move tls.cert and tls.key (and all TLS/HTTPS features) to nginx

CHANGELOG.md

@@ -25,6 +25,7 @@ All notable changes to Sourcegraph are documented in this file.
 
 - Removed the `httpStrictTransportSecurity` site configuration option. Use [nginx configuration](https://docs.sourcegraph.com/admin/nginx) for this instead.
 - Removed the `tls.letsencrypt` site configuration option. Use [nginx configuration](https://docs.sourcegraph.com/admin/nginx) for this instead.
+- Removed the `tls.cert` and `tls.key` site configuration options. Use [nginx configuration](https://docs.sourcegraph.com/admin/nginx) for this instead.
 
 ### Removed
 

cmd/frontend/internal/cli/serve_cmd.go

@@ -2,7 +2,6 @@ package cli
 
 import (
 	"context"
-	"crypto/tls"
 	"fmt"
 	"log"
 	"net"
@@ -39,15 +38,11 @@ var (
 	printLogo, _ = strconv.ParseBool(env.Get("LOGO", "false", "print Sourcegraph logo upon startup"))
 
 	httpAddr         = env.Get("SRC_HTTP_ADDR", ":3080", "HTTP listen address for app and HTTP API")
-	httpsAddr        = env.Get("SRC_HTTPS_ADDR", ":3443", "HTTPS (TLS) listen address for app and HTTP API. Only used if manual tls cert and key are specified.")
 	httpAddrInternal = env.Get("SRC_HTTP_ADDR_INTERNAL", ":3090", "HTTP listen address for internal HTTP API. This should never be exposed externally, as it lacks certain authz checks.")
 
 	externalURL             = conf.GetTODO().ExternalURL
 	disableBrowserExtension = conf.GetTODO().DisableBrowserExtension
 
-	tlsCert = conf.GetTODO().TlsCert
-	tlsKey  = conf.GetTODO().TlsKey
-
 	// dev browser browser extension ID. You can find this by going to chrome://extensions
 	devExtension = "chrome-extension://mjloopldincgoefbghiiekkofoicdkbf"
 	// production browser extension ID. This is found by viewing our extension in the chrome store.
@@ -151,12 +146,6 @@ func Main() error {
 		hooks.AfterDBInit()
 	}
 
-	tlsCertAndKey := tlsCert != "" && tlsKey != ""
-	useTLS := httpsAddr != "" && (tlsCertAndKey || globals.ExternalURL.Scheme == "https")
-	if useTLS && globals.ExternalURL.Scheme == "http" {
-		log15.Warn("TLS is enabled but app url scheme is http", "externalURL", globals.ExternalURL)
-	}
-
 	// Create the external HTTP handler.
 	externalHandler, err := newExternalHTTPHandler(context.Background())
 	if err != nil {
@@ -169,48 +158,17 @@ func Main() error {
 	// serve will serve externalHandler on l. It additionally handles graceful restarts.
 	srv := &httpServers{}
 
-	// Start HTTPS server.
-	if useTLS {
-		cert, err := tls.X509KeyPair([]byte(tlsCert), []byte(tlsKey))
-		if err != nil {
-			return err
-		}
-		tlsConf := &tls.Config{
-			NextProtos:   []string{"h2", "http/1.1"},
-			Certificates: []tls.Certificate{cert},
-		}
-
-		l, err := net.Listen("tcp", httpsAddr)
-		if err != nil {
-			// Fatal if we manually specified TLS
-			log.Fatalf("Could not bind to address %s: %v", httpsAddr, err)
-		}
-
-		if l != nil {
-			l = tls.NewListener(l, tlsConf)
-			log15.Debug("HTTPS running", "on", l.Addr())
-			srv.GoServe(l, &http.Server{
-				Handler:      externalHandler,
-				ReadTimeout:  75 * time.Second,
-				WriteTimeout: 60 * time.Second,
-			})
-		}
-	}
-
 	// Start HTTP server.
-	if httpAddr != "" {
-		l, err := net.Listen("tcp", httpAddr)
-		if err != nil {
-			return err
-		}
-
-		log15.Debug("HTTP running", "on", httpAddr)
-		srv.GoServe(l, &http.Server{
-			Handler:      externalHandler,
-			ReadTimeout:  75 * time.Second,
-			WriteTimeout: 60 * time.Second,
-		})
+	l, err := net.Listen("tcp", httpAddr)
+	if err != nil {
+		return err
 	}
+	log15.Debug("HTTP running", "on", httpAddr)
+	srv.GoServe(l, &http.Server{
+		Handler:      externalHandler,
+		ReadTimeout:  75 * time.Second,
+		WriteTimeout: 60 * time.Second,
+	})
 
