Add posibility to serve HTTPS/TLS connection

2020-07-13 18:50:11 +03:00 · 2020-07-13 18:50:11 +03:00 · c38c4ca5db
commit c38c4ca5db
parent b9c4156e5b
4 changed files with 82 additions and 7 deletions
--- a/cert/server.crt
+++ b/cert/server.crt
@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDpDCCAowCCQDXZEH0aQRqFzANBgkqhkiG9w0BAQsFADCBkzELMAkGA1UEBhMC
+UlUxFjAUBgNVBAgMDVN0LlBldGVyc2J1cmcxGTAXBgNVBAcMEFNhaW50IFBldGVy
+c2J1cmcxDjAMBgNVBAoMBU5TUENDMREwDwYDVQQLDAhOZW8gU1BDQzERMA8GA1UE
+AwwIbnNwY2MucnUxGzAZBgkqhkiG9w0BCQEWDG9wc0Buc3BjYy5ydTAeFw0yMDA3
+MTMxNTQyMzZaFw0zMDA3MTExNTQyMzZaMIGTMQswCQYDVQQGEwJSVTEWMBQGA1UE
+CAwNU3QuUGV0ZXJzYnVyZzEZMBcGA1UEBwwQU2FpbnQgUGV0ZXJzYnVyZzEOMAwG
+A1UECgwFTlNQQ0MxETAPBgNVBAsMCE5lbyBTUENDMREwDwYDVQQDDAhuc3BjYy5y
+dTEbMBkGCSqGSIb3DQEJARYMb3BzQG5zcGNjLnJ1MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAwqo2l4fS0U6wZCLh7VjQn1LXN8pZlVaA62C+g1SwoWV2
+Q5qM8FDihWj3UBO3F+6vUVJl8N5S0JroxxU6L48Wmshei145SLSl/F28tsk7Bbuz
+NOchonlelW77Xr6l7cDJBWUWGkDoq6a/S6w6jjCGhZq+X0gyS5nZ4HTouVNv2oFK
+eeJGtueLsS4zoVovrHdLSYdZH9/yC+E1WVCzQB+vdUF/vJLTuULgqncLV0sELmRl
+xsnnAV/REJswtCmKgrmAv9pMebBw5EEgROTGazdToWdD5X44xTlHjUb1bMuF9tL
+YtUMdLxXceXZFhYhiTBO7ev9awKaNYslbxh+goJo1wIDAQABMA0GCSqGSIb3DQEB
+CwUAA4IBAQBDEGhAyOtfsNwbZ0oZIw06e0JXCmri+8jsn5Ly/yHU0+ecHgMA5AAQ
+AG2QRpZZtZCtD/Cj4i6nSTWbRhS0FgqY998p5Lnh/AXTZHBx0t3LKJupN59CIjCK
+1eMEfQChoAZg66oO/obAFkq72gj8gpagMY9vFNVcszmse3FWrvlKmO1TwTEh+CzM
+7wbmiL/ujm0lIf44pp0U4qYFcSimSDqbwOfeDPif9lMinzylDxMfaAKBHBHPj5Vt
+fX8dgf6MIqyz51u/2G0gHfXMDxXec8huYKt2EtPyavh6kFxxGvcA15m6seJTcu+h
+6WzeQFa2NBg7Z3ai4DiPXirNtcHWeqxK
+-----END CERTIFICATE-----
--- a/cert/server.key
+++ b/cert/server.key
@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAwqo2l4fS0U6wZCLh7VjQn1LXN8pZlVaA62C+g1SwoWV2Q5qM
+8FDihWj3UBO3F+6vUVJl8N5S0JroxxU6L48Wmshei145SLSl/F28tsk7BbuzNOch
+onlelW77Xr6l7cDJBWUWGkDoq6a/S6w6jjCGhZq+X0gyS5nZ4HTouVNv2oFKeeJG
+tueLsS4zoVovrHdLSYdZH9/yC+E1WVCzQB+vdUF/vJLTuULgqncLV0sELmRl+xsn
+nAV/REJswtCmKgrmAv9pMebBw5EEgROTGazdToWdD5X44xTlHjUb1bMuF9tLYtUM
+dLxXceXZFhYhiTBO7ev9awKaNYslbxh+goJo1wIDAQABAoIBAEIp3mJEjPgNOdDf
+NlEYpdfxLStOQIKMo0bdXAOBToOc28SAjDTGGSflFGIIQWwF+Vq3meRzfExgyouY
+AG3XwYQcZF4USX4XwG71YUXzQXdiY7ewc3Mos2gxD4kVXYpgwzJtOET2GN72zwAm
+asSXY7GXdesmu8mMYkxzEAKlhFgMj+bGE/4QQUBKG9ylGIdo07zmU6rAsVhnwQTb
+LE3cf+AxCeTVA7OsJCUUR4S9qsgXUN1WeaV8LNg0lYx8UTu1xlbrpSjx7B4eYy6J
+FGJWuT9b3X+cBLcGk3BzheUAfqBG2UFDxUCt0grqmmTBkB850MtCDhffhPjxxrD7
+KrwAcpECgYEA6HApn2VtWI/tDYCbNix6yxeqq73fO3ng6yFry1u7EYvl8hJXBgR4
+b6kAVc3y/9pZO/5D23dHl1PQtnU5401/j6dQrb8A2TMqZ1vA8XIdIMjOiVjZtYMF
+nXzmf78PEbw9jWlDVARJdAwkJeuDI4/HVvgiDAh3zxx5F8uDVP16/r8CgYEA1mXS
+9owfLIPtPSxyMJoGU0jP7OP+HVwlKkXpvg7uBtINKSDW4UU4rnpIGW5MohR3ACWO
+ReFliOnGA5FXBp9GzkbJ+wIYovPIsGuBdxSsBlPY1S0yPlo30hr7E6cK3B3EuxDg
+SkbJcWp2EwXYEIyEcopbVUTTlBO3wmBFgm/Ps+kCgYA/+Kar9OlMR4hRgAS3uzQs
+cx4I2F/46YlKjU8yj9ODd8JYhk2nHVHcQWITO3RWkEyg41DftQtiDbJSlR7SfUDP
+U5gzyW69WISiH7GRgfucS0f0qxx4BVBlULvLitTl5631HnRmSivBIZpNSW01O1v8
+hpwwPaBjww1czCkgGgdg1wKBgQCkaSdTW/bX+z9lpvzWWnc5TN/uSJRpTW1Osphh
+4C8WWeQvwvglfiDOZAWAQv5PWKQ9H4+v9P4Y9TSdLcpv0JrKuqxPabcc1xfyei6o
+89hLbecc6vDZsfOWkowx8Oo6DDX+Qh3Nt+TorXxocBXV8vvqnkEV7ZbWuhwz2gHT
+2gyMaQKBgEE7rNzm8Q03IqQ08eYaRw8gWz8EpLeVebrGqtoH9AR5cd4OeTeZAEqc
+iPehXctke2pUgS47XgG98G7Yg3E9UuOYM+H2nzQCoT7jrM0dZrVGZ0ty7z1a8QGe
+UrjaAC/cyIGdszhf0Rf3qA7450nit9Txh+ilLiumgnUezl+eJXyI
+-----END RSA PRIVATE KEY-----
--- a/cmd/gate/app-settings.go
+++ b/cmd/gate/app-settings.go
@ -55,6 +55,10 @@ const ( // settings
 	cfgKeepaliveTimeout             = "keepalive.timeout"
 	cfgKeepalivePermitWithoutStream = "keepalive.permit_without_stream"

