mirror of https://github.com/status-im/consul.git
Merge pull request #478 from amalaviy/https
Added HTTPS support via a new HTTPS Port configuration option
This commit is contained in:
commit
6be29e17c2
|
@ -43,7 +43,7 @@ type Command struct {
|
||||||
logOutput io.Writer
|
logOutput io.Writer
|
||||||
agent *Agent
|
agent *Agent
|
||||||
rpcServer *AgentRPC
|
rpcServer *AgentRPC
|
||||||
httpServer *HTTPServer
|
httpServers []*HTTPServer
|
||||||
dnsServer *DNSServer
|
dnsServer *DNSServer
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -72,7 +72,7 @@ func (c *Command) readConfig() *Config {
|
||||||
cmdFlags.BoolVar(&cmdConfig.Bootstrap, "bootstrap", false, "enable server bootstrap mode")
|
cmdFlags.BoolVar(&cmdConfig.Bootstrap, "bootstrap", false, "enable server bootstrap mode")
|
||||||
cmdFlags.IntVar(&cmdConfig.BootstrapExpect, "bootstrap-expect", 0, "enable automatic bootstrap via expect mode")
|
cmdFlags.IntVar(&cmdConfig.BootstrapExpect, "bootstrap-expect", 0, "enable automatic bootstrap via expect mode")
|
||||||
|
|
||||||
cmdFlags.StringVar(&cmdConfig.ClientAddr, "client", "", "address to bind client listeners to (DNS, HTTP, RPC)")
|
cmdFlags.StringVar(&cmdConfig.ClientAddr, "client", "", "address to bind client listeners to (DNS, HTTP, HTTPS, RPC)")
|
||||||
cmdFlags.StringVar(&cmdConfig.BindAddr, "bind", "", "address to bind server listeners to")
|
cmdFlags.StringVar(&cmdConfig.BindAddr, "bind", "", "address to bind server listeners to")
|
||||||
cmdFlags.StringVar(&cmdConfig.AdvertiseAddr, "advertise", "", "address to advertise instead of bind addr")
|
cmdFlags.StringVar(&cmdConfig.AdvertiseAddr, "advertise", "", "address to advertise instead of bind addr")
|
||||||
|
|
||||||
|
@ -296,20 +296,14 @@ func (c *Command) setupAgent(config *Config, logOutput io.Writer, logWriter *log
|
||||||
c.Ui.Output("Starting Consul agent RPC...")
|
c.Ui.Output("Starting Consul agent RPC...")
|
||||||
c.rpcServer = NewAgentRPC(agent, rpcListener, logOutput, logWriter)
|
c.rpcServer = NewAgentRPC(agent, rpcListener, logOutput, logWriter)
|
||||||
|
|
||||||
if config.Ports.HTTP > 0 {
|
if config.Ports.HTTP > 0 || config.Ports.HTTPS > 0 {
|
||||||
httpAddr, err := config.ClientListener(config.Addresses.HTTP, config.Ports.HTTP)
|
servers, err := NewHTTPServers(agent, config, logOutput)
|
||||||
if err != nil {
|
|
||||||
c.Ui.Error(fmt.Sprintf("Invalid HTTP bind address: %s", err))
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
server, err := NewHTTPServer(agent, config.UiDir, config.EnableDebug, logOutput, httpAddr.String())
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
agent.Shutdown()
|
agent.Shutdown()
|
||||||
c.Ui.Error(fmt.Sprintf("Error starting http server: %s", err))
|
c.Ui.Error(fmt.Sprintf("Error starting http servers:", err))
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
c.httpServer = server
|
c.httpServers = servers
|
||||||
}
|
}
|
||||||
|
|
||||||
if config.Ports.DNS > 0 {
|
if config.Ports.DNS > 0 {
|
||||||
|
@ -537,8 +531,9 @@ func (c *Command) Run(args []string) int {
