2 files changed, 20 insertions, 4 deletions

diff --git a/weed/command/scaffold.go b/weed/command/scaffold.go
index cb0a726ce..9e45d7381 100644
--- a/weed/command/scaffold.go
+++ b/weed/command/scaffold.go
@@ -255,8 +255,6 @@ directory = "/"                # destination directory
 [jwt.signing]
 key = ""
 
-# volume server also uses grpc that should be secured.
-
 # all grpc tls authentications are mutual
 # the values for the following ca, cert, and key are paths to the PERM files.
 [grpc]
@@ -280,5 +278,16 @@ key  = ""
 cert = ""
 key  = ""
 
+
+# volume server https options
+# Note: work in progress!
+#     this does not work with other clients, e.g., "weed filer|mount" etc, yet.
+[https.client]
+enabled = true
+[https.volume]
+cert = ""
+key  = ""
+
+
 `
 )
diff --git a/weed/command/volume.go b/weed/command/volume.go
index 32ec7819b..2ee6bb11a 100644
--- a/weed/command/volume.go
+++ b/weed/command/volume.go
@@ -195,8 +195,15 @@ func (v VolumeServerOptions) startVolumeServer(volumeFolders, maxVolumeCounts, v
 	reflection.Register(grpcS)
 	go grpcS.Serve(grpcL)
 
-	if e := http.Serve(listener, volumeMux); e != nil {
-		glog.Fatalf("Volume server fail to serve: %v", e)
+	if viper.GetString("https.volume.key") != "" {
+		if e := http.ServeTLS(listener, volumeMux,
+			viper.GetString("https.volume.cert"), viper.GetString("https.volume.key")); e != nil {
+			glog.Fatalf("Volume server fail to serve: %v", e)
+		}
+	} else {
+		if e := http.Serve(listener, volumeMux); e != nil {
+			glog.Fatalf("Volume server fail to serve: %v", e)
+		}
 	}
 
 }