Mirror of https://github.com/gaul/s3proxy
SSL support
Yann Defretin edited this page 2023-04-21 20:49:11 +02:00
S3Proxy supports SSL both with and without Docker.
You first need to configure a keystore holding your certificate and pass it to S3Proxy.
Create a keystore
To set up the keystore, run:
$ keytool -keystore keystore.jks -alias aws -genkey -keyalg RSA
Use *.s3.amazonaws.com as the CN if you wish to proxy access to Amazon S3 itself. Applications will reject the self-signed certificate unless you import it into the application's trust store. If the application is written in Java, you can do:
$ keytool -exportcert -keystore keystore.jks -alias aws -rfc > aws.crt
$ keytool -keystore $JAVA_HOME/jre/lib/security/cacerts -import -alias aws -file aws.crt -trustcacerts
SSL without Docker
S3Proxy can listen on HTTPS by setting the s3proxy.secure-endpoint property together with the keystore path and password. An example:
s3proxy.secure-endpoint=https://0.0.0.0:443
s3proxy.keystore-path=keystore.jks
s3proxy.keystore-password=password
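A preflight check for the properties above, added here as an example that is not part of S3Proxy: it reads the three properties from the file, rejects a non-https endpoint, a missing keystore or an empty password, warns when either file is world-readable (the properties file carries the keystore password in clear text), and offers two optional helpers that need keytool and openssl. The property names are the ones shown above; checking the keystore path relative to the current directory is an assumption about how the proxy is started.

```shell
#!/usr/bin/env bash
# Added example, not part of the S3Proxy project. Assumes the property names
# s3proxy.secure-endpoint, s3proxy.keystore-path and s3proxy.keystore-password;
# the keystore path is checked relative to the current directory (assumption).

# Read one property value from a Java-style properties file (last one wins).
prop() { sed -n "s/^$1=//p" "$2" | tail -n 1; }

# Return 0 when the file describes a usable HTTPS listener, 1 otherwise.
# Problems go to stderr; a world-readable file only gets a warning because
# the properties file holds the keystore password in clear text.
check_tls_config() {
  local conf="$1" endpoint path password ok=0 f
  [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
  endpoint=$(prop 's3proxy\.secure-endpoint' "$conf")
  path=$(prop 's3proxy\.keystore-path' "$conf")
  password=$(prop 's3proxy\.keystore-password' "$conf")
  case "$endpoint" in
    https://*) ;;
    *) echo "secure-endpoint must be an https:// URL (got '$endpoint')" >&2; ok=1 ;;
  esac
  if [ -z "$path" ] || [ ! -f "$path" ]; then
    echo "keystore-path '$path' does not exist" >&2; ok=1
  fi
  [ -n "$password" ] || { echo "keystore-password is empty" >&2; ok=1; }
  for f in "$conf" "$path"; do
    # column 8 of 'ls -l' is the "others read" bit on GNU and BSD ls
    [ -f "$f" ] && [ "$(ls -ld "$f" | cut -c8)" = "r" ] &&
      echo "warning: $f is world-readable" >&2
  done
  return "$ok"
}

# Confirm the keystore opens with the configured password and holds a private
# key entry (a trusted-cert-only keystore cannot terminate TLS). Needs keytool.
check_keystore_opens() {
  local conf="$1"
  keytool -list -keystore "$(prop 's3proxy\.keystore-path' "$conf")" \
          -storepass "$(prop 's3proxy\.keystore-password' "$conf")" 2>/dev/null \
    | grep -q 'PrivateKeyEntry'
}

# Show what a client sees from a running listener: subject and SANs. Modern
# clients match the host name against the SAN list, not only the CN.
probe_listener() {
  local host="$1" port="$2"
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -ext subjectAltName
}
```

Run it as `check_tls_config s3proxy.conf && check_keystore_opens s3proxy.conf` before starting the proxy, then `probe_listener localhost 443` once it is up.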
SSL with Docker
You need to configure the following environment variables: S3PROXY_SECURE_ENDPOINT, S3PROXY_KEYSTORE_PATH and S3PROXY_KEYSTORE_PASSWORD.
SSL with Kubernetes
You need to create or update the secret holding your S3Proxy configuration, for example:
apiVersion: v1
kind: Secret
metadata:
  name: s3proxy
  namespace: default
stringData:
  [...]
  S3PROXY_SECURE_ENDPOINT: "https://0.0.0.0:443"
  S3PROXY_KEYSTORE_PATH: "tls/keystore.jks"
  S3PROXY_KEYSTORE_PASSWORD: password
You also need to create a secret that will contain the keystore file:
kubectl create -n default secret generic s3proxy-keystore --from-file=keystore.jks -o yaml
Then you will have a deployment like this:
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: s3proxy
  namespace: default
  labels:
    app: s3proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: s3proxy
  template:
    metadata:
      labels:
        app: s3proxy
    spec:
      containers:
        - name: s3proxy
          image: gaul/s3proxy
          ports:
            - name: https
              containerPort: 443
          envFrom:
            - secretRef:
                name: s3proxy
          resources:
            requests:
              cpu: 1
              memory: "1Gi"
            limits:
              memory: "1Gi"
          volumeMounts:
            - name: keystore
              mountPath: /opt/s3proxy/tls
      volumes:
        - name: keystore
          secret:
            secretName: s3proxy-keystore
            items:
              - key: keystore.jks
                path: keystore.jks