|
||||||
if c.rpcServer != nil {
|
if c.rpcServer != nil {
|
||||||
defer c.rpcServer.Shutdown()
|
defer c.rpcServer.Shutdown()
|
||||||
}
|
}
|
||||||
if c.httpServer != nil {
|
|
||||||
defer c.httpServer.Shutdown()
|
for _, server := range c.httpServers {
|
||||||
|
defer server.Shutdown()
|
||||||
}
|
}
|
||||||
|
|
||||||
// Join startup nodes if specified
|
// Join startup nodes if specified
|
||||||
|
@ -573,7 +568,7 @@ func (c *Command) Run(args []string) int {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Get the new client listener addr
|
// Get the new client http listener addr
|
||||||
httpAddr, err := config.ClientListenerAddr(config.Addresses.HTTP, config.Ports.HTTP)
|
httpAddr, err := config.ClientListenerAddr(config.Addresses.HTTP, config.Ports.HTTP)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
c.Ui.Error(fmt.Sprintf("Failed to determine HTTP address: %v", err))
|
c.Ui.Error(fmt.Sprintf("Failed to determine HTTP address: %v", err))
|
||||||
|
@ -597,8 +592,8 @@ func (c *Command) Run(args []string) int {
|
||||||
c.Ui.Info(fmt.Sprintf(" Node name: '%s'", config.NodeName))
|
c.Ui.Info(fmt.Sprintf(" Node name: '%s'", config.NodeName))
|
||||||
c.Ui.Info(fmt.Sprintf(" Datacenter: '%s'", config.Datacenter))
|
c.Ui.Info(fmt.Sprintf(" Datacenter: '%s'", config.Datacenter))
|
||||||
c.Ui.Info(fmt.Sprintf(" Server: %v (bootstrap: %v)", config.Server, config.Bootstrap))
|
c.Ui.Info(fmt.Sprintf(" Server: %v (bootstrap: %v)", config.Server, config.Bootstrap))
|
||||||
c.Ui.Info(fmt.Sprintf(" Client Addr: %v (HTTP: %d, DNS: %d, RPC: %d)", config.ClientAddr,
|
c.Ui.Info(fmt.Sprintf(" Client Addr: %v (HTTP: %d, HTTPS: %d, DNS: %d, RPC: %d)", config.ClientAddr,
|
||||||
config.Ports.HTTP, config.Ports.DNS, config.Ports.RPC))
|
config.Ports.HTTP, config.Ports.HTTPS, config.Ports.DNS, config.Ports.RPC))
|
||||||
c.Ui.Info(fmt.Sprintf(" Cluster Addr: %v (LAN: %d, WAN: %d)", config.AdvertiseAddr,
|
c.Ui.Info(fmt.Sprintf(" Cluster Addr: %v (LAN: %d, WAN: %d)", config.AdvertiseAddr,
|
||||||
config.Ports.SerfLan, config.Ports.SerfWan))
|
config.Ports.SerfLan, config.Ports.SerfWan))
|
||||||
c.Ui.Info(fmt.Sprintf("Gossip encrypt: %v, RPC-TLS: %v, TLS-Incoming: %v",
|
c.Ui.Info(fmt.Sprintf("Gossip encrypt: %v, RPC-TLS: %v, TLS-Incoming: %v",
|
||||||
|
@ -786,7 +781,7 @@ Options:
|
||||||
-bind=0.0.0.0 Sets the bind address for cluster communication
|
-bind=0.0.0.0 Sets the bind address for cluster communication
|
||||||
-bootstrap-expect=0 Sets server to expect bootstrap mode.
|
-bootstrap-expect=0 Sets server to expect bootstrap mode.
|
||||||
-client=127.0.0.1 Sets the address to bind for client access.
|
-client=127.0.0.1 Sets the address to bind for client access.
|
||||||
This includes RPC, DNS and HTTP
|
This includes RPC, DNS, HTTP and HTTPS (if configured)
|
||||||
-config-file=foo Path to a JSON file to read configuration from.
|
-config-file=foo Path to a JSON file to read configuration from.
|
||||||
This can be specified multiple times.
|
This can be specified multiple times.
