10

使用TLS安全的访问MinIO服务

 3 years ago
source link: https://docs.min.io/cn/how-to-secure-access-to-minio-server-with-tls.html
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.

使用TLS安全的访问Minio服务

本文,我们讲介绍如何在Linux和Windows上配置Minio服务使用TLS。

1. 前提条件

2. 配置已存在的证书

如果你已经有私钥和公钥证书,你需要将它们拷贝到Minio的config/certs文件夹,分别取名为private.keypublic.crt

如果这个证书是被证书机构签发的,public.crt应该是服务器的证书,任何中间体的证书以及CA的根证书的级联。

3. 生成证书

Linux

Minio在Linux只支持使用PEM格式的key/certificate。

使用 Let's Encrypt

更多信息,请访问 这里

使用 generate_cert.go (self-signed certificate)

你需要下载 generate_cert.go,它是一个简单的go工具,可以生成自签名的证书,不过大多数情况下用着都是木有问题的。

generate_cert.go 已经提供了带有DNS和IP条目的SAN证书:

Copygo run generate_cert.go -ca --host "10.10.0.3"

使用 OpenSSL:

生成私钥:

Copyopenssl genrsa -out private.key 2048

生成自签名证书:

Copyopenssl req -new -x509 -days 3650 -key private.key -out public.crt -subj "/C=US/ST=state/L=location/O=organization/CN=domain"

Windows

Minio在Windows上只支持PEM格式的key/certificate,目前不支持PFX证书。

安装 GnuTLS

下载并解压GnuTLS

确保将解压后的binary路径加入到系统路径中。

Copysetx path "%path%;C:\Users\MyUser\Downloads\gnutls-3.4.9-w64\bin"

你可能需要重启powershell控制台来使其生效。

生成private.key

运行下面的命令来生成 private.key

Copycerttool.exe --generate-privkey --outfile private.key

生成public.crt

创建文件cert.cnf,填写必要信息来生成证书。

Copy# X.509 Certificate options
#
# DN options

# The organization of the subject.
organization = "Example Inc."

# The organizational unit of the subject.
#unit = "sleeping dept."

# The state of the certificate owner.
state = "Example"

# The country of the subject. Two letter code.
country = "EX"

# The common name of the certificate owner.
cn = "Sally Certowner"

# In how many days, counting from today, this certificate will expire.
expiration_days = 365

# X.509 v3 extensions

# DNS name(s) of the server
dns_name = "localhost"

# (Optional) Server IP address
ip_address = "127.0.0.1"

# Whether this certificate will be used for a TLS server
tls_www_server

# Whether this certificate will be used to encrypt data (needed
# in TLS RSA ciphersuites). Note that it is preferred to use different
# keys for encryption and signing.
encryption_key

生成公钥证书

Copycerttool.exe --generate-self-signed --load-privkey private.key --template cert.cnf --outfile public.crt

4. 安装第三方CAs

Minio可以配置成连接其它服务,不管是Minio节点还是像NATs、Redis这些。如果这些服务用的不是在已知证书机构注册的证书,你可以让Minio服务信任这些CA,怎么做呢,将这些证书放到Minio配置路径下(~/.minio/certs/CAs/ Linux 或者 C:\Users\<Username>\.minio\certs\CAs Windows).


report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK