Skip to content

Commit

Permalink
Merge pull request #25 from synyx/self-signed-ssl-minio
Browse files Browse the repository at this point in the history
Add support for self-signed minio deployments
  • Loading branch information
rzrbld authored Aug 21, 2022
2 parents c290c50 + 1f82b08 commit d393809
Show file tree
Hide file tree
Showing 2 changed files with 89 additions and 6 deletions.
93 changes: 87 additions & 6 deletions src/clients/clients.go
Original file line number Diff line number Diff line change
@@ -1,6 +1,13 @@
package clients

import (
"crypto/tls"
"crypto/x509"
"encoding/pem"
"fmt"
"net/http"
"os"

minio "github.com/minio/minio-go/v7"
"github.com/minio/minio-go/v7/pkg/credentials"

Expand All @@ -10,14 +17,30 @@ import (
cnf "github.com/rzrbld/adminio-api/config"
)

var MadmClnt, MadmErr = madmin.New(cnf.Server, cnf.Maccess, cnf.Msecret, cnf.Ssl)
var MadmErr error
var MinioErr error
var MinioClnt *minio.Client
var MadmClnt *madmin.AdminClient

func init() {
tr, err := customTransport()
if err != nil {
MadmErr = err
MinioErr = err
return
}

// var MinioClnt, MinioErr = minio.New(cnf.Server, cnf.Maccess, cnf.Msecret, cnf.Ssl)
MinioClnt, MinioErr = minio.New(cnf.Server, &minio.Options{
Creds: credentials.NewStaticV4(cnf.Maccess, cnf.Msecret, ""),
Secure: cnf.Ssl,
Transport: tr,
})

var MinioClnt, MinioErr = minio.New(cnf.Server, &minio.Options{
Creds: credentials.NewStaticV4(cnf.Maccess, cnf.Msecret, ""),
Secure: cnf.Ssl,
})
MadmClnt, MadmErr = madmin.New(cnf.Server, cnf.Maccess, cnf.Msecret, cnf.Ssl)
if err == nil {
MadmClnt.SetCustomTransport(tr)
}
}

func main() {
if MadmErr != nil {
Expand All @@ -28,3 +51,61 @@ func main() {
log.Fatalln("Error while connecting via minio client ", MinioErr)
}
}

func customTransport() (*http.Transport, error) {

if !cnf.Ssl {
return minio.DefaultTransport(cnf.Ssl)
}

tlsConfig := &tls.Config{
// Can't use SSLv3 because of POODLE and BEAST
// Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher
// Can't use TLSv1.1 because of RC4 cipher usage
MinVersion: tls.VersionTLS12,
}

tr, err := minio.DefaultTransport(cnf.Ssl)
if err != nil {
return nil, err
}

if cnf.SSLCACertFile != "" {
minioCACert, err := os.ReadFile(cnf.SSLCACertFile)
if err != nil {
return nil, err
}

if !isValidCertificate(minioCACert) {
return nil, fmt.Errorf("minio CA Cert is not a valid x509 certificate")
}

rootCAs, _ := x509.SystemCertPool()
if rootCAs == nil {
// In some systems (like Windows) system cert pool is
// not supported or no certificates are present on the
// system - so we create a new cert pool.
rootCAs = x509.NewCertPool()
}
rootCAs.AppendCertsFromPEM(minioCACert)
tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
tlsConfig.RootCAs = rootCAs
}

if cnf.SSLSkipVerify {
tlsConfig.InsecureSkipVerify = true
}

tr.TLSClientConfig = tlsConfig

return tr, nil
}

func isValidCertificate(c []byte) bool {
p, _ := pem.Decode(c)
if p == nil {
return false
}
_, err := x509.ParseCertificates(p.Bytes)
return err == nil
}
2 changes: 2 additions & 0 deletions src/config/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,8 @@ var (
// Enable object locking by default
DefaultObjectLocking, _ = strconv.ParseBool(getEnv("MINIO_DEFAULT_LOCK_OBLECT_ENABLE", "false"))
Ssl, _ = strconv.ParseBool(getEnv("MINIO_SSL", "false"))
SSLSkipVerify, _ = strconv.ParseBool(getEnv("MINIO_SSL_INSECURE", "false"))
SSLCACertFile = getEnv("MINIO_SSL_CACERT", "")
ServerHostPort = getEnv("ADMINIO_HOST_PORT", "localhost:8080")
AdminioCORS = getEnv("ADMINIO_CORS_DOMAIN", "*")
// AES only supports key sizes of 16, 24 or 32 bytes.
Expand Down

0 comments on commit d393809

Please sign in to comment.