123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123 |
- # Put this file to one of the location, with descending priority
- # ./security.toml
- # $HOME/.seaweedfs/security.toml
- # /etc/seaweedfs/security.toml
- # this file is read by master, volume server, and filer
- # comma separated origins allowed to make requests to the filer and s3 gateway.
- # enter in this format: https://domain.com, or http://localhost:port
- [cors.allowed_origins]
- values = "*"
- # this jwt signing key is read by master and volume server, and it is used for write operations:
- # - the Master server generates the JWT, which can be used to write a certain file on a volume server
- # - the Volume server validates the JWT on writing
- # the jwt defaults to expire after 10 seconds.
- [jwt.signing]
- key = ""
- expires_after_seconds = 10 # seconds
- # by default, if the signing key above is set, the Volume UI over HTTP is disabled.
- # by setting ui.access to true, you can re-enable the Volume UI. Despite
- # some information leakage (as the UI is not authenticated), this should not
- # pose a security risk.
- [access]
- ui = false
- # by default the filer UI is enabled. This can be a security risk if the filer is exposed to the public
- # and the JWT for reads is not set. If you don't want the public to have access to the objects in your
- # storage, and you haven't set the JWT for reads it is wise to disable access to directory metadata.
- # This disables access to the Filer UI, and will no longer return directory metadata in GET requests.
- [filer.expose_directory_metadata]
- enabled = true
- # this jwt signing key is read by master and volume server, and it is used for read operations:
- # - the Master server generates the JWT, which can be used to read a certain file on a volume server
- # - the Volume server validates the JWT on reading
- # NOTE: jwt for read is only supported with master+volume setup. Filer does not support this mode.
- [jwt.signing.read]
- key = ""
- expires_after_seconds = 10 # seconds
- # If this JWT key is configured, Filer only accepts writes over HTTP if they are signed with this JWT:
- # - f.e. the S3 API Shim generates the JWT
- # - the Filer server validates the JWT on writing
- # the jwt defaults to expire after 10 seconds.
- [jwt.filer_signing]
- key = ""
- expires_after_seconds = 10 # seconds
- # If this JWT key is configured, Filer only accepts reads over HTTP if they are signed with this JWT:
- # - f.e. the S3 API Shim generates the JWT
- # - the Filer server validates the JWT on writing
- # the jwt defaults to expire after 10 seconds.
- [jwt.filer_signing.read]
- key = ""
- expires_after_seconds = 10 # seconds
- # all grpc tls authentications are mutual
- # the values for the following ca, cert, and key are paths to the PERM files.
- # the host name is not checked, so the PERM files can be shared.
- [grpc]
- ca = ""
- # Set wildcard domain for enable TLS authentication by common names
- allowed_wildcard_domain = "" # .mycompany.com
- [grpc.volume]
- cert = ""
- key = ""
- allowed_commonNames = "" # comma-separated SSL certificate common names
- [grpc.master]
- cert = ""
- key = ""
- allowed_commonNames = "" # comma-separated SSL certificate common names
- [grpc.filer]
- cert = ""
- key = ""
- allowed_commonNames = "" # comma-separated SSL certificate common names
- [grpc.s3]
- cert = ""
- key = ""
- allowed_commonNames = "" # comma-separated SSL certificate common names
- [grpc.msg_broker]
- cert = ""
- key = ""
- allowed_commonNames = "" # comma-separated SSL certificate common names
- # use this for any place needs a grpc client
- # i.e., "weed backup|benchmark|filer.copy|filer.replicate|mount|s3|upload"
- [grpc.client]
- cert = ""
- key = ""
- # https client for master|volume|filer|etc connection
- # It is necessary that the parameters [https.volume]|[https.master]|[https.filer] are set
- [https.client]
- enabled = true
- cert = ""
- key = ""
- ca = ""
- # volume server https options
- [https.volume]
- cert = ""
- key = ""
- ca = ""
- # master server https options
- [https.master]
- cert = ""
- key = ""
- ca = ""
- # filer server https options
- [https.filer]
- cert = ""
- key = ""
- ca = ""
- # disable_tls_verify_client_cert = true|false (default: false)
|