|
||||||
-config-dir=foo Path to a directory to read configuration files
|
-config-dir=foo Path to a directory to read configuration files
|
||||||
|
|
|
@ -23,6 +23,7 @@ import (
|
||||||
type PortConfig struct {
|
type PortConfig struct {
|
||||||
DNS int // DNS Query interface
|
DNS int // DNS Query interface
|
||||||
HTTP int // HTTP API
|
HTTP int // HTTP API
|
||||||
|
HTTPS int // HTTPS API
|
||||||
RPC int // CLI RPC
|
RPC int // CLI RPC
|
||||||
SerfLan int `mapstructure:"serf_lan"` // LAN gossip (Client + Server)
|
SerfLan int `mapstructure:"serf_lan"` // LAN gossip (Client + Server)
|
||||||
SerfWan int `mapstructure:"serf_wan"` // WAN gossip (Server onlyg)
|
SerfWan int `mapstructure:"serf_wan"` // WAN gossip (Server onlyg)
|
||||||
|
@ -35,6 +36,7 @@ type PortConfig struct {
|
||||||
type AddressConfig struct {
|
type AddressConfig struct {
|
||||||
DNS string // DNS Query interface
|
DNS string // DNS Query interface
|
||||||
HTTP string // HTTP API
|
HTTP string // HTTP API
|
||||||
|
HTTPS string // HTTPS API
|
||||||
RPC string // CLI RPC
|
RPC string // CLI RPC
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -122,7 +124,7 @@ type Config struct {
|
||||||
NodeName string `mapstructure:"node_name"`
|
NodeName string `mapstructure:"node_name"`
|
||||||
|
|
||||||
// ClientAddr is used to control the address we bind to for
|
// ClientAddr is used to control the address we bind to for
|
||||||
// client services (DNS, HTTP, RPC)
|
// client services (DNS, HTTP, HTTPS, RPC)
|
||||||
ClientAddr string `mapstructure:"client_addr"`
|
ClientAddr string `mapstructure:"client_addr"`
|
||||||
|
|
||||||
// BindAddr is used to control the address we bind to.
|
// BindAddr is used to control the address we bind to.
|
||||||
|
@ -351,6 +353,7 @@ func DefaultConfig() *Config {
|
||||||
Ports: PortConfig{
|
Ports: PortConfig{
|
||||||
DNS: 8600,
|
DNS: 8600,
|
||||||
HTTP: 8500,
|
HTTP: 8500,
|
||||||
|
HTTPS: -1,
|
||||||
RPC: 8400,
|
RPC: 8400,
|
||||||
SerfLan: consul.DefaultLANSerfPort,
|
SerfLan: consul.DefaultLANSerfPort,
|
||||||
SerfWan: consul.DefaultWANSerfPort,
|
SerfWan: consul.DefaultWANSerfPort,
|
||||||
|
@ -739,6 +742,9 @@ func MergeConfig(a, b *Config) *Config {
|
||||||
if b.Ports.HTTP != 0 {
|
if b.Ports.HTTP != 0 {
|
||||||
result.Ports.HTTP = b.Ports.HTTP
|
result.Ports.HTTP = b.Ports.HTTP
|
||||||
}
|
}
|
||||||
|
if b.Ports.HTTPS != 0 {
|
||||||
|
result.Ports.HTTPS = b.Ports.HTTPS
|
||||||
|
}
|
||||||
if b.Ports.RPC != 0 {
|
if b.Ports.RPC != 0 {
|
||||||
result.Ports.RPC = b.Ports.RPC
|
result.Ports.RPC = b.Ports.RPC
|
||||||
}
|
}
|
||||||
|
@ -757,6 +763,9 @@ func MergeConfig(a, b *Config) *Config {
|
||||||
if b.Addresses.HTTP != "" {
|
if b.Addresses.HTTP != "" {
|
||||||
result.Addresses.HTTP = b.Addresses.HTTP
|
result.Addresses.HTTP = b.Addresses.HTTP
|
||||||
}
|
}
|
||||||
|
if b.Addresses.HTTPS != "" {
|
||||||
|
result.Addresses.HTTPS = b.Addresses.HTTPS
|
||||||
|
}
|
||||||
if b.Addresses.RPC != "" {
|
if b.Addresses.RPC != "" {
|
||||||
result.Addresses.RPC = b.Addresses.RPC
|
result.Addresses.RPC = b.Addresses.RPC
|
||||||
}
|
}
|
||||||
|
|
|
@ -137,7 +137,7 @@ func TestDecodeConfig(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// RPC configs
|
// RPC configs
|
||||||
input = `{"ports": {"http": 1234, "rpc": 8100}, "client_addr": "0.0.0.0"}`
|