 	if httpAddrInternal != "" {
 		l, err := net.Listen("tcp", httpAddrInternal)

doc/admin/index.md

@@ -11,7 +11,6 @@ Site administrators are the admins responsible for deploying, managing, and conf
   - [Updating to a new version of Sourcegraph](updates.md)
   - [nginx HTTP server configuration](nginx.md)
   - [Setting the URL for your instance](url.md)
-  - [TLS/SSL configuration](tls_ssl.md)
   - [Monitoring and tracing](monitoring_and_tracing.md)
   - [Repository permissions](repo/permissions.md)
   - [Using external databases (PostgreSQL and Redis)](external_database.md)

doc/admin/install/docker/aws.md

@@ -43,7 +43,7 @@ If you're just starting out, we recommend [installing Sourcegraph locally](index
 
 - Select **Next: ...** until you get to the **Configure Security Group** page, then add the default **HTTP** rule (port range "80", source "0.0.0.0/0, ::/0")
 - Launch your instance, then navigate to the its public URL.
-- If you have configured a DNS entry for the IP, configure `externalURL` to reflect that. See [TLS documentation](../../tls_ssl.md). (Note: `externalURL` was called `appURL` in Sourcegraph 2.13 and earlier.)
+- If you have configured a DNS entry for the IP, configure `externalURL` to reflect that. (Note: `externalURL` was called `appURL` in Sourcegraph 2.13 and earlier.)
 
 ### Option B: use the CLI
 

doc/admin/install/docker/digitalocean.md

@@ -35,7 +35,7 @@ If you're just starting out, we recommend [installing Sourcegraph locally](index
 
 - Launch your instance, then navigate to its IP address.
 
-- If you have configured a DNS entry for the IP, configure `externalURL` to reflect that. See "[Using TLS/SSL](../../tls_ssl.md)". (Note: `externalURL` was called `appURL` in Sourcegraph 2.13 and earlier.)
+- If you have configured a DNS entry for the IP, configure `externalURL` to reflect that. (Note: `externalURL` was called `appURL` in Sourcegraph 2.13 and earlier.)
 
 ---
 

doc/admin/install/docker/google_cloud.md

@@ -36,7 +36,7 @@ If you're just starting out, we recommend [installing Sourcegraph locally](index
 
 - Create your VM, then navigate to its public IP address.
 
-- If you have configured a DNS entry for the IP, configure `externalURL` to reflect that. See [TLS documentation](../../tls_ssl.md). (Note: `externalURL` was called `appURL` in Sourcegraph 2.13 and earlier.)
+- If you have configured a DNS entry for the IP, configure `externalURL` to reflect that. (Note: `externalURL` was called `appURL` in Sourcegraph 2.13 and earlier.)
 
