jerebear12 / seaweedtest


Seaweed discussion invitation #5

Open LuuucasChen opened 2 months ago

LuuucasChen commented 2 months ago

Hello, recently I've been using Seaweed and noticed several of your pull requests. I feel our use cases are quite similar. Would you be available to discuss further?

jerebear12 commented 2 months ago

Yeah, I'm interested! What would you like to discuss?

LuuucasChen commented 2 months ago

> Yeah, I'm interested! What would you like to discuss?

I used SeaweedFS to store internal company files. Now, some of these files need to be accessible over the internet, so I need to implement some security controls. My current idea is to configure an HTTP port for read-only access from the internet, disable dirListing, and open specific directories through a gateway layer.

I've seen you've been supplementing a lot in terms of security controls. Are you also using SeaweedFS as the storage backend for internet access? Do you have any good suggestions for the configuration I mentioned above? Thanks so much!
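The read-only gateway sketched in this comment, as an added example that is not code from this thread or from SeaweedFS: a small forwarding proxy that sits between the internet and a Filer HTTP port, only lets `GET`/`HEAD` through, only under a fixed set of exported directories, and refuses anything that looks like a directory request. `FILER_URL` and `PUBLIC_PREFIXES` are assumed values, and the example does not depend on how the Filer itself answers a directory request (listing, or 403 with dirListing off), because such requests are never forwarded.

```python
# Added example (not from the thread or SeaweedFS): read-only gateway in front of
# a Filer HTTP port. FILER_URL and PUBLIC_PREFIXES are assumptions.
import posixpath
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError, URLError
from urllib.parse import unquote, urlsplit
from urllib.request import Request, urlopen

FILER_URL = "http://127.0.0.1:8087"                       # assumed internal Filer
PUBLIC_PREFIXES = ("/public/docs/", "/public/images/")    # assumed exported dirs


def policy(method, raw_path):
    """Decide what to do with one request.

    Returns (200, normalized_path) when the request may be forwarded, otherwise
    (status, reason) for an error the gateway answers itself.
    """
    if method not in ("GET", "HEAD"):
        return 405, "gateway is read-only"
    # Drop the query string so Filer-specific options cannot be passed through,
    # and decode percent-escapes before any path comparison.
    decoded = unquote(urlsplit(raw_path).path)
    if "\x00" in decoded:
        return 400, "malformed path"
    if decoded.endswith("/"):
        return 403, "directory listing is not exposed"
    # Collapse "..", "." and duplicate slashes before the prefix check.
    norm = posixpath.normpath(decoded)
    if not norm.startswith("/"):
        return 400, "malformed path"
    if not any(norm.startswith(prefix) for prefix in PUBLIC_PREFIXES):
        # This also rejects the prefix directories themselves ("/public/docs").
        return 404, "not a public path"
    return 200, norm


class Gateway(BaseHTTPRequestHandler):
    def _handle(self):
        status, detail = policy(self.command, self.path)
        if status != 200:
            self.send_error(status, detail)
            return
        upstream = Request(FILER_URL + detail, method=self.command)
        try:
            with urlopen(upstream, timeout=10) as resp:
                body = resp.read() if self.command == "GET" else b""
                length = (resp.headers.get("Content-Length", "0")
                          if self.command == "HEAD" else str(len(body)))
                self.send_response(resp.status)
                self.send_header("Content-Type", resp.headers.get(
                    "Content-Type", "application/octet-stream"))
                self.send_header("Content-Length", length)
                self.end_headers()
                self.wfile.write(body)
        except HTTPError as err:
            # Pass "not found" through; hide every other upstream error.
            self.send_error(404 if err.code == 404 else 502)
        except URLError:
            self.send_error(502, "filer unreachable")

    # Every method goes through the same policy, so writes get a 405.
    do_GET = do_HEAD = do_POST = do_PUT = do_DELETE = _handle


if __name__ == "__main__":
    ThreadingHTTPServer(("0.0.0.0", 8080), Gateway).serve_forever()
```

The gateway forwards only the normalized path, never the client's query string or headers, so the Filer's own listing and formatting options stay internal; whatever the Filer's `dirListing` setting is, it is a second line of defence behind this policy rather than the only one.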

LuuucasChen commented 2 months ago

I also noticed your contributions regarding the allowedOrigin configuration. Today, after upgrading the version and testing the configuration, I found that it doesn't seem to be taking effect. I'm not sure where the issue lies.

My configuration is as follows: ./weed filer -master=xxx:9333 -port=8087 -allowedOrigins=10.71.12.32,10.24.3.4 -defaultStoreDir=./filer_path

I intentionally configured an incorrect request Origin, but the request still succeeded.

jerebear12 commented 2 months ago

The company I work for is using SeaweedFS for file storage over the internet, yes. That is why I've been adding security controls to the Filer.

Well, the Filer wasn't really designed to be the forward-facing access point from what I can tell. It seems as though it was created to be an internal proxy that supports the S3 gateway which has more public-facing options. I would recommend using the S3 gateway if possible as it allows whatever you are using to interface with SeaweedFS to interface with any other S3-compatible store.

Placing the Filer behind a reverse proxy is a good idea. I would not recommend exposing the Filer UI itself to the internet for public use if possible.

It sounds like you want to disallow access to directory listing for some buckets/folders, but not for others, is that true?

The allow origin config may be bugged when it is being set from the console. I thought I had it working and tested, but I do know it works when set in the security.toml file. The wiki explains how to generate this file if you don't have it already.
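A way to verify whether the origin allowlist is actually taking effect, covering the test described in the earlier comment ("I intentionally configured an incorrect request Origin, but the request still succeeded") and the `security.toml` versus command-line question here. This is an added example, not code from this thread or from SeaweedFS, and it makes no assumption about how the Filer matches origins: it sends one request with an allowed `Origin` and one with a constructed origin that must not pass, then reports the status code and the `Access-Control-Allow-Origin` header it got back, because enforcement can show up as either a rejected request or a missing/non-matching header. The base URL, path and allowlist are command-line inputs.

```python
# Added example (not from the thread or SeaweedFS): probe a Filer, or any HTTP
# server, to see whether its Origin allowlist takes effect.
import sys
from urllib.error import HTTPError
from urllib.request import Request, urlopen


def classify(origin, status, acao):
    """Interpret one response to a request that carried the given Origin.

    'blocked' - the server refused the request outright
    'allowed' - the Origin was acknowledged (echoed back, or '*')
    'ignored' - the request was served but the Origin was not acknowledged
    """
    if status in (400, 401, 403):
        return "blocked"
    if acao is not None and (acao == "*" or acao == origin):
        return "allowed"
    return "ignored"


def consistent(origin, allowlist, outcome):
    """True when the observed outcome matches what the allowlist says."""
    if origin in allowlist:
        return outcome == "allowed"
    return outcome in ("blocked", "ignored")


def probe(base_url, path, origin, timeout=10):
    """Send one GET with an Origin header; return (status, ACAO header or None)."""
    req = Request(base_url + path, headers={"Origin": origin})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Access-Control-Allow-Origin")
    except HTTPError as err:
        return err.code, err.headers.get("Access-Control-Allow-Origin")


def check(base_url, path, allowlist, origins, fetch=probe):
    """Probe every origin; return {origin: (status, acao, outcome, ok)}.

    `fetch` is injectable so the logic can be exercised without a server.
    """
    report = {}
    for origin in origins:
        status, acao = fetch(base_url, path, origin)
        outcome = classify(origin, status, acao)
        report[origin] = (status, acao, outcome,
                          consistent(origin, allowlist, outcome))
    return report


if __name__ == "__main__":
    # usage: python origin_probe.py http://filer:8087 /public/docs/report.pdf \
    #        http://10.71.12.32,http://10.24.3.4
    base, path, allowed = sys.argv[1], sys.argv[2], sys.argv[3].split(",")
    # One origin from the allowlist plus a constructed one that must not pass.
    targets = allowed[:1] + ["http://not-allowed.example"]
    for origin, (status, acao, outcome, ok) in check(base, path, allowed, targets).items():
        print(f"{origin:32} HTTP {status}  ACAO={acao!r:30} {outcome:8} "
              f"{'OK' if ok else 'MISMATCH'}")
```

Two things to keep in mind when reading the report. A browser sends `Origin` as `scheme://host[:port]` (for example `http://10.71.12.32`), so probe with, and compare against, that form rather than a bare IP. And an origin allowlist only governs what browsers may read cross-origin; any non-browser client can put whatever it likes in the header, so the reverse proxy and authentication in front of the Filer remain the actual access control.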