authorBerck Nash <berck@cloudflare.com>2022-03-14 17:22:52 -0600
committerBerck Nash <berck@cloudflare.com>2022-03-16 09:52:17 -0600
commit9b14f0c81a9348ccb8a79ffcf9cdbc7033d00fac (patch)
tree416bd650c36851ed7603c74bc86308a24f214221 /weed/security/tls.go
parentb5b97a4799e1929bb22d816aca450ea18f7ec08e (diff)
downloadseaweedfs-9b14f0c81a9348ccb8a79ffcf9cdbc7033d00fac.tar.xz
seaweedfs-9b14f0c81a9348ccb8a79ffcf9cdbc7033d00fac.zip
Add mTLS support for both master and volume http server.
Diffstat (limited to 'weed/security/tls.go')
-rw-r--r--weed/security/tls.go18
1 files changed, 18 insertions, 0 deletions
diff --git a/weed/security/tls.go b/weed/security/tls.go
index 2f01af1e7..79552c026 100644
--- a/weed/security/tls.go
+++ b/weed/security/tls.go
@@ -4,6 +4,7 @@ import (
"context"
"crypto/tls"
"crypto/x509"
+ "io/ioutil"
"os"
"strings"
@@ -98,6 +99,23 @@ func LoadClientTLS(config *util.ViperProxy, component string) grpc.DialOption {
return grpc.WithTransportCredentials(ta)
}
+func LoadClientTLSHTTP(clientCertFile string) *tls.Config {
+ clientCerts, err := ioutil.ReadFile(clientCertFile)
+ if err != nil {
+ glog.Fatal(err)
+ }
+ certPool := x509.NewCertPool()
+ ok := certPool.AppendCertsFromPEM(clientCerts)
+ if !ok {
+ glog.Fatalf("Error processing client certificate in %s\n", clientCertFile)
+ }
+
+ return &tls.Config{
+ ClientCAs: certPool,
+ ClientAuth: tls.RequireAndVerifyClientCert,
+ }
+}
+
func (a Authenticator) Authenticate(ctx context.Context) (newCtx context.Context, err error) {
p, ok := peer.FromContext(ctx)
if !ok {
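Review bot: The `tls.Config` returned at L43-46 is a server-side config (`ClientCAs` plus `RequireAndVerifyClientCert`), and the PEM read from `clientCertFile` is used as the CA pool that presented client certificates are verified against, so the name `LoadClientTLSHTTP` and the parameter name read as if this were a client-side config; a doc comment should make that explicit, e.g. `// LoadClientTLSHTTP returns a server-side tls.Config that requires client certificates and verifies them against the CA certificate(s) in the PEM file clientCertFile; it exits via glog.Fatal if the file cannot be read or contains no usable certificate.` The config also leaves `MinVersion` unset, so the HTTP server will accept whatever the Go default permits for servers (TLS 1.0 in Go releases of this period); an mTLS endpoint should pin `MinVersion: tls.VersionTLS12,` alongside `ClientAuth`. As a style point, `ioutil.ReadFile` has been a thin wrapper over `os.ReadFile` since Go 1.16 and `os` is already imported at L27, so the new `io/ioutil` import in the first hunk can be avoided. Note that unlike `LoadClientTLS` directly above, which presumably returns something callers can inspect, this helper aborts the process on any error rather than returning one — fine for startup code, but worth stating in the comment so it is not called from a request path.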