From c38c4ca5dbc24ed8d1ab1b6fde90e55ae38009a8 Mon Sep 17 00:00:00 2001 From: Evgeniy Kulikov Date: Mon, 13 Jul 2020 18:50:11 +0300 Subject: [PATCH] Add posibility to serve HTTPS/TLS connection --- cert/server.crt | 22 ++++++++++++++++++++++ cert/server.key | 27 +++++++++++++++++++++++++++ cmd/gate/app-settings.go | 4 ++++ cmd/gate/app.go | 36 +++++++++++++++++++++++++++++------- 4 files changed, 82 insertions(+), 7 deletions(-) create mode 100644 cert/server.crt create mode 100644 cert/server.key diff --git a/cert/server.crt b/cert/server.crt new file mode 100644 index 0000000..c286881 --- /dev/null +++ b/cert/server.crt @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDpDCCAowCCQDXZEH0aQRqFzANBgkqhkiG9w0BAQsFADCBkzELMAkGA1UEBhMC +UlUxFjAUBgNVBAgMDVN0LlBldGVyc2J1cmcxGTAXBgNVBAcMEFNhaW50IFBldGVy +c2J1cmcxDjAMBgNVBAoMBU5TUENDMREwDwYDVQQLDAhOZW8gU1BDQzERMA8GA1UE +AwwIbnNwY2MucnUxGzAZBgkqhkiG9w0BCQEWDG9wc0Buc3BjYy5ydTAeFw0yMDA3 +MTMxNTQyMzZaFw0zMDA3MTExNTQyMzZaMIGTMQswCQYDVQQGEwJSVTEWMBQGA1UE +CAwNU3QuUGV0ZXJzYnVyZzEZMBcGA1UEBwwQU2FpbnQgUGV0ZXJzYnVyZzEOMAwG +A1UECgwFTlNQQ0MxETAPBgNVBAsMCE5lbyBTUENDMREwDwYDVQQDDAhuc3BjYy5y +dTEbMBkGCSqGSIb3DQEJARYMb3BzQG5zcGNjLnJ1MIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAwqo2l4fS0U6wZCLh7VjQn1LXN8pZlVaA62C+g1SwoWV2 +Q5qM8FDihWj3UBO3F+6vUVJl8N5S0JroxxU6L48Wmshei145SLSl/F28tsk7Bbuz +NOchonlelW77Xr6l7cDJBWUWGkDoq6a/S6w6jjCGhZq+X0gyS5nZ4HTouVNv2oFK +eeJGtueLsS4zoVovrHdLSYdZH9/yC+E1WVCzQB+vdUF/vJLTuULgqncLV0sELmRl ++xsnnAV/REJswtCmKgrmAv9pMebBw5EEgROTGazdToWdD5X44xTlHjUb1bMuF9tL +YtUMdLxXceXZFhYhiTBO7ev9awKaNYslbxh+goJo1wIDAQABMA0GCSqGSIb3DQEB +CwUAA4IBAQBDEGhAyOtfsNwbZ0oZIw06e0JXCmri+8jsn5Ly/yHU0+ecHgMA5AAQ +AG2QRpZZtZCtD/Cj4i6nSTWbRhS0FgqY998p5Lnh/AXTZHBx0t3LKJupN59CIjCK +1eMEfQChoAZg66oO/obAFkq72gj8gpagMY9vFNVcszmse3FWrvlKmO1TwTEh+CzM +7wbmiL/ujm0lIf44pp0U4qYFcSimSDqbwOfeDPif9lMinzylDxMfaAKBHBHPj5Vt +fX8dgf6MIqyz51u/2G0gHfXMDxXec8huYKt2EtPyavh6kFxxGvcA15m6seJTcu+h +6WzeQFa2NBg7Z3ai4DiPXirNtcHWeqxK +-----END CERTIFICATE----- diff --git a/cert/server.key b/cert/server.key new file mode 100644 index 0000000..bd29be5 --- /dev/null +++ b/cert/server.key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAwqo2l4fS0U6wZCLh7VjQn1LXN8pZlVaA62C+g1SwoWV2Q5qM +8FDihWj3UBO3F+6vUVJl8N5S0JroxxU6L48Wmshei145SLSl/F28tsk7BbuzNOch +onlelW77Xr6l7cDJBWUWGkDoq6a/S6w6jjCGhZq+X0gyS5nZ4HTouVNv2oFKeeJG +tueLsS4zoVovrHdLSYdZH9/yC+E1WVCzQB+vdUF/vJLTuULgqncLV0sELmRl+xsn +nAV/REJswtCmKgrmAv9pMebBw5EEgROTGazdToWdD5X44xTlHjUb1bMuF9tLYtUM +dLxXceXZFhYhiTBO7ev9awKaNYslbxh+goJo1wIDAQABAoIBAEIp3mJEjPgNOdDf +NlEYpdfxLStOQIKMo0bdXAOBToOc28SAjDTGGSflFGIIQWwF+Vq3meRzfExgyouY +AG3XwYQcZF4USX4XwG71YUXzQXdiY7ewc3Mos2gxD4kVXYpgwzJtOET2GN72zwAm +asSXY7GXdesmu8mMYkxzEAKlhFgMj+bGE/4QQUBKG9ylGIdo07zmU6rAsVhnwQTb +LE3cf+AxCeTVA7OsJCUUR4S9qsgXUN1WeaV8LNg0lYx8UTu1xlbrpSjx7B4eYy6J +FGJWuT9b3X+cBLcGk3BzheUAfqBG2UFDxUCt0grqmmTBkB850MtCDhffhPjxxrD7 +KrwAcpECgYEA6HApn2VtWI/tDYCbNix6yxeqq73fO3ng6yFry1u7EYvl8hJXBgR4 +b6kAVc3y/9pZO/5D23dHl1PQtnU5401/j6dQrb8A2TMqZ1vA8XIdIMjOiVjZtYMF +nXzmf78PEbw9jWlDVARJdAwkJeuDI4/HVvgiDAh3zxx5F8uDVP16/r8CgYEA1mXS +9owfLIPtPSxyMJoGU0jP7OP+HVwlKkXpvg7uBtINKSDW4UU4rnpIGW5MohR3ACWO +ReFliOnGA5FXBp9GzkbJ+wIYovPIsGuBdxSsBlPY1S0yPlo30hr7E6cK3B3EuxDg +SkbJcWp2EwXYEIyEcopbVUTTlBO3wmBFgm/Ps+kCgYA/+Kar9OlMR4hRgAS3uzQs +cx4I2F/46YlKjU8yj9ODd8JYhk2nHVHcQWITO3RWkEyg41DftQtiDbJSlR7SfUDP +U5gzyW69WISiH7GRgfucS0f0qxx4BVBlULvLitTl5631HnRmSivBIZpNSW01O1v8 +hpwwPaBjww1czCkgGgdg1wKBgQCkaSdTW/bX+z9lpvzWWnc5TN/uSJRpTW1Osphh +4C8WWeQvwvglfiDOZAWAQv5PWKQ9H4+v9P4Y9TSdLcpv0JrKuqxPabcc1xfyei6o +89hLbecc6vDZsfOWkowx8Oo6DDX+Qh3Nt+TorXxocBXV8vvqnkEV7ZbWuhwz2gHT +2gyMaQKBgEE7rNzm8Q03IqQ08eYaRw8gWz8EpLeVebrGqtoH9AR5cd4OeTeZAEqc +iPehXctke2pUgS47XgG98G7Yg3E9UuOYM+H2nzQCoT7jrM0dZrVGZ0ty7z1a8QGe +UrjaAC/cyIGdszhf0Rf3qA7450nit9Txh+ilLiumgnUezl+eJXyI +-----END RSA PRIVATE KEY----- diff --git a/cmd/gate/app-settings.go b/cmd/gate/app-settings.go index 8366707..da3089f 100644 --- a/cmd/gate/app-settings.go +++ b/cmd/gate/app-settings.go @@ -55,6 +55,10 @@ const ( // settings cfgKeepaliveTimeout = "keepalive.timeout" cfgKeepalivePermitWithoutStream = "keepalive.permit_without_stream" + // HTTPS/TLS: + cfgTLSKeyFile = "tls.key_file" + cfgTLSCertFile = "tls.cert_file" + // Timeouts cfgConnectionTTL = "con_ttl" cfgConnectTimeout = "connect_timeout" diff --git a/cmd/gate/app.go b/cmd/gate/app.go index 1129e31..a5c4021 100644 --- a/cmd/gate/app.go +++ b/cmd/gate/app.go @@ -24,6 +24,7 @@ type ( cli pool.Pool log *zap.Logger cfg *viper.Viper + tls *tlsConfig obj minio.ObjectLayer conTimeout time.Duration @@ -34,6 +35,11 @@ type ( webDone chan struct{} wrkDone chan struct{} } + + tlsConfig struct { + KeyFile string + CertFile string + } ) func newApp(l *zap.Logger, v *viper.Viper) *App { @@ -41,6 +47,7 @@ func newApp(l *zap.Logger, v *viper.Viper) *App { err error wif string cli pool.Pool + tls *tlsConfig uid refs.OwnerID obj minio.ObjectLayer @@ -52,6 +59,13 @@ func newApp(l *zap.Logger, v *viper.Viper) *App { reqTimeout = defaultRequestTimeout ) + if v.IsSet(cfgTLSKeyFile) && v.IsSet(cfgTLSCertFile) { + tls = &tlsConfig{ + KeyFile: v.GetString(cfgTLSKeyFile), + CertFile: v.GetString(cfgTLSCertFile), + } + } + if v := v.GetDuration(cfgConnectTimeout); v > 0 { conTimeout = v } @@ -133,6 +147,7 @@ func newApp(l *zap.Logger, v *viper.Viper) *App { log: l, cfg: v, obj: obj, + tls: tls, webDone: make(chan struct{}, 1), wrkDone: make(chan struct{}, 1), @@ -188,14 +203,21 @@ func (a *App) Server(ctx context.Context) { a.log.Info("starting server", zap.String("bind", addr)) - // var ( - // keyPath string - // certPath string - // ) + switch a.tls { + case nil: + if err = srv.Serve(lis); err != nil && err != http.ErrServerClosed { + a.log.Fatal("listen and serve", + zap.Error(err)) + } + default: + a.log.Info("using certificate", + zap.String("key", a.tls.KeyFile), + zap.String("cert", a.tls.CertFile)) - if err = srv.Serve(lis); err != nil && err != http.ErrServerClosed { - a.log.Fatal("listen and serve", - zap.Error(err)) + if err = srv.ServeTLS(lis, a.tls.CertFile, a.tls.KeyFile); err != nil && err != http.ErrServerClosed { + a.log.Fatal("listen and serve", + zap.Error(err)) + } } }()