SeaweedFS安全配置（Security Configuration）

详细配置参考：

Security - Security Configuration - 《SeaweedFS Wiki》 - 书栈网 · BookStack

生产配置文件：security.toml

 weed scaffold -config=security > security.toml

1、获取certstrap

1.1 方式一：

go get github.com/square/certstrap

go 安装命令

yum install golang -y

1.2 方式二：

git clone https://github.com/square/certstrap

git 安装命令

yum install git -y

构建操作

cd certstrap/
go build

设置代理，可以访问到国内资源。

go env -w GOPROXY=https://goproxy.cn,direct

密码配置为：#eY79Db

2、生成秘钥

/certstrap/certstrap init --common-name "SeaweedFS CA"

/certstrap/certstrap request-cert --common-name master
/certstrap/certstrap request-cert --common-name volume

/certstrap/certstrap sign --CA "SeaweedFS CA" master
/certstrap/certstrap sign --CA "SeaweedFS CA" volume

修改配置文件：security.toml

# Put this file to one of the location, with descending priority
#    ./security.toml
#    $HOME/.seaweedfs/security.toml
#    /etc/seaweedfs/security.toml
# this file is read by master, volume server, and filer

# this jwt signing key is read by master and volume server, and it is used for write operations:
# - the Master server generates the JWT, which can be used to write a certain file on a volume server
# - the Volume server validates the JWT on writing
# the jwt defaults to expire after 10 seconds.
[jwt.signing]
key = "m#09Yn"
expires_after_seconds = 300           # seconds

# by default, if the signing key above is set, the Volume UI over HTTP is disabled.
# by setting ui.access to true, you can re-enable the Volume UI. Despite
# some information leakage (as the UI is not authenticated), this should not
# pose a security risk.
[access]
ui = false

# this jwt signing key is read by master and volume server, and it is used for read operations:
# - the Master server generates the JWT, which can be used to read a certain file on a volume server
# - the Volume server validates the JWT on reading
# NOTE: jwt for read is only supported with master+volume setup. Filer does not support this mode.
[jwt.signing.read]
key = "m#09Yn"
expires_after_seconds = 300           # seconds

# If this JWT key is configured, Filer only accepts writes over HTTP if they are signed with this JWT:
# - f.e. the S3 API Shim generates the JWT
# - the Filer server validates the JWT on writing
# the jwt defaults to expire after 10 seconds.
[jwt.filer_signing]
key = ""
expires_after_seconds = 10           # seconds

# If this JWT key is configured, Filer only accepts reads over HTTP if they are signed with this JWT:
# - f.e. the S3 API Shim generates the JWT
# - the Filer server validates the JWT on writing
# the jwt defaults to expire after 10 seconds.
[jwt.filer_signing.read]
key = ""
expires_after_seconds = 10           # seconds

# all grpc tls authentications are mutual
# the values for the following ca, cert, and key are paths to the PERM files.
# the host name is not checked, so the PERM files can be shared.
[grpc]
ca = "/opt/seaweedfs/out/SeaweedFS_CA.crt"
# Set wildcard domain for enable TLS authentication by common names
allowed_wildcard_domain = "" # .mycompany.com

[grpc.volume]
cert = "/opt/seaweedfs/out/volume.crt"
key = "/opt/seaweedfs/out/volume.key"
allowed_commonNames = ""    # comma-separated SSL certificate common names

[grpc.master]
cert = "/opt/seaweedfs/out/master.crt"
key = "/opt/seaweedfs/out/master.key"
allowed_commonNames = ""    # comma-separated SSL certificate common names

[grpc.filer]
cert = "/opt/seaweedfs/out/filer.crt"
key = "/opt/seaweedfs/out/filer.key"
allowed_commonNames = ""    # comma-separated SSL certificate common names

[grpc.msg_broker]
cert = ""
key = ""
allowed_commonNames = ""    # comma-separated SSL certificate common names

# use this for any place needs a grpc client
# i.e., "weed backup|benchmark|filer.copy|filer.replicate|mount|s3|upload"
[grpc.client]
cert = "/opt/seaweedfs/out/client.crt"
key = "/opt/seaweedfs/out/client.key"

# volume server https options
# Note: work in progress!
#     this does not work with other clients, e.g., "weed filer|mount" etc, yet.
[https.client]
enabled = true

[https.volume]
cert = ""
key = ""
ca = ""

[https.master]
cert = ""
key = ""
ca = ""