 ---
 

doc/admin/migration/opengrok.md

@@ -86,12 +86,7 @@ Like Oracle OpenGrok, Sourcegraph is self-hosted. You control who can access it.
 - [OpenID Connect user authentication](../auth/index.md#openid-connect) and [SAML user authentication](../auth/index.md#saml) (for Google/G Suite accounts, Okta, OneLogin, etc.)
 - [HTTP user authentication proxies](../auth/index.md#http-authentication-proxies)
 - [Builtin username-password authentication](../auth/index.md#builtin-authentication)
-- [TLS/SSL](../tls_ssl.md) via provided certs/keys, Let's Encrypt, or a reverse proxy
-
-For more information, see the following Sourcegraph documentation pages:
-
-- "[User authentication](../auth/index.md)"
-- "[TLS/SSL](../tls_ssl.md)"
+- [TLS/SSL and other HTTP/HTTPS configuration](../nginx.md)
 
 ### Rolling out Sourcegraph organization-wide
 

doc/admin/site_config/all.md

@@ -19,10 +19,6 @@ For more information, see ["Configuration overview"](index.md).
 
 - [experimentalFeatures](all.md#experimentalfeatures-object)
 
-- [tlsCert](all.md#tlscert-string)
-
-- [tlsKey](all.md#tlskey-string)
-
 - [httpToHttpsRedirect](all.md#httptohttpsredirect)
 
 - [corsOrigin](all.md#corsorigin-string)
@@ -260,30 +256,6 @@ Default: `"disabled"`
 
 Whether indexed search is enabled. If unset Sourcegraph detects the environment to decide if indexed search is enabled. Indexed search is RAM heavy, and is disabled by default in the single docker image. All other environments will have it enabled by default. The size of all your repository working copies is the amount of additional RAM required.
 
-## tlsCert (string)
-
-The contents of the PEM-encoded TLS certificate for the web server (for the web app and API).
-
-See [https://docs.sourcegraph.com/admin/tls_ssl](../tls_ssl.md) for more information.
-
-Additional restrictions:
-
-- Regex pattern: `^-----BEGIN CERTIFICATE-----`
-
-<br/>
-
-## tlsKey (string)
-
-The contents of the PEM-encoded TLS key for the web server (for the web app and API).
-
-See [https://docs.sourcegraph.com/admin/tls_ssl](../tls_ssl.md) for more information.
-
-Additional restrictions:
-
-- Regex pattern: `^-----BEGIN`
-
-<br/>
-
 ## httpToHttpsRedirect
 
 Redirect users from HTTP to HTTPS. Accepted values are "on", "off", and "load-balanced" (boolean values true and false are also accepted and equivalent to "on" and "off" respectively). If "load-balanced" then additionally we use "X-Forwarded-Proto" to determine if on HTTP.

doc/admin/site_config/index.md

@@ -27,6 +27,6 @@ See [all site configuration options](all.md), or read walkthroughs of common con
 - [Configure search scopes](../../user/search/scopes.md)
 - [Integrate with Phabricator](../../integration/phabricator.md)
 - [Add organizations](../../user/organizations.md)
-- [Add a TLS/SSL certificate](../tls_ssl.md)
+- [Set up HTTPS](../nginx.md)
 - [Use a custom domain](../url.md)
 - [Updating Sourcegraph Server](../updates.md)

doc/admin/tls_ssl.md

@@ -1,36 +1,3 @@
 # Securing a Sourcegraph instance with TLS/SSL
 
-If you intend to make your Sourcegraph instance accessible on the Internet or another untrusted network, you should use TLS so that all traffic will be served over HTTPS.
-
-See "[nginx HTTP server settings](nginx.md)" for more information.
-
-## Using your own TLS certificate
-
-### Single-server Sourcegraph deployments
-
-For single-server Docker image deployments, add the following lines to your site configuration. The TLS certificate and private key must be specified as PEM-encoded strings.
-
-> Tip: Use [jq](https://stedolan.github.io/jq/) with the command `jq -R --slurp < /path/to/my/cert-or-key.pem` to obtain the JSON-stringified contents of each PEM file.
-
-```json
-{
-  // ...
-  "tlsCert": "-----BEGIN CERTIFICATE-----\nMIIFdTCCBF2gAWiB...",
-  "tlsKey": "-----BEGIN RSA PRIVATE KEY-----\nMII...",
-  "externalURL": "https://example.com:3443" // Must begin with "https"; replace with the public IP or hostname of your machine
-  // ...
-}
-```
-
-Next, restart your Sourcegraph instance using the same `docker run` [command](install/docker/index.md), but map the host port to the container HTTPS port 7443 (not the HTTP port 7080). In this example, the host port 443 (HTTPS) is mapped to the container's HTTPS port 7443.
-
-```shell
-docker run \
-  --publish 443:7443 --rm \
-  --volume ~/.sourcegraph/config:/etc/sourcegraph \
-  --volume ~/.sourcegraph/data:/var/opt/sourcegraph \
-  --volume /var/run/docker.sock:/var/run/docker.sock \
-  sourcegraph/server:2.13.2
-```
-
-If you are running on cloud infrastructure, you will likely need to add an ingress rule to make port 30443 accessible to the Internet.
+This documentation page has been moved to "[nginx HTTP server settings](nginx.md)". All HTTP and HTTPS configuration options are now handled by nginx, which ships with Sourcegraph.

