From 6cd2e0fc2e0f2624a23c8076ee5cd0b59c6a89c0 Mon Sep 17 00:00:00 2001
From: Gavin Towey
Date: Mon, 16 Dec 2019 15:04:40 -0800
Subject: [PATCH] Add TLS options for http server
---
 .gitignore | 2 ++
 conf/freno.conf.ssl.json | 9 +++++++
 go/cmd/freno/main.go | 53 ++++++++++++++++++++++++++++++++++++++--
 go/config/config.go | 4 +++
 4 files changed, 66 insertions(+), 2 deletions(-)
 create mode 100644 conf/freno.conf.ssl.json
diff --git a/.gitignore b/.gitignore
index a5d0c2ef..b2d674a2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,5 @@ bin/
 main
 conf/freno.local.conf.json
 .vendor/
+server.crt
+server.key
diff --git a/conf/freno.conf.ssl.json b/conf/freno.conf.ssl.json
new file mode 100644
index 00000000..ed9eecfe
--- /dev/null
+++ b/conf/freno.conf.ssl.json
@@ -0,0 +1,9 @@
+{
+ "ListenPort": 8088,
+ "RaftBind": "127.0.0.1:10008",
+ "RaftDataDir": "/tmp",
+ "RaftNodes": [],
+ "UseSSL": true,
+ "SSLPrivateKeyFile": "server.key",
+ "SSLCertFile": "server.crt"
+}
diff --git a/go/cmd/freno/main.go b/go/cmd/freno/main.go
index 7122de92..0dbe46fa 100644
--- a/go/cmd/freno/main.go
+++ b/go/cmd/freno/main.go
@@ -1,6 +1,7 @@
 package main
 import (
+ "crypto/tls"
 "flag"
 "fmt"
 gohttp "net/http"
@@ -9,6 +10,7 @@ import (
 "github.com/github/freno/go/config"
 "github.com/github/freno/go/group"
 "github.com/github/freno/go/http"
+ "github.com/github/freno/go/throttle"
 "github.com/outbrain/golib/log"
 )
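Review bot: The `"github.com/github/freno/go/throttle"` import added in the second main.go hunk has no use anywhere in this commit's new code; the only throttle-related identifier in the main.go hunks is the pre-existing `throttlerCheck` context variable inside httpServe. As far as the diff shows, the line is therefore either an unused import or, if `throttlerCheck` is already built from that package earlier in the file, a duplicate of an import that already exists, and `go build` rejects both. Please confirm against the full file and drop the line if nothing new references `throttle.`. The `crypto/tls` import from the first hunk is fine: `NewTLSConfig` and the `TLSNextProto` map type use it.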
@@ -122,8 +124,55 @@ func httpServe() error {
 api := http.NewAPIImpl(throttlerCheck, consensusServiceProvider.GetConsensusService())
 router := http.ConfigureRoutes(api)
 port := config.Settings().ListenPort
- log.Infof("Starting server in port %d", port)
- return gohttp.ListenAndServe(fmt.Sprintf(":%d", port), router)
+
+ if config.Settings().UseSSL {
+ log.Infof("Starting HTTPS server on port %d", port)
+
+ keyFile := config.Settings().SSLPrivateKeyFile
+ cert := config.Settings().SSLCertFile
+ log.Infof("Using SSLCertFile: %s", cert)
+ log.Infof("Using SSLPrivateKeyFile: %s", keyFile)
+
+ tlsConfig := NewTLSConfig(config.Settings())
+ srv := &gohttp.Server{
+ Addr: fmt.Sprintf(":%d", port),
+ Handler: router,
+ TLSConfig: tlsConfig,
+ TLSNextProto: make(map[string]func(*gohttp.Server, *tls.Conn, gohttp.Handler), 0),
+ }
+ if err = srv.ListenAndServeTLS(cert, keyFile); err != nil {
+ log.Fatale(err)
+ }
+ } else {
+ log.Infof("Starting HTTP server on port %d", port)
+ err := gohttp.ListenAndServe(fmt.Sprintf(":%d", port), router)
+ if err != nil {
+ log.Fatale(err)
+ }
+ }
+ return nil
+}
+
+// NewTLSConfig returns an initialized TLS configuration
+func NewTLSConfig(conf *config.ConfigurationSettings) *tls.Config {
+ return &tls.Config{
+ MinVersion: tls.VersionTLS12,
+ CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
+ PreferServerCipherSuites: true,
+ CipherSuites: []uint16{
+ tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+ tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+ tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+ tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+ },
+ InsecureSkipVerify: conf.SSLSkipVerify,
+ }
 }
 func printHelp() {
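Review bot: httpServe still returns `error`, but neither new branch propagates one: the TLS branch assigns to an `err` that is not declared anywhere in the hunk (`if err = srv.ListenAndServeTLS(cert, keyFile); err != nil` compiles only if httpServe, which starts outside this hunk, already has an `err` in scope), the plain branch shadows it with `err :=`, and both end in `log.Fatale(err)` followed by an unconditional `return nil`, so the caller that used to receive the listen error now never sees one. Replacing the two `if … log.Fatale` blocks with `return srv.ListenAndServeTLS(cert, keyFile)` and `return gohttp.ListenAndServe(fmt.Sprintf(":%d", port), router)` keeps the original contract and drops the inconsistent `err` handling. In NewTLSConfig, `InsecureSkipVerify` controls a client's verification of the server certificate and is not consulted by a server-side handshake (client-certificate checking is governed by `ClientAuth`), so `SSLSkipVerify` is inert here and its name suggests a relaxation that is not actually happening; either remove it or comment that it has no server-side effect. The empty non-nil `TLSNextProto` map silently disables HTTP/2, which deserves `// non-nil (empty) TLSNextProto disables net/http's automatic HTTP/2 setup` next to it. The cipher list also ends with `TLS_RSA_WITH_AES_128_CBC_SHA`/`TLS_RSA_WITH_AES_256_CBC_SHA`, which give no forward secrecy, plus several CBC suites; with `MinVersion: tls.VersionTLS12` already required, trimming the list to the ECDHE AEAD (GCM) entries is a reasonable hardening.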
diff --git a/go/config/config.go b/go/config/config.go
index 7639692c..eed48357 100644
--- a/go/config/config.go
+++ b/go/config/config.go
@@ -109,6 +109,10 @@ type ConfigurationSettings struct {
 MemcacheServers []string // if given, freno will report to aggregated values to given memcache
 MemcachePath string // use as prefix to metric path in memcache key, e.g. if `MemcachePath` is "myprefix" the key would be "myprefix/mysql/maincluster". Default: "freno"
 Stores StoresSettings
+ UseSSL bool
+ SSLCertFile string
+ SSLPrivateKeyFile string
+ SSLSkipVerify bool
 }
 func newConfigurationSettings() *ConfigurationSettings {
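Review bot: The four new fields carry no trailing comment, while the neighbouring fields (`MemcacheServers`, `MemcachePath`) document each key in place; add comments in that style, e.g. `UseSSL bool // if true, serve the HTTP API over TLS using SSLCertFile and SSLPrivateKeyFile`, `SSLCertFile string // path to the PEM certificate (chain) presented by the server` and `SSLPrivateKeyFile string // path to the PEM private key matching SSLCertFile`. `SSLSkipVerify` needs a comment most, because main.go wires it into `tls.Config.InsecureSkipVerify` on a server-side config, where that field is not consulted; if it is reserved for a future freno-as-TLS-client path say so, otherwise the key is dead configuration and should go. Note also that the new `conf/freno.conf.ssl.json` sample omits `SSLSkipVerify` entirely, which may be deliberate but is worth stating in the comment.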