input = `{"ports": {"http": 1234, "https": 1243, "rpc": 8100}, "client_addr": "0.0.0.0"}`
|
||||||
config, err = DecodeConfig(bytes.NewReader([]byte(input)))
|
config, err = DecodeConfig(bytes.NewReader([]byte(input)))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("err: %s", err)
|
t.Fatalf("err: %s", err)
|
||||||
|
@ -151,6 +151,10 @@ func TestDecodeConfig(t *testing.T) {
|
||||||
t.Fatalf("bad: %#v", config)
|
t.Fatalf("bad: %#v", config)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if config.Ports.HTTPS != 1243 {
|
||||||
|
t.Fatalf("bad: %#v", config)
|
||||||
|
}
|
||||||
|
|
||||||
if config.Ports.RPC != 8100 {
|
if config.Ports.RPC != 8100 {
|
||||||
t.Fatalf("bad: %#v", config)
|
t.Fatalf("bad: %#v", config)
|
||||||
}
|
}
|
||||||
|
@ -553,7 +557,7 @@ func TestDecodeConfig(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Address overrides
|
// Address overrides
|
||||||
input = `{"addresses": {"dns": "0.0.0.0", "http": "127.0.0.1", "rpc": "127.0.0.1"}}`
|
input = `{"addresses": {"dns": "0.0.0.0", "http": "127.0.0.1", "https": "127.0.0.1", "rpc": "127.0.0.1"}}`
|
||||||
config, err = DecodeConfig(bytes.NewReader([]byte(input)))
|
config, err = DecodeConfig(bytes.NewReader([]byte(input)))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("err: %s", err)
|
t.Fatalf("err: %s", err)
|
||||||
|
@ -565,6 +569,9 @@ func TestDecodeConfig(t *testing.T) {
|
||||||
if config.Addresses.HTTP != "127.0.0.1" {
|
if config.Addresses.HTTP != "127.0.0.1" {
|
||||||
t.Fatalf("bad: %#v", config)
|
t.Fatalf("bad: %#v", config)
|
||||||
}
|
}
|
||||||
|
if config.Addresses.HTTPS != "127.0.0.1" {
|
||||||
|
t.Fatalf("bad: %#v", config)
|
||||||
|
}
|
||||||
if config.Addresses.RPC != "127.0.0.1" {
|
if config.Addresses.RPC != "127.0.0.1" {
|
||||||
t.Fatalf("bad: %#v", config)
|
t.Fatalf("bad: %#v", config)
|
||||||
}
|
}
|
||||||
|
@ -901,11 +908,13 @@ func TestMergeConfig(t *testing.T) {
|
||||||
SerfLan: 4,
|
SerfLan: 4,
|
||||||
SerfWan: 5,
|
SerfWan: 5,
|
||||||
Server: 6,
|
Server: 6,
|
||||||
|
HTTPS: 7,
|
||||||
},
|
},
|
||||||
Addresses: AddressConfig{
|
Addresses: AddressConfig{
|
||||||
DNS: "127.0.0.1",
|
DNS: "127.0.0.1",
|
||||||
HTTP: "127.0.0.2",
|
HTTP: "127.0.0.2",
|
||||||
RPC: "127.0.0.3",
|
RPC: "127.0.0.3",
|
||||||
|
HTTPS: "127.0.0.4",
|
||||||
},
|
},
|
||||||
Server: true,
|
Server: true,
|
||||||
LeaveOnTerm: true,
|
LeaveOnTerm: true,
|
||||||
|
|
|
@ -1,7 +1,9 @@
|
||||||
package agent
|
package agent
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"crypto/tls"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
"log"
|
"log"
|
||||||
"net"
|
"net"
|
||||||
|
@ -12,6 +14,7 @@ import (
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/hashicorp/consul/consul/structs"
|
"github.com/hashicorp/consul/consul/structs"
|
||||||
|
"github.com/hashicorp/consul/tlsutil"
|
||||||
"github.com/mitchellh/mapstructure"
|
"github.com/mitchellh/mapstructure"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -23,38 +26,132 @@ type HTTPServer struct {
|
||||||
listener net.Listener
|
listener net.Listener
|
||||||
logger *log.Logger
|
logger *log.Logger
|
||||||
uiDir string
|
uiDir string
|
||||||
|
addr string
|
||||||
}
|
}
|
||||||
|
|
||||||
// NewHTTPServer starts a new HTTP server to provide an interface to
|
// NewHTTPServers starts new HTTP servers to provide an interface to
|
||||||
// the agent.
