March 2nd, 2017
Laure Vergeron
Using Scality S3 Server with SSL
Why enable SSL with Scality S3 Server?
Security is a hot topic!
Most modern services require SSL; disabling it can limit your options
If you’re backing up to a remote server, you probably want to be certain of its identity beforehand
It’s a fun thing to do
It’s super easy
A step by step deployment of Scality S3 Server with SSL
Deploying S3 Server
1) Install Docker for your distribution
2) Deploy S3 Server following our instructions for a file backend
3) Run a docker ps to find your S3 Server container’s id:
$> docker ps
CONTAINER ID   IMAGE              COMMAND                  CREATED       STATUS       PORTS                    NAMES
894aee038c5e   scality/s3server   "/usr/src/app/dock..."   3 weeks ago   Up 2 weeks   0.0.0.0:8000->8000/tcp   s3server
Generate SSL keys and certificates
1) Attach to your container using docker exec
$> docker exec -it 894aee038c5e bash
2) Generate a private key for your CSR
$> openssl genrsa -out ca.key 2048
.................+++
..........................................................................+++
e is 65537 (0x10001)
3) Generate a self-signed certificate for your local CA
$> openssl req -new -x509 -extensions v3_ca -key ca.key -out ca.crt -days 99999 -subj "/C=US/ST=Country/L=City/O=Organization/CN=scality.test"
Generate SSL keys and certificates
4) Generate a key for S3 Server
$> openssl genrsa -out test.key 2048
.................+++
..........................................................................+++
e is 65537 (0x10001)
5) Generate a CSR for S3 Server
$> openssl req -new -key test.key -out test.csr -subj "/C=US/ST=Country/L=City/O=Organization/CN=*.scality.test"
6) Generate a local CA-signed certificate for S3 Server
$> openssl x509 -req -in test.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out test.crt -days 99999 -sha256
Signature ok
subject=/C=US/ST=Country/L=City/O=Organization/CN=*.scality.test
Getting CA Private Key
Update S3 Server’s config.json
1) Add a certFilePaths section to the config.json in your container’s home:
[...]
        "allowFrom": ["127.0.0.1/8", "::1"]
    },
    "usEastBehavior": false,
    "certFilePaths": {
        "key": "./test.key",
        "cert": "./test.crt",
        "ca": "./ca.crt"
    }
}
2) Exit from your container and restart it
$> exit
$> docker restart s3server
Update your host config
1) Edit your /etc/hosts file to have a localhost line like:
127.0.0.1 localhost s3.scality.test
2) Copy the local CA from your container to your host (use your container’s id)
$> docker cp 894aee038c5e:/usr/src/app/ca.crt /root/ca.crt
You’re now ready to test your setup!
Testing Scality S3 Server with SSL
Sample test.js script
const AWS = require('aws-sdk');
const fs = require('fs');
const https = require('https');

const httpOptions = {
    agent: new https.Agent({
        // path on your host of the self-signed certificate
        ca: fs.readFileSync('./ca.crt', 'ascii'),
    }),
};

const s3 = new AWS.S3({
    httpOptions,
    accessKeyId: 'accessKey1',
    secretAccessKey: 'verySecretKey1',
    // The endpoint must be s3.scality.test, else SSL will not work
    endpoint: 'https://s3.scality.test:8000',
    sslEnabled: true,
    // With this setup, you must use path-style bucket access
    s3ForcePathStyle: true,
});

const bucket = 'cocoriko';

s3.createBucket({ Bucket: bucket }, err => {
    if (err) {
        return console.log('err createBucket', err);
    }
    return s3.deleteBucket({ Bucket: bucket }, err => {
        if (err) {
            return console.log('err deleteBucket', err);
        }
        return console.log('SSL is cool!');
    });
});
Run test.js
1) Using node, simply run
$> node test.js
2) If all goes well, your output should be
SSL is cool!
3) If you get an error, you probably missed a step. Please check out our detailed technical article for hints, and feel free to start a new topic on our forum to get help from the S3 Server community!
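To see why the endpoint in test.js has to be s3.scality.test, the following added example (not part of the original slides) runs Node's own hostname check, tls.checkServerIdentity, against a constructed certificate object that carries only the subject from step 5. The helper name endpointVerdicts and the list of candidate hosts are assumptions made for illustration.

```javascript
const tls = require('tls');

// Constructed stand-in for what socket.getPeerCertificate() returns for the
// certificate signed in step 6: a wildcard CN and no subjectAltName entries.
const serverCert = {
    subject: { C: 'US', ST: 'Country', L: 'City', O: 'Organization', CN: '*.scality.test' },
};

// Hypothetical helper: run Node's hostname verification for each candidate
// endpoint host and report whether the certificate would be accepted.
function endpointVerdicts(cert, hosts) {
    const verdicts = {};
    for (const host of hosts) {
        // checkServerIdentity returns undefined on a match and an Error otherwise.
        const err = tls.checkServerIdentity(host, cert);
        verdicts[host] = err ? `rejected: ${err.message}` : 'accepted';
    }
    return verdicts;
}

const candidates = [
    's3.scality.test',    // the /etc/hosts alias used by test.js
    'localhost',          // same machine, but the name is not in the certificate
    '127.0.0.1',          // IP addresses are never matched against a CN
    'scality.test',       // the wildcard does not cover the bare domain
    'a.s3.scality.test',  // nor more than one label
];

const verdicts = endpointVerdicts(serverCert, candidates);
for (const [host, verdict] of Object.entries(verdicts)) {
    console.log(`${host.padEnd(18)} ${verdict}`);
}
```

Node falls back to the subject CN here only because the certificate has no subjectAltName DNS entries; when such entries are present, the CN is ignored.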
Enjoy SSL with S3 Server!
For more info, make sure to check out our website, and our GitHub and Docker pages.
For any questions, please start a new topic on our forum.
Scality looks forward to your feedback!