package main
import (
"crypto/tls"
"crypto/x509"
"flag"
"fmt"
"io/ioutil"
"log"
"net/http"
"net/http/httputil"
"net/url"
"path/filepath"
"time"
"github.com/Symantec/keymaster/lib/instrumentedwriter"
"github.com/cviecco/km-reverse-proxy/authnHandler"
"gopkg.in/natefinch/lumberjack.v2"
)
// configFilename is the -config flag: the path of the configuration file that
// main loads through LoadVerifyConfigFile (default "config.yml").
var configFilename = flag.String("config", "config.yml", "Configuration filename")
// httpLogger is the access-log sink handed to instrumentedwriter.NewLoggingHandler
// in getServerFromConfig; its Log method formats one line per request.
// A nil AccessLogger turns access logging off.
type httpLogger struct {
	AccessLogger *log.Logger // destination for access-log lines; nil disables logging
}
// Log writes one access-log line for record: client IP, username, time,
// the quoted request line (method, URI, protocol), status, size and the quoted
// user agent. It does nothing when no AccessLogger is configured.
func (l httpLogger) Log(record instrumentedwriter.LogRecord) {
	logger := l.AccessLogger
	if logger == nil {
		return
	}
	// NOTE(review): Uri and UserAgent presumably originate from the client
	// request; the one-line layout relies on the upstream handler never passing
	// CR/LF in them — confirm against instrumentedwriter.
	const accessLineFormat = "%s - %s [%s] \"%s %s %s\" %d %d \"%s\"\n"
	logger.Printf(accessLineFormat,
		record.Ip, record.Username, record.Time, record.Method,
		record.Uri, record.Protocol, record.Status, record.Size, record.UserAgent)
}
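// getServerFromConfig builds the TLS reverse-proxy server described by
// staticConfig. The request pipeline is:
// access-logging handler -> http.DefaultServeMux -> authN -> authZ -> ReverseProxy -> origin.
//
// As a side effect it registers the handler on http.DefaultServeMux under "/",
// so it must be called at most once per process (net/http panics on a duplicate
// pattern). The returned server is not started; the caller runs
// ListenAndServeTLS on it.
//
// Errors from parsing the origin URL, loading the authorization policy and
// loading the client CA file are returned instead of aborting the process, so
// main can report them uniformly.
func getServerFromConfig(staticConfig *StaticConfiguration) (*http.Server, error) {
	// Rotating access log: 20 MB per file, 3 backups, 28 days, compressed.
	accessLogFile := &lumberjack.Logger{
		Filename:   filepath.Join(staticConfig.Base.LogDirectory, "access"),
		MaxSize:    20, // megabytes
		MaxBackups: 3,
		MaxAge:     28, // days
		Compress:   true,
	}
	accessLogger := httpLogger{AccessLogger: log.New(accessLogFile, "", 0)}

	origin, err := url.Parse(staticConfig.Base.ReverseProxyURL)
	if err != nil {
		return nil, fmt.Errorf("parsing reverse proxy URL %q: %w", staticConfig.Base.ReverseProxyURL, err)
	}
	// url.Parse accepts "" and bare paths without error; the director below
	// needs both a scheme and a host to rewrite requests sensibly.
	if origin.Scheme == "" || origin.Host == "" {
		return nil, fmt.Errorf("reverse proxy URL %q must include scheme and host", staticConfig.Base.ReverseProxyURL)
	}

	director := func(req *http.Request) {
		// Set rather than Add: a client can send its own X-Forwarded-Host /
		// X-Origin-Host, and Add would forward that value alongside ours.
		// Overwriting guarantees the origin only sees what this proxy asserts.
		req.Header.Set("X-Forwarded-Host", req.Host)
		req.Header.Set("X-Origin-Host", origin.Host)
		req.URL.Scheme = origin.Scheme
		req.URL.Host = origin.Host
	}
	proxy := &httputil.ReverseProxy{Director: director}

	authZ := NewAuthZHandler(proxy, staticConfig.Base.PathConfigLocation, &staticConfig.Ldap)
	if err := authZ.(*AuthZHandler).LoadConfig(); err != nil {
		return nil, fmt.Errorf("loading authorization config from %q: %w", staticConfig.Base.PathConfigLocation, err)
	}
	authN := authnHandler.NewAuthNHandler(authZ, staticConfig.OpenID, staticConfig.Base.SharedSecrets)
	// The method value replaces a closure that only forwarded to ServeHTTP.
	// Registration on DefaultServeMux is process-global (see the doc comment).
	http.HandleFunc("/", authN.ServeHTTP)

	// Client certificates are optional (VerifyClientCertIfGiven) but, when one
	// is presented, it must chain to clientCACertPool.
	var clientCACertPool *x509.CertPool
	if staticConfig.Base.ClientCAFilename != "" {
		// ioutil.ReadFile is a deprecated alias of os.ReadFile; kept so the
		// file's import block stays unchanged.
		caCert, err := ioutil.ReadFile(staticConfig.Base.ClientCAFilename)
		if err != nil {
			return nil, fmt.Errorf("reading client CA file %q: %w", staticConfig.Base.ClientCAFilename, err)
		}
		clientCACertPool = x509.NewCertPool()
		// AppendCertsFromPEM reports false when nothing was parsed; an empty
		// pool would silently reject every presented client certificate at
		// handshake time instead of failing loudly at startup.
		if !clientCACertPool.AppendCertsFromPEM(caCert) {
			return nil, fmt.Errorf("client CA file %q contains no parsable certificates", staticConfig.Base.ClientCAFilename)
		}
	}
	// NOTE(review): with no ClientCAFilename, ClientCAs stays nil and a client
	// certificate that is presented anyway is verified against the host's root
	// set (x509.VerifyOptions with nil Roots) — confirm that is the intended policy.
	tlsConfig := &tls.Config{
		MinVersion:       tls.VersionTLS12,
		CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
		// Legacy field, ignored since Go 1.17 (the server always orders suites);
		// harmless on older toolchains.
		PreferServerCipherSuites: true,
		// AES_256_CBC_SHA is the only non-AEAD suite in the list; presumably
		// kept for older clients — confirm it is still needed.
		CipherSuites: []uint16{
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
		},
		ClientAuth: tls.VerifyClientCertIfGiven,
		ClientCAs:  clientCACertPool,
	}

	server := &http.Server{
		Addr:         fmt.Sprintf(":%d", staticConfig.Base.ServicePort),
		Handler:      instrumentedwriter.NewLoggingHandler(http.DefaultServeMux, accessLogger),
		TLSConfig:    tlsConfig,
		ReadTimeout:  5 * time.Second,
		WriteTimeout: 10 * time.Second,
		IdleTimeout:  120 * time.Second,
	}
	return server, nil
}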
// main parses flags, loads and verifies the configuration named by -config,
// builds the proxy server and serves TLS; ListenAndServeTLS only returns on
// error, which is fatal.
func main() {
	flag.Parse()
	cfg, err := LoadVerifyConfigFile(*configFilename)
	if err != nil {
		log.Fatalf("Cannot load Configuration: %s\n", err)
	}
	srv, err := getServerFromConfig(cfg)
	if err != nil {
		log.Fatalf("Cannot initialze server from config: %s\n", err)
	}
	certFile, keyFile := cfg.Base.TLSCertFilename, cfg.Base.TLSKeyFilename
	log.Fatal(srv.ListenAndServeTLS(certFile, keyFile))
}