optional https port for s3 #4482
Conversation
| glog.V(0).Infof("Start Seaweed S3 API Server %s at https port %d", util.Version(), *s3opt.port) | ||
| if s3ApiLocalListener != nil { | ||
| if *s3opt.portHttps == 0 { | ||
| glog.V(0).Infof("Start Seaweed S3 API Server %s at https port %d", util.Version(), *s3opt.port) |
There was a problem hiding this comment.
the message should be "http port"?
There was a problem hiding this comment.
No. Should be http because this message in blok with tls key exist.
There was a problem hiding this comment.
| glog.V(0).Infof("Start Seaweed S3 API Server %s at https port %d", util.Version(), *s3opt.port) | |
| glog.V(0).Infof("Start Seaweed S3 API Server %s at http port %d", util.Version(), *s3opt.port) |
There was a problem hiding this comment.
@chrislusf I didn’t successfully name the variable portHttps, but if it differs from 0 to zero, it means you need to run TLS on a separate port and in this code block only TLS is always started, so the message will always be https
logging on start
I0525 10:51:35.310073 s3.go:263 Start Seaweed S3 API Server 30GB 3.51 8e59d8fec at https port 443
I0525 10:51:35.310119 s3.go:281 Start Seaweed S3 API Server 30GB 3.51 8e59d8fec at http port 8080
|
@chrislusf Hey, is this getting better? |
| } | ||
| } else { | ||
| } | ||
| if *s3opt.tlsPrivateKey == "" || *s3opt.portHttps > 0 { |
There was a problem hiding this comment.
not sure what is the intent here
There was a problem hiding this comment.
not sure what is the intent here
@chrislusf The general idea is to run the s3 http server simultaneously on http and https different ports, while remaining backwards compatible when using a common port for http + TLS
Accordingly, this line allows you to start an http server without TLS on the "main" port, when TLS is already running on another https port
There was a problem hiding this comment.
Did you see this comment ?
|
@chrislusf ping |
comments were not addressed yet. |
Ok. translated into resolved. |
They are marked as resolved. but no actual changes made. |
# Conflicts: # weed/command/s3.go
|
@chrislusf How about a separate TLS port ? |
|
I suspect you did not see my comments which were marked as resolved. |
| glog.V(0).Infof("Start Seaweed S3 API Server %s at https port %d", util.Version(), *s3opt.port) | ||
| if s3ApiLocalListener != nil { | ||
| if *s3opt.portHttps == 0 { | ||
| glog.V(0).Infof("Start Seaweed S3 API Server %s at https port %d", util.Version(), *s3opt.port) |
There was a problem hiding this comment.
No. Should be http because this message in blok with tls key exist.
| } | ||
| } else { | ||
| } | ||
| if *s3opt.tlsPrivateKey == "" || *s3opt.portHttps > 0 { |
There was a problem hiding this comment.
not sure what is the intent here
@chrislusf The general idea is to run the s3 http server simultaneously on http and https different ports, while remaining backwards compatible when using a common port for http + TLS
Accordingly, this line allows you to start an http server without TLS on the "main" port, when TLS is already running on another https port
| glog.V(0).Infof("Start Seaweed S3 API Server %s at https port %d", util.Version(), *s3opt.port) | ||
| if s3ApiLocalListener != nil { | ||
| if *s3opt.portHttps == 0 { | ||
| glog.V(0).Infof("Start Seaweed S3 API Server %s at https port %d", util.Version(), *s3opt.port) |
There was a problem hiding this comment.
@chrislusf I didn’t successfully name the variable portHttps, but if it differs from 0 to zero, it means you need to run TLS on a separate port and in this code block only TLS is always started, so the message will always be https
logging on start
I0525 10:51:35.310073 s3.go:263 Start Seaweed S3 API Server 30GB 3.51 8e59d8fec at https port 443
I0525 10:51:35.310119 s3.go:281 Start Seaweed S3 API Server 30GB 3.51 8e59d8fec at http port 8080
| } | ||
| } else { | ||
| } | ||
| if *s3opt.tlsPrivateKey == "" || *s3opt.portHttps > 0 { |
There was a problem hiding this comment.
Did you see this comment ?
It looks like I created a review and until I finished it all the messages were in the pending status |
#4482 Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co>
Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co>
seaweedfs#4482 Co-authored-by: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.co>
What problem are we solving?
In kubernetes, traffic can be delivered through ingress, which itself allows you to do TLS and through the internal k8s service directly to the s3 api application and I would like to have additional https with TLS
It will also help to encrypt traffic if it not needs to be sent past the ingress #4479
How are we solving the problem?
optional https port for s3 api
How is the PR tested?
local with param
-s3.port=8333 -s3.port.https=8433 -s3.key.file=/usr/local/share/ca-certificates/tls.key -s3.cert.file=/usr/local/share/ca-certificates/tls.crtlocal with param
-s3.port=8333 -s3.key.file=/usr/local/share/ca-certificates/tls.key -s3.cert.file=/usr/local/share/ca-certificates/tls.crtlocal with param
-s3.port=8333Checks