security.toml 4.0 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123
  1. # Put this file to one of the location, with descending priority
  2. # ./security.toml
  3. # $HOME/.seaweedfs/security.toml
  4. # /etc/seaweedfs/security.toml
  5. # this file is read by master, volume server, and filer
  6. # comma separated origins allowed to make requests to the filer and s3 gateway.
  7. # enter in this format: https://domain.com, or http://localhost:port
  8. [cors.allowed_origins]
  9. values = "*"
  10. # this jwt signing key is read by master and volume server, and it is used for write operations:
  11. # - the Master server generates the JWT, which can be used to write a certain file on a volume server
  12. # - the Volume server validates the JWT on writing
  13. # the jwt defaults to expire after 10 seconds.
  14. [jwt.signing]
  15. key = ""
  16. expires_after_seconds = 10 # seconds
  17. # by default, if the signing key above is set, the Volume UI over HTTP is disabled.
  18. # by setting ui.access to true, you can re-enable the Volume UI. Despite
  19. # some information leakage (as the UI is not authenticated), this should not
  20. # pose a security risk.
  21. [access]
  22. ui = false
  23. # by default the filer UI is enabled. This can be a security risk if the filer is exposed to the public
  24. # and the JWT for reads is not set. If you don't want the public to have access to the objects in your
  25. # storage, and you haven't set the JWT for reads it is wise to disable access to directory metadata.
  26. # This disables access to the Filer UI, and will no longer return directory metadata in GET requests.
  27. [filer.expose_directory_metadata]
  28. enabled = true
  29. # this jwt signing key is read by master and volume server, and it is used for read operations:
  30. # - the Master server generates the JWT, which can be used to read a certain file on a volume server
  31. # - the Volume server validates the JWT on reading
  32. # NOTE: jwt for read is only supported with master+volume setup. Filer does not support this mode.
  33. [jwt.signing.read]
  34. key = ""
  35. expires_after_seconds = 10 # seconds
  36. # If this JWT key is configured, Filer only accepts writes over HTTP if they are signed with this JWT:
  37. # - f.e. the S3 API Shim generates the JWT
  38. # - the Filer server validates the JWT on writing
  39. # the jwt defaults to expire after 10 seconds.
  40. [jwt.filer_signing]
  41. key = ""
  42. expires_after_seconds = 10 # seconds
  43. # If this JWT key is configured, Filer only accepts reads over HTTP if they are signed with this JWT:
  44. # - f.e. the S3 API Shim generates the JWT
  45. # - the Filer server validates the JWT on writing
  46. # the jwt defaults to expire after 10 seconds.
  47. [jwt.filer_signing.read]
  48. key = ""
  49. expires_after_seconds = 10 # seconds
  50. # all grpc tls authentications are mutual
  51. # the values for the following ca, cert, and key are paths to the PERM files.
  52. # the host name is not checked, so the PERM files can be shared.
  53. [grpc]
  54. ca = ""
  55. # Set wildcard domain for enable TLS authentication by common names
  56. allowed_wildcard_domain = "" # .mycompany.com
  57. [grpc.volume]
  58. cert = ""
  59. key = ""
  60. allowed_commonNames = "" # comma-separated SSL certificate common names
  61. [grpc.master]
  62. cert = ""
  63. key = ""
  64. allowed_commonNames = "" # comma-separated SSL certificate common names
  65. [grpc.filer]
  66. cert = ""
  67. key = ""
  68. allowed_commonNames = "" # comma-separated SSL certificate common names
  69. [grpc.s3]
  70. cert = ""
  71. key = ""
  72. allowed_commonNames = "" # comma-separated SSL certificate common names
  73. [grpc.msg_broker]
  74. cert = ""
  75. key = ""
  76. allowed_commonNames = "" # comma-separated SSL certificate common names
  77. # use this for any place needs a grpc client
  78. # i.e., "weed backup|benchmark|filer.copy|filer.replicate|mount|s3|upload"
  79. [grpc.client]
  80. cert = ""
  81. key = ""
  82. # https client for master|volume|filer|etc connection
  83. # It is necessary that the parameters [https.volume]|[https.master]|[https.filer] are set
  84. [https.client]
  85. enabled = true
  86. cert = ""
  87. key = ""
  88. ca = ""
  89. # volume server https options
  90. [https.volume]
  91. cert = ""
  92. key = ""
  93. ca = ""
  94. # master server https options
  95. [https.master]
  96. cert = ""
  97. key = ""
  98. ca = ""
  99. # filer server https options
  100. [https.filer]
  101. cert = ""
  102. key = ""
  103. ca = ""
  104. # disable_tls_verify_client_cert = true|false (default: false)