Skip to content

Adding TLS/HTTPS support to osctrl-admin #173

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Dec 31, 2021
Merged

Adding TLS/HTTPS support to osctrl-admin #173

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
49 changes: 38 additions & 11 deletions admin/main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ package main

import (
"crypto/rsa"
"crypto/tls"
"flag"
"fmt"
"log"
Expand Down Expand Up @@ -67,6 +68,10 @@ const (
jwtConfigurationFile string = "config/jwt.json"
// Default Headers configuration file
headersConfigurationFile string = "config/headers.json"
// Default TLS certificate file
tlsCertificateFile string = "config/tls.crt"
// Default TLS private key file
tlsKeyFile string = "config/tls.key"
)

// Random
Expand Down Expand Up @@ -122,6 +127,9 @@ var (
samlFlag *string
headersFlag *string
jwtFlag *string
tlsServer *bool
tlsCert *string
tlsKey *string
)

// SAML variables
Expand Down Expand Up @@ -194,6 +202,9 @@ func init() {
samlFlag = flag.String("S", samlConfigurationFile, "SAML configuration JSON file to use.")
headersFlag = flag.String("H", headersConfigurationFile, "Headers configuration JSON file to use.")
jwtFlag = flag.String("J", jwtConfigurationFile, "JWT configuration JSON file to use.")
tlsServer = flag.Bool("tls", false, "TLS termination is enabled. It requires certificate and key.")
tlsCert = flag.String("cert", tlsCertificateFile, "Certificate file to be used for TLS.")
tlsKey = flag.String("key", tlsKeyFile, "Private key file to be used for TLS.")
// Parse all flags
flag.Parse()
if *versionFlag {
Expand Down Expand Up @@ -253,16 +264,11 @@ func main() {
log.Fatalf("Failed to connect to backend - %v", err)
}
// Close when exit
//defer db.Close()
defer func() {
if err := db.Close(); err != nil {
log.Fatalf("Failed to close Database handler - %v", err)
}
}()
// Automigrate tables
//if err := automigrateDB(); err != nil {
// log.Fatalf("Failed to AutoMigrate: %v", err)
//}
// Initialize users
adminUsers = users.CreateUserManager(db, &jwtConfig)
// Initialize tags
Expand Down Expand Up @@ -388,14 +394,14 @@ func main() {
ahandlers.WithAdminConfig(&adminConfig),
)

//////////////////////////// ADMIN
// ////////////////////////// ADMIN
if settingsmgr.DebugService(settings.ServiceAdmin) {
log.Println("DebugService: Creating router")
}
// Create router for admin
routerAdmin := mux.NewRouter()

/////////////////////////// UNAUTHENTICATED CONTENT
// ///////////////////////// UNAUTHENTICATED CONTENT
if settingsmgr.DebugService(settings.ServiceAdmin) {
log.Println("DebugService: Unauthenticated content")
}
Expand All @@ -417,7 +423,7 @@ func main() {
routerAdmin.PathPrefix("/static/").Handler(
http.StripPrefix("/static", http.FileServer(http.Dir(staticFilesFolder))))

/////////////////////////// AUTHENTICATED CONTENT
// ///////////////////////// AUTHENTICATED CONTENT
if settingsmgr.DebugService(settings.ServiceAdmin) {
log.Println("DebugService: Authenticated content")
}
Expand All @@ -438,7 +444,6 @@ func main() {
// Admin: table for platforms
routerAdmin.Handle("/platform/{platform}/{target}", handlerAuthCheck(http.HandlerFunc(handlersAdmin.PlatformHandler))).Methods("GET")
// Admin: dashboard
//routerAdmin.HandleFunc("/dashboard", dashboardHandler).Methods("GET")
routerAdmin.Handle("/dashboard", handlerAuthCheck(http.HandlerFunc(handlersAdmin.RootHandler))).Methods("GET")
// Admin: root
routerAdmin.Handle("/", handlerAuthCheck(http.HandlerFunc(handlersAdmin.RootHandler))).Methods("GET")
Expand Down Expand Up @@ -510,6 +515,28 @@ func main() {

// Launch HTTP server for admin
serviceAdmin := adminConfig.Listener + ":" + adminConfig.Port
log.Printf("%s v%s - HTTP listening %s", serviceName, serviceVersion, serviceAdmin)
log.Fatal(http.ListenAndServe(serviceAdmin, routerAdmin))
if *tlsServer {
cfg := &tls.Config{
MinVersion: tls.VersionTLS12,
CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
PreferServerCipherSuites: true,
CipherSuites: []uint16{
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
},
}
srv := &http.Server{
Addr: serviceAdmin,
Handler: routerAdmin,
TLSConfig: cfg,
TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler), 0),
}
log.Printf("%s v%s - HTTPS listening %s", serviceName, serviceVersion, serviceAdmin)
log.Fatal(srv.ListenAndServeTLS(*tlsCert, *tlsKey))
} else {
log.Printf("%s v%s - HTTP listening %s", serviceName, serviceVersion, serviceAdmin)
log.Fatal(http.ListenAndServe(serviceAdmin, routerAdmin))
}
}