metrics: only allow http/1.1 request and allowable CipherSuites

pkg/controller/common/metrics.go

@@ -2,8 +2,10 @@ package common
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
 	"net/http"
+	"strings"
 
 	"github.com/golang/glog"
 	"github.com/prometheus/client_golang/prometheus"
@@ -74,7 +76,15 @@ func StartMetricsListener(addr string, stopCh <-chan struct{}, registerFunc func
 	glog.Infof("Starting metrics listener on %s", addr)
 	mux := http.NewServeMux()
 	mux.Handle("/metrics", promhttp.Handler())
-	s := http.Server{Addr: addr, Handler: mux}
+	s := http.Server{
+		TLSConfig: &tls.Config{
+			MinVersion:   tls.VersionTLS12,
+			NextProtos:   []string{"http/1.1"},
+			CipherSuites: cipherOrder(),
+		},
+		TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler)),
+		Addr:         addr,
+		Handler:      mux}
 
 	go func() {
 		if err := s.ListenAndServe(); err != nil && err != http.ErrServerClosed {
@@ -90,3 +100,43 @@ func StartMetricsListener(addr string, stopCh <-chan struct{}, registerFunc func
 		glog.Infof("Metrics listener successfully stopped")
 	}
 }
+
+func cipherOrder() []uint16 {
+	var first []uint16
+	var second []uint16
+
+	allowable := func(c *tls.CipherSuite) bool {
+		// Disallow block ciphers using straight SHA1
+		// See: https://tools.ietf.org/html/rfc7540#appendix-A
+		if strings.HasSuffix(c.Name, "CBC_SHA") {
+			return false
+		}
+		// 3DES is considered insecure
+		if strings.Contains(c.Name, "3DES") {
+			return false
+		}
+		return true
+	}
+
+	for _, c := range tls.CipherSuites() {
+		for _, v := range c.SupportedVersions {
+			if v == tls.VersionTLS13 {
+				first = append(first, c.ID)
+			}
+			if v == tls.VersionTLS12 && allowable(c) {
+				inFirst := false
+				for _, id := range first {
+					if c.ID == id {
+						inFirst = true
+						break
+					}
+				}
+				if !inFirst {
+					second = append(second, c.ID)
+				}
+			}
+		}
+	}
+
+	return append(first, second...)
+}