Enable TLS connections
This guide describes how a TLS-enabled secure Flower server (SuperLink) can be
started and how a Flower client (SuperNode) can establish a secure connection to
it.
A complete code example demonstrating a secure connection can be found here: https://github.com/adap/flower/tree/main/examples/advanced-tensorflow
The code example comes with a README.md file which explains how to start it.
Although it is already TLS-enabled, it might be less descriptive on how it does so.
Stick to this guide for a deeper introduction to the topic.
Certificates
Using TLS-enabled connections requires certificates to be passed to the server and
client. For the purpose of this guide we are going to generate self-signed certificates.
As this can become quite complex, we are going to ask you to run the script in
examples/advanced-tensorflow/certificates/generate.sh with the following command
sequence:
$ cd examples/advanced-tensorflow/certificates && \
./generate.sh
This will generate the certificates in examples/advanced-tensorflow/.cache/certificates.
The approach for generating TLS certificates in the context of this example can serve as an inspiration and starting point, but it should not be used as a reference for production environments. Please refer to other sources regarding the issue of correctly generating certificates for production environments. For non-critical prototyping or research projects, it might be sufficient to use the self-signed certificates generated using the scripts mentioned in this guide.
Server (SuperLink)
Navigate to the examples/advanced-tensorflow folder and use the following terminal
command to start a server (SuperLink) that uses the previously generated
certificates:
$ flower-superlink \
--ssl-ca-certfile .cache/certificates/ca.crt \
--ssl-certfile .cache/certificates/server.pem \
--ssl-keyfile .cache/certificates/server.key
When providing certificates, the server expects a tuple of three certificate paths: CA certificate, server certificate and server private key.
Clients (SuperNode)
Use the following terminal command to start a client (SuperNode) that uses the previously generated certificates:
$ flower-supernode \
--root-certificates .cache/certificates/ca.crt \
--superlink 127.0.0.1:9092 \
--clientappio-api-address 0.0.0.0:9095 \
--node-config="partition-id=0 num-partitions=10"
When setting root_certificates, the client expects a file path to PEM-encoded root
certificates.
In another terminal, start a second SuperNode that uses the same certificates:
$ flower-supernode \
--root-certificates .cache/certificates/ca.crt \
--superlink 127.0.0.1:9092 \
--clientappio-api-address 0.0.0.0:9096 \
--node-config="partition-id=1 num-partitions=10"
Note that in the second SuperNode, if you run both on the same machine, you must specify
a different port for the ClientAppIO API address to avoid clashing with the first
SuperNode.
Executing flwr run with TLS
The root certificates used for executing flwr run are specified in the
pyproject.toml of your app.
[tool.flwr.federations.local-deployment]
address = "127.0.0.1:9093"
root-certificates = "./.cache/certificates/ca.crt"
Note that the path to the root-certificates is relative to the root of the project.
Now, you can run the example by executing the following:
$ flwr run . local-deployment --stream
Conclusion
You should now have learned how to generate self-signed certificates using the given
script, start a TLS-enabled server and have two clients establish secure connections to
it. You should also have learned how to run your Flower project using flwr run with
TLS enabled.
Note
For running a Docker setup with TLS enabled, please refer to Enable TLS for Secure Connections.
Additional resources
If you want to learn more about certificates, refer to these additional resources:
Let's Encrypt: https://letsencrypt.org/docs/