Yann Defretin edited this page Apr 21, 2023 · 4 revisions

S3Proxy supports TLS (SSL) both with and without Docker.

You first need to create a keystore holding your certificate and its private key, then point S3Proxy at it.

Create a keystore

To set up the keystore, run the following; keytool prompts for the keystore password and the certificate's distinguished name fields:

$ keytool -keystore keystore.jks -alias aws -genkey -keyalg RSA

Use *.s3.amazonaws.com as the CN if you wish to proxy access to Amazon S3 itself; most TLS clients today check the certificate's Subject Alternative Name rather than the CN, so add the same name as a SAN as well (keytool's -ext SAN=dns:... option). Applications will reject the self-signed certificate unless you import it into the application's trust store. If the application is written in Java, you can do:

$ keytool -exportcert -keystore keystore.jks -alias aws -rfc > aws.crt
$ keytool -keystore $JAVA_HOME/jre/lib/security/cacerts -import -alias aws -file aws.crt -trustcacerts

On Java 9 and later the JDK trust store lives at $JAVA_HOME/lib/security/cacerts (keytool also accepts -cacerts to locate it); its default password is changeit. Importing into the JDK-wide cacerts trusts this certificate for every Java program using that JDK, so prefer a per-application trust store (-Djavax.net.ssl.trustStore) where you can.
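As an added example (my script, not S3Proxy's own code), the keystore and trust-store steps above scripted with a Subject Alternative Name on the certificate, which is what current clients check instead of the CN. The alias aws, the file keystore.jks and the demo password come from this page; the helper names, the run argument and the Java 8 versus Java 9+ trust-store lookup are my additions, and the script assumes a JDK's keytool is on PATH.

```shell
#!/bin/sh
# Added example, not from the S3Proxy project: build a keystore whose
# certificate carries a SAN, export the certificate, and trust it in a JDK.
# Assumes keytool (JDK) on PATH. Alias/file names follow the wiki page.
set -eu

KEYSTORE=${KEYSTORE:-keystore.jks}
ALIAS=${ALIAS:-aws}
STOREPASS=${STOREPASS:-password}   # demo value from the page; override via environment

# Build keytool's -ext argument, "SAN=dns:host1,dns:host2,ip:1.2.3.4".
# Names made only of digits and dots are treated as IP addresses.
san_ext() {
    ext="SAN="
    sep=""
    for host in "$@"; do
        case "$host" in
            *[!0-9.]*) ext="$ext${sep}dns:$host" ;;
            *)         ext="$ext${sep}ip:$host" ;;
        esac
        sep=","
    done
    printf '%s' "$ext"
}

# Locate the JDK trust store: Java 9+ keeps it at lib/security/cacerts,
# Java 8 at jre/lib/security/cacerts. Argument: the JDK home directory.
cacerts_path() {
    if [ -f "$1/lib/security/cacerts" ]; then
        printf '%s' "$1/lib/security/cacerts"
    else
        printf '%s' "$1/jre/lib/security/cacerts"
    fi
}

# Generate the key pair; the first hostname becomes the CN, all of them go
# into the SAN, which is the field clients actually verify against.
make_keystore() {
    keytool -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -alias "$ALIAS" -genkeypair -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$1" -ext "$(san_ext "$@")"
}

# Export the self-signed certificate (PEM) for clients to trust.
export_cert() {
    keytool -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        -alias "$ALIAS" -exportcert -rfc -file "$ALIAS.crt"
}

# Import it into the JDK-wide trust store; "changeit" is the JDK default
# password for cacerts.
trust_cert_in_java() {
    keytool -keystore "$(cacerts_path "$JAVA_HOME")" -storepass changeit \
        -importcert -noprompt -trustcacerts -alias "$ALIAS" -file "$ALIAS.crt"
}

# Only perform the real work when invoked as: sh make-keystore.sh run <host>...
if [ "${1:-}" = "run" ]; then
    shift
    [ $# -ge 1 ] || { echo "usage: $0 run <hostname> [more SAN names...]" >&2; exit 2; }
    make_keystore "$@"
    export_cert
    trust_cert_in_java
fi
```

Invoke it as `STOREPASS=... sh make-keystore.sh run '*.s3.amazonaws.com' localhost 127.0.0.1`; including localhost and 127.0.0.1 in the SAN lets you verify the listener locally later without name-check failures.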

SSL without Docker

S3Proxy listens on HTTPS when s3proxy.secure-endpoint is set together with the keystore path and password. An example s3proxy.conf fragment:

s3proxy.secure-endpoint=https://0.0.0.0:443
s3proxy.keystore-path=keystore.jks
s3proxy.keystore-password=password

The keystore path is resolved relative to S3Proxy's working directory unless it is absolute.

SSL with Docker

In Docker the same three settings are passed as environment variables, and the keystore file must be mounted into the container at the path S3PROXY_KEYSTORE_PATH points to:

  • S3PROXY_SECURE_ENDPOINT (for example https://0.0.0.0:443);
  • S3PROXY_KEYSTORE_PATH (the keystore's path inside the container);
  • S3PROXY_KEYSTORE_PASSWORD.

Publish the HTTPS port with -p as well.
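An added example of the Docker setup (my script, not the project's own): the three variables are written to an env-file so the keystore password stays out of shell history and the host's process list, the keystore from the previous section is mounted read-only, and the running listener is checked with openssl against the exported aws.crt rather than the system CAs. The mount location /opt/s3proxy/tls is taken from the Kubernetes example on this page; the script and function names are mine, the check assumes the certificate's SAN includes localhost, and any other S3PROXY_* variables your deployment needs (backend, credentials) would go in the same env-file.

```shell
#!/bin/sh
# Added example, not from the S3Proxy project: run gaul/s3proxy with TLS.
# Assumes keystore.jks and aws.crt (from the keystore step) are in the current
# directory; /opt/s3proxy/tls is the mount path borrowed from the page's
# Kubernetes example.
set -eu

KEYSTORE_DIR=${KEYSTORE_DIR:-/opt/s3proxy/tls}

# Write the TLS settings to an env-file (mode 0600) instead of passing -e on
# the command line, so the password is not visible in shell history or `ps`.
# Runs in a subshell so the umask change stays local. Prints the file path.
write_env_file() (
    out=$1; port=$2; pass=$3
    umask 077
    {
        printf 'S3PROXY_SECURE_ENDPOINT=https://0.0.0.0:%s\n' "$port"
        printf 'S3PROXY_KEYSTORE_PATH=%s/keystore.jks\n' "$KEYSTORE_DIR"
        printf 'S3PROXY_KEYSTORE_PASSWORD=%s\n' "$pass"
    } > "$out"
    printf '%s' "$out"
)

# Start the container: publish the HTTPS port, load the env-file, and mount
# the keystore read-only at the path the env-file names.
run_s3proxy() {
    docker run -d --name s3proxy \
        -p 443:"$1" \
        --env-file "$2" \
        -v "$PWD/keystore.jks:$KEYSTORE_DIR/keystore.jks:ro" \
        gaul/s3proxy
}

# Verify the listener presents our certificate: trust only aws.crt and make
# the name check (SNI + hostname) a hard failure rather than a warning.
verify_tls() {
    openssl s_client -connect localhost:443 -servername "$1" \
        -CAfile aws.crt -verify_hostname "$1" -verify_return_error </dev/null
}

# Only perform the real work when invoked as: STOREPASS=... sh run-s3proxy.sh run [hostname]
if [ "${1:-}" = "run" ]; then
    envfile=$(write_env_file s3proxy.env 443 "${STOREPASS:?set STOREPASS to the keystore password}")
    run_s3proxy 443 "$envfile"
    sleep 5   # give Jetty a moment to bind before checking
    verify_tls "${2:-localhost}"
fi
```

Note that docker inspect still shows the container's environment, so the env-file keeps the secret off the command line only; it does not hide it from anyone who can query the Docker daemon.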

SSL with Kubernetes

You need to create or update the Secret holding your S3Proxy configuration, for example:

apiVersion: v1
kind: Secret
metadata:
  name: s3proxy
  namespace: default
stringData:
  [...]
  S3PROXY_SECURE_ENDPOINT: "https://0.0.0.0:443"
  S3PROXY_KEYSTORE_PATH: "tls/keystore.jks"
  S3PROXY_KEYSTORE_PASSWORD: password

You also need to create a secret that will contain the keystore file:

kubectl create -n default secret generic s3proxy-keystore --from-file=keystore.jks -o yaml

Then the Deployment looks like this. S3PROXY_KEYSTORE_PATH (tls/keystore.jks) is relative to the container's working directory, so it must line up with the mountPath below (/opt/s3proxy/tls); an absolute path avoids depending on the working directory. Binding port 443 requires the container process to run as root or hold CAP_NET_BIND_SERVICE; if you run the container as a non-root user, listen on a port above 1024 and map it through a Service instead.

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: s3proxy
  namespace: default
  labels:
    app: s3proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: s3proxy
  template:
    metadata:
      labels:
        app: s3proxy
    spec:
      containers:
      - name: s3proxy
        image: gaul/s3proxy
        ports:
        - name: https
          containerPort: 443
        envFrom:
        - secretRef:
            name: s3proxy
        resources:
          requests:
            cpu: 1
            memory: "1Gi"
          limits:
            memory: "1Gi"
        volumeMounts:
        - name: keystore
          mountPath: /opt/s3proxy/tls
      volumes:
      - name: keystore
        secret:
          secretName: s3proxy-keystore
          items:
          - key: keystore.jks
            path: keystore.jks
