optional https port for s3 #4482
glog.V(0).Infof("Start Seaweed S3 API Server %s at https port %d", util.Version(), *s3opt.port) | ||
if s3ApiLocalListener != nil { | ||
if *s3opt.portHttps == 0 { | ||
glog.V(0).Infof("Start Seaweed S3 API Server %s at https port %d", util.Version(), *s3opt.port) |
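Review bot: the scheme in this startup message is a hard-coded literal, so in the `*s3opt.portHttps == 0` branch nothing ties the word "https" to the listener that is actually opened on `*s3opt.port`. Add a one-line comment here stating that this branch serves TLS on the main port, and make sure the separate-port case logs `*s3opt.portHttps` rather than `*s3opt.port`, because operators read this line to confirm which port is encrypted.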
the message should be "http port"?
No. Should be http because this message is in the block where the TLS key exists.
glog.V(0).Infof("Start Seaweed S3 API Server %s at https port %d", util.Version(), *s3opt.port) | |
glog.V(0).Infof("Start Seaweed S3 API Server %s at http port %d", util.Version(), *s3opt.port) |
@chrislusf I didn’t successfully name the variable portHttps, but if it differs from 0 to zero, it means you need to run TLS on a separate port and in this code block only TLS is always started, so the message will always be https
logging on start
I0525 10:51:35.310073 s3.go:263 Start Seaweed S3 API Server 30GB 3.51 8e59d8fec at https port 443
I0525 10:51:35.310119 s3.go:281 Start Seaweed S3 API Server 30GB 3.51 8e59d8fec at http port 8080
@chrislusf Hey, is this getting better?
} | ||
} else { | ||
} | ||
if *s3opt.tlsPrivateKey == "" || *s3opt.portHttps > 0 { |
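Review bot: the condition `*s3opt.tlsPrivateKey == "" || *s3opt.portHttps > 0` needs a comment, because its second operand means that setting an https port also opens the main port without TLS even when a key is configured. State that in a comment on this line and in the help text of the new flag, so that someone who adds the https port to a TLS-only setup knows the main port becomes plaintext. The case where `portHttps > 0` and `tlsPrivateKey` is empty also satisfies this condition; consider rejecting that combination at startup instead of serving only plain HTTP.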
not sure what is the intent here
not sure what is the intent here
@chrislusf The general idea is to run the s3 http server simultaneously on http and https different ports, while remaining backwards compatible when using a common port for http + TLS
Accordingly, this line allows you to start an http server without TLS on the "main" port, when TLS is already running on another https port
Did you see this comment ?
@chrislusf ping
comments were not addressed yet.
Ok. translated into resolved.
They are marked as resolved. but no actual changes made.
# Conflicts: # weed/command/s3.go
@chrislusf How about a separate TLS port ?
I suspect you did not see my comments which were marked as resolved.
try finish
It looks like I created a review and until I finished it all the messages were in the pending status
#4482 Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co>
What problem are we solving?
In Kubernetes, traffic can be delivered through ingress, which itself allows you to do TLS, and through the internal k8s service directly to the s3 api application, and I would like to have additional https with TLS.
It will also help to encrypt traffic if it does not need to be sent past the ingress #4479
How are we solving the problem?
optional https port for s3 api
How is the PR tested?
local with param
-s3.port=8333 -s3.port.https=8433 -s3.key.file=/usr/local/share/ca-certificates/tls.key -s3.cert.file=/usr/local/share/ca-certificates/tls.crt
local with param
-s3.port=8333 -s3.key.file=/usr/local/share/ca-certificates/tls.key -s3.cert.file=/usr/local/share/ca-certificates/tls.crt
local with param
-s3.port=8333
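The three flag sets above, run through a small model of the listener selection discussed in the review, to show which ports end up accepting plaintext. This is an added example, not SeaweedFS code: `planListeners`, `plaintextPorts`, the `Listener` type and the error for an https port without a key are assumptions made for illustration.

```go
package main

import "fmt"

type Listener struct {
	Port int
	TLS  bool
}

// planListeners models the conditions quoted in the review; it is not SeaweedFS
// code. Rejecting an https port that has no key is an assumed guard.
func planListeners(port, portHTTPS int, keyFile string) ([]Listener, error) {
	if portHTTPS > 0 && keyFile == "" {
		return nil, fmt.Errorf("https port %d set without a TLS key", portHTTPS)
	}
	var out []Listener
	if keyFile != "" {
		tlsPort := port // backwards compatible: TLS on the main port
		if portHTTPS > 0 {
			tlsPort = portHTTPS
		}
		out = append(out, Listener{Port: tlsPort, TLS: true})
	}
	// Mirrors: if *s3opt.tlsPrivateKey == "" || *s3opt.portHttps > 0
	if keyFile == "" || portHTTPS > 0 {
		out = append(out, Listener{Port: port, TLS: false})
	}
	return out, nil
}

// plaintextPorts returns the ports that would accept unencrypted traffic.
func plaintextPorts(ls []Listener) []int {
	var ports []int
	for _, l := range ls {
		if !l.TLS {
			ports = append(ports, l.Port)
		}
	}
	return ports
}

func main() {
	key := "/usr/local/share/ca-certificates/tls.key" // path from the PR's test flags
	type cfg struct{ port, https int; key string }
	for _, c := range []cfg{{8333, 8433, key}, {8333, 0, key}, {8333, 0, ""}} {
		ls, err := planListeners(c.port, c.https, c.key)
		fmt.Println(ls, plaintextPorts(ls), err)
	}
}
```

Only the second flag set leaves no plaintext port; adding `-s3.port.https` to it turns port 8333 into a plain HTTP listener.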