* Caddy (умеет обновлять сертификаты)
* Nginx
* HAProxy

## Let's Encrypt { #lets-encrypt }

До появления Let's Encrypt эти **HTTPS-сертификаты** продавались доверенными третьими сторонами.

Процесс получения таких сертификатов был неудобным, требовал бумажной волокиты, а сами сертификаты были довольно дорогими.

Затем появился **[Let's Encrypt](https://letsencrypt.org/)**.

    private static final String USER_REALM = "EXAMPLE.COM";
    private static final int ENCRYPTION_TYPE = 23; // aes128-cts-hmac-sha1-96
    private static final byte[] ENCRYPTED_DATA = "encrypted-data".getBytes();

    @BeforeEach
    void setUp() {
        keys = new KerberosKey[] { kerberosKey };
    }

    /**
     * Creates a byte array representing a Kerberos ticket for testing purposes.

你可以用作 TLS 终止代理的一些选项包括：

* Traefik（也可以处理证书更新）
* Caddy（也可以处理证书更新）
* Nginx
* HAProxy

## Let's Encrypt { #lets-encrypt }

在 Let's Encrypt 之前，这些 **HTTPS 证书** 由受信任的第三方出售。

过去，获得这些证书的过程非常繁琐，需要大量的文书工作，而且证书非常昂贵。

但随后 **[Let's Encrypt](https://letsencrypt.org/)** 创建了。

它是 Linux 基金会的一个项目。 它以自动方式免费提供 **HTTPS 证书**。 这些证书可以使用所有符合标准的安全加密，并且有效期很短（大约 3 个月），因此**安全性实际上更好**，因为它们的生命周期缩短了。

./mc ready myminio1
./mc ready myminio2
sleep 1

./mc mb myminio1/testbucket/ --with-lock
./mc mb myminio2/testbucket/ --with-lock

./mc encrypt set sse-s3 my-minio-key myminio1/testbucket/
./mc encrypt set sse-s3 my-minio-key myminio2/testbucket/

./mc replicate add myminio1/testbucket --remote-bucket http://minioadmin:minioadmin@localhost:9101/testbucket --priority 1

	exit 1
fi

got_checksum=$(./mc cat myminio/versioned/dsync/drwmutex.go | md5sum)
if [ "${expected_checksum}" != "${got_checksum}" ]; then
	echo "BUG: decommission failed on encrypted objects: expected ${expected_checksum} got ${got_checksum}"
	exit 1
fi

./mc ls -r myminio/versioned >decommissioned_ns.txt
./mc ls -r --versions myminio/versioned >decommissioned_ns_versions.txt

	if err != nil {
		return nil, err
	}
	return io.ReadAll(plaintext)
}

// Encrypt encrypts the plaintext with a key managed by KMS.
// The context is bound to the returned ciphertext.
//
// The same context must be provided when decrypting the
// ciphertext.
func Encrypt(k *kms.KMS, plaintext io.Reader, ctx kms.Context) (io.Reader, error) {
	algorithm := sio.AES_256_GCM
	if !sioutil.NativeAES() {

				if err != nil {
					errs[idx] = err
					return
				}

				// do not try to verify encrypted content/
				hr, err = hash.NewReader(ctx, encrd, -1, "", "", -1)
				if err != nil {
					errs[idx] = err
					return
				}

				reader, err = reader.WithEncryption(hr, &objectEncryptionKey)

import java.util.List;

import org.apache.maven.settings.Proxy;
import org.apache.maven.settings.Server;
import org.apache.maven.settings.building.SettingsProblem;

/**
 * Collects the output of the settings decrypter.
 *
 * @deprecated since 4.0.0
 */
@Deprecated(since = "4.0.0")
class DefaultSettingsDecryptionResult implements SettingsDecryptionResult {

    private List<Server> servers;

    private List<Proxy> proxies;

    }

    /**
     * Stores a web authentication configuration.
     * Parameters are encrypted before storage.
     *
     * @param webAuthentication The web authentication configuration to store
     */
    public void store(final WebAuthentication webAuthentication) {
        webAuthentication.setParameters(ParameterUtil.encrypt(webAuthentication.getParameters()));
        webAuthenticationBhv.insertOrUpdate(webAuthentication, op -> {

import java.util.List;

import org.apache.maven.settings.Proxy;
import org.apache.maven.settings.Server;
import org.apache.maven.settings.building.SettingsProblem;

/**
 * Collects the output of the settings decrypter.
 *
 * @deprecated since 4.0.0
 */
@Deprecated(since = "4.0.0")
public interface SettingsDecryptionResult {

    /**