pkg/conf/client.go

@@ -32,8 +32,7 @@ var defaultClient *client
 // handler) to ensure it responds to configuration changes while the process
 // is running.
 //
-// There are a select few configuration options that do restart the server (for
-// example, TLS or which port the frontend listens on) but these are the
+// There are a select few configuration options that do restart the server, but these are the
 // exception rather than the rule. In general, ANY use of configuration should
 // be done in such a way that it responds to config changes while the process
 // is running.
@@ -52,8 +51,7 @@ func Get() *schema.SiteConfiguration {
 // handler) to ensure it responds to configuration changes while the process
 // is running.
 //
-// There are a select few configuration options that do restart the server (for
-// example, TLS or which port the frontend listens on) but these are the
+// There are a select few configuration options that do restart the server but these are the
 // exception rather than the rule. In general, ANY use of configuration should
 // be done in such a way that it responds to config changes while the process
 // is running.

pkg/conf/parse/env.go

@@ -50,9 +50,6 @@ var legacyEnvToFieldName = map[string]string{
 	"SamlSPCert":                     "SAML_CERT",
 	"SamlSPKey":                      "SAML_KEY",
 	"SearchScopes":                   "SEARCH_SCOPES",
-	// Settings has no env var
-	"TlsCert": "TLS_CERT",
-	"TlsKey":  "TLS_KEY",
 }
 
 // configFromLegacyEnvVars constructs site config JSON from env vars. This is merged into the

pkg/conf/parse/parse.go

@@ -69,15 +69,13 @@ var requireRestart = []string{
 	"searchScopes",
 	"extensions",
 	"disableBrowserExtension",
-	"tlsCert",
 	"update.channel",
 	"useJaeger",
 	"privateArtifactRepoPassword",
 	"disablePublicRepoRedirects",
 	"privateArtifactRepoUsername",
 	"blacklistGoGet",
 	"privateArtifactRepoID",
-	"tlsKey",
 }
 
 // NeedRestartToApply determines if a restart is needed to apply the changes

schema/site.schema.json

@@ -95,18 +95,6 @@
         }
       }
     },
-    "tlsCert": {
-      "description":
-        "The contents of the PEM-encoded TLS certificate for the web server (for the web app and API).\n\nSee https://docs.sourcegraph.com/admin/tls_ssl for more information.",
-      "type": "string",
-      "pattern": "^-----BEGIN CERTIFICATE-----\n"
-    },
-    "tlsKey": {
-      "description":
-        "The contents of the PEM-encoded TLS key for the web server (for the web app and API).\n\nSee https://docs.sourcegraph.com/admin/tls_ssl for more information.",
-      "type": "string",
-      "pattern": "^-----BEGIN "
-    },
     "httpToHttpsRedirect": {
       "description":
         "Redirect users from HTTP to HTTPS. Accepted values are \"on\", \"off\", and \"load-balanced\" (boolean values true and false are also accepted and equivalent to \"on\" and \"off\" respectively). If \"load-balanced\" then additionally we use \"X-Forwarded-Proto\" to determine if on HTTP.",