Skip to content
Yann Defretin edited this page Apr 21, 2023 · 4 revisions

S3Proxy has SSL support working both with Docker or without Docker.

You first need to configure a keystore holding your certificates and pass it to S3Proxy.

Create a keystore

To setup the keystore, do

$ keytool -keystore keystore.jks -alias aws -genkey -keyalg RSA

Use *.s3.amazonaws.com as the CN if you wish to proxy access to Amazon S3 itself. Applications will reject the self-signed certificate, unless you import it to the application's trusted store. If the application is written in Java, you can do:

$ keytool -exportcert -keystore keystore.jks -alias aws -rfc > aws.crt
$ keytool -keystore $JAVA_HOME/jre/lib/security/cacerts -import -alias aws -file aws.crt -trustcacerts

SSL without Docker

S3Proxy can listen on HTTPS by setting the secure-endpoint An example:

s3proxy.secure-endpoint=https://0.0.0.0:443
s3proxy.keystore-path=keystore.jks
s3proxy.keystore-password=password

SSL with Docker

You need to configure the following environment variables:

  • S3PROXY_SECURE_ENDPOINT ;
  • S3PROXY_KEYSTORE_PATH ;
  • S3PROXY_KEYSTORE_PASSWORD.

SSL with Kubernetes

You need to create or update the secret with your S3Proxy configuration, example:

apiVersion: v1
kind: Secret
metadata:
  name: s3proxy
  namespace: default
stringData:
  [...]
  S3PROXY_SECURE_ENDPOINT: "https://0.0.0.0:443"
  S3PROXY_KEYSTORE_PATH: "tls/keystore.jks"
  S3PROXY_KEYSTORE_PASSWORD: password

You also need to create a secret that will contain the keystore file:

kubectl create -n default secret generic s3proxy-keystore --from-file=keystore.jks -o yaml

Then you will have a deployment like this:

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: s3proxy
  namespace: default
  labels:
    app: s3proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: s3proxy
  template:
    metadata:
      labels:
        app: s3proxy
    spec:
      containers:
        - name: s3proxy
          image: gaul/s3proxy
          ports:
            - name: https
              containerPort: 443
          envFrom:
            - secretRef:
                name: s3proxy
          resources:
            requests:
              cpu: 1
              memory: "1Gi"
            limits:
              memory: "1Gi"
          volumeMounts:
          - name: keystore
            mountPath: /opt/s3proxy/tls
      volumes:
        - name: keystore
          secret:
            secretName: s3proxy-keystore
            items:
              - key: keystore.jks
                path: keystore.jks