HTTP: Add TLS version configurability for grafana server #67482
Conversation
Add TLS version and cipher configurability for grafana server. Also backward compatibility is supported. Two new parameters min_tls_version and tls_ciphers are added to the [server] section.
…enkatbvc/grafana into add_tlsversion_configurability
@torkelo How do I add the following labels:
Hi All,
@@ -189,6 +189,22 @@ Folder that contains [provisioning]({{< relref "../../administration/provisionin | |||
|
|||
`http`,`https`,`h2` or `socket` | |||
|
|||
### min_tls_version | |||
|
|||
Minimum TLS version that needs to be used in TLS Handshake. Possible Values are TLS1.2 and TLS1.3. |
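Review bot: the new `min_tls_version` entry lists the accepted values but not the default, so a reader cannot tell from this page what an unchanged `[server]` section enforces; since the PR description says the change is backward compatible, state the default explicitly after the sentence (for example "Defaults to the previously enforced minimum if unset.") and say whether the value is matched case-sensitively. Minor wording: "Possible Values" should be "Possible values" and "TLS Handshake" should be "TLS handshake", matching the rest of the configuration reference.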
Suggested change:
- Minimum TLS version that needs to be used in TLS Handshake. Possible Values are TLS1.2 and TLS1.3.
+ The TLS Handshake requires a minimum TLS version. The available options are TLS1.2 and TLS1.3.
I have made changes.
Docs approved.
Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>
@torkelo @suntala @zserge @danielkenlee @sakjur Can you please review and provide your comments?
This is fairly low prio right now, it missed our Grafana 10.0 window and it'd at best make it into 10.1. I don't know if I think we should do this at all, I'm all for configuring the minimum TLS version (after all, if all your users are using modern browsers, it makes sense to only permit TLS 1.3), but for exact ciphersuites, I'm skeptical. Partly because we're unable to configure the ciphersuites for TLS 1.3 because that's not supported by Go upstream (golang/go#29349) and partly because detailed configuration of TLS is sort of what reverse proxies such as nginx and Caddy excel at.

Quick review:

Configurability of cipher suites: I'd suggest not making cipher suites configurable and trusting Go upstream.
@sakjur @TomsioncatiGraf Thanks for your comments. I started with only making the TLS version configurable. But when I checked ldap.toml, these were made configurable. So I thought it might be a good idea to make them configurable.
@venkatbvc If we can start with just the TLS version, that’d be something I’d approve 🙂 |
@sakjur Thanks. I will publish changes only for the TLS version. tls_ciphers I can do later if required.
Changes to be committed:
	modified: conf/defaults.ini
	modified: conf/sample.ini
	modified: docs/sources/setup-grafana/configure-grafana/_index.md
	modified: pkg/api/http_server.go
	modified: pkg/setting/setting.go
	modified: pkg/setting/setting_test.go
	modified: pkg/util/tls.go
	modified: pkg/util/tls_test.go
…enkatbvc/grafana into add_tlsversion_configurability
@sakjur Pushed code only for configuring the TLS version. Please check.
@venkatbvc Thank you! I'll put this on my todo to review 🙂 |
2 questions, as I stumbled on this PR while trying to configure ciphers to be used.
@rpasche Initially, I made the TLS version and ciphers configurable. Later, it was found that the tlsCiphers setting had issues (check this comment: #67482 (comment)). So I removed setting the TLS ciphers. Only the TLS version is configurable now.

// CipherSuites is a list of enabled TLS 1.0–1.2 cipher suites. The order of
@venkatbvc thank you for this explanation. |
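The two points made in the thread above, as an added example that is not code from this PR or from Grafana: a parser for the documented `min_tls_version` values, and a loopback handshake showing that a server-side cipher-suite allow list is enforced for a TLS 1.2 connection but ignored once TLS 1.3 is negotiated, which is the Go limitation (golang/go#29349) quoted from the `CipherSuites` doc comment. The function names, the fallback of an empty value to TLS1.2, the `tls_ciphers` allow list and the self-signed certificate are assumptions of this example, not Grafana's implementation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ParseMinTLSVersion maps a [server] min_tls_version value ("TLS1.2" or "TLS1.3",
// the values the docs hunk lists) to a crypto/tls MinVersion constant. Treating
// an empty value as TLS1.2 is an assumption made here for backward compatibility.
func ParseMinTLSVersion(v string) (uint16, error) {
	switch v {
	case "", "TLS1.2":
		return tls.VersionTLS12, nil
	case "TLS1.3":
		return tls.VersionTLS13, nil
	}
	return 0, fmt.Errorf("invalid min_tls_version %q: expected TLS1.2 or TLS1.3", v)
}

// selfSignedCert builds a throwaway P-256 certificate (constructed demo material).
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Handshake runs one TLS handshake over loopback: the server enforces minVersion and
// serverSuites (a hypothetical tls_ciphers allow list), the client offers at most
// maxClientVersion. It returns the negotiated version and suite, or the handshake error.
func Handshake(minVersion, maxClientVersion uint16, serverSuites []uint16) (uint16, uint16, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return 0, 0, err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, 0, err
	}
	defer ln.Close()
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   minVersion,
		CipherSuites: serverSuites, // consulted for TLS 1.0-1.2 only; TLS 1.3 ignores it
	}
	cliCfg := &tls.Config{
		InsecureSkipVerify: true, // self-signed demo cert; never do this in production
		MinVersion:         tls.VersionTLS12,
		MaxVersion:         maxClientVersion,
	}
	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			err = tls.Server(conn, srvCfg).Handshake()
		}
		srvErr <- err
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		ln.Close() // unblock Accept if the connection never arrived
		<-srvErr   // let the server side finish before returning
		return 0, 0, err
	}
	defer cli.Close()
	if err := <-srvErr; err != nil {
		return 0, 0, err
	}
	st := cli.ConnectionState()
	return st.Version, st.CipherSuite, nil
}

func main() {
	allow := []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}
	for _, max := range []uint16{tls.VersionTLS12, tls.VersionTLS13} {
		v, s, err := Handshake(tls.VersionTLS12, max, allow)
		fmt.Printf("client max 0x%04x: version 0x%04x suite %s allow-listed=%v err=%v\n", max, v, tls.CipherSuiteName(s), s == allow[0], err)
	}
}
```

Running `main` prints one line per client maximum version: the TLS 1.2 connection lands on the single allow-listed suite, while the TLS 1.3 connection reports one of Go's three TLS 1.3 suites regardless of the allow list (which one depends on whether the host has AES-GCM hardware acceleration, since Go orders its TLS 1.3 preferences on that). A server built with `MinVersion: tls.VersionTLS13` rejects a client that offers at most TLS 1.2 with a protocol-version alert, which is the behaviour `min_tls_version = TLS1.3` is meant to give.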
Tested this locally and it works great, thanks for your contribution 🎉
Backend: Add TLS version configurability for grafana server. Also backward compatibility is supported. A new parameter min_tls_version is added to the [server] section.
What is this feature?
Currently the TLS version and ciphers are hardcoded for http_server. This PR adds configurability from the user's point of view.
Why do we need this feature?
The user doesn't have the flexibility to add ciphers and fix the version of TLS that needs to be used.
Who is this feature for?
For all
Special notes for your reviewer:
Please check that: