs/out/client01.crt"
+key  = "/Users/chris/.seaweedfs/out/client01.key"
+
+
+```