+	// HTTPS/TLS:
+	cfgTLSKeyFile  = "tls.key_file"
+	cfgTLSCertFile = "tls.cert_file"
+
 	// Timeouts
 	cfgConnectionTTL  = "con_ttl"
 	cfgConnectTimeout = "connect_timeout"
--- a/cmd/gate/app.go
+++ b/cmd/gate/app.go
@ -24,6 +24,7 @@ type (
 		cli pool.Pool
 		log *zap.Logger
 		cfg *viper.Viper
+		tls *tlsConfig
 		obj minio.ObjectLayer

 		conTimeout time.Duration
@ -34,6 +35,11 @@ type (
 		webDone chan struct{}
 		wrkDone chan struct{}
 	}
+
+	tlsConfig struct {
+		KeyFile  string
+		CertFile string
+	}
 )

 func newApp(l *zap.Logger, v *viper.Viper) *App {
@ -41,6 +47,7 @@ func newApp(l *zap.Logger, v *viper.Viper) *App {
 		err error
 		wif string
 		cli pool.Pool
+		tls *tlsConfig
 		uid refs.OwnerID
 		obj minio.ObjectLayer

@ -52,6 +59,13 @@ func newApp(l *zap.Logger, v *viper.Viper) *App {
 		reqTimeout = defaultRequestTimeout
 	)

+	if v.IsSet(cfgTLSKeyFile) && v.IsSet(cfgTLSCertFile) {
+		tls = &tlsConfig{
+			KeyFile:  v.GetString(cfgTLSKeyFile),
+			CertFile: v.GetString(cfgTLSCertFile),
+		}
+	}
+
 	if v := v.GetDuration(cfgConnectTimeout); v > 0 {
 		conTimeout = v
 	}
@ -133,6 +147,7 @@ func newApp(l *zap.Logger, v *viper.Viper) *App {
 		log: l,
 		cfg: v,
 		obj: obj,
+		tls: tls,

 		webDone: make(chan struct{}, 1),
 		wrkDone: make(chan struct{}, 1),
@ -188,15 +203,22 @@ func (a *App) Server(ctx context.Context) {
 		a.log.Info("starting server",
 			zap.String("bind", addr))

-		// var (
-		// 	keyPath  string
-		// 	certPath string
-		// )
-
+		switch a.tls {
+		case nil:
 			if err = srv.Serve(lis); err != nil && err != http.ErrServerClosed {
 				a.log.Fatal("listen and serve",
 					zap.Error(err))
 			}
+		default:
+			a.log.Info("using certificate",
+				zap.String("key", a.tls.KeyFile),
+				zap.String("cert", a.tls.CertFile))
+
+			if err = srv.ServeTLS(lis, a.tls.CertFile, a.tls.KeyFile); err != nil && err != http.ErrServerClosed {
+				a.log.Fatal("listen and serve",
+					zap.Error(err))
+			}
+		}
 	}()

 	<-ctx.Done()