|
// the agent.
|
||||||
func NewHTTPServer(agent *Agent, uiDir string, enableDebug bool, logOutput io.Writer, bind string) (*HTTPServer, error) {
|
func NewHTTPServers(agent *Agent, config *Config, logOutput io.Writer) ([]*HTTPServer, error) {
|
||||||
// Create the mux
|
var tlsConfig *tls.Config
|
||||||
mux := http.NewServeMux()
|
var list net.Listener
|
||||||
|
var httpAddr *net.TCPAddr
|
||||||
|
var err error
|
||||||
|
var servers []*HTTPServer
|
||||||
|
|
||||||
// Create listener
|
if config.Ports.HTTPS > 0 {
|
||||||
list, err := net.Listen("tcp", bind)
|
httpAddr, err = config.ClientListener(config.Addresses.HTTPS, config.Ports.HTTPS)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
tlsConf := &tlsutil.Config{
|
||||||
|
VerifyIncoming: config.VerifyIncoming,
|
||||||
|
VerifyOutgoing: config.VerifyOutgoing,
|
||||||
|
CAFile: config.CAFile,
|
||||||
|
CertFile: config.CertFile,
|
||||||
|
KeyFile: config.KeyFile,
|
||||||
|
NodeName: config.NodeName,
|
||||||
|
ServerName: config.ServerName}
|
||||||
|
|
||||||
|
tlsConfig, err = tlsConf.IncomingTLSConfig()
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
ln, err := net.Listen("tcp", httpAddr.String())
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
list = tls.NewListener(tcpKeepAliveListener{ln.(*net.TCPListener)}, tlsConfig)
|
||||||
|
|
||||||
|
// Create the mux
|
||||||
|
mux := http.NewServeMux()
|
||||||
|
|
||||||
// Create the server
|
// Create the server
|
||||||
srv := &HTTPServer{
|
srv := &HTTPServer{
|
||||||
agent: agent,
|
agent: agent,
|
||||||
mux: mux,
|
mux: mux,
|
||||||
listener: list,
|
listener: list,
|
||||||
logger: log.New(logOutput, "", log.LstdFlags),
|
logger: log.New(logOutput, "", log.LstdFlags),
|
||||||
uiDir: uiDir,
|
uiDir: config.UiDir,
|
||||||
|
addr: httpAddr.String(),
|
||||||
}
|
}
|
||||||
srv.registerHandlers(enableDebug)
|
srv.registerHandlers(config.EnableDebug)
|
||||||
|
|
||||||
// Start the server
|
// Start the server
|
||||||
go http.Serve(list, mux)
|
go http.Serve(list, mux)
|
||||||
return srv, nil
|
|
||||||
|
servers := make([]*HTTPServer, 1)
|
||||||
|
servers[0] = srv
|
||||||
|
}
|
||||||
|
|
||||||
|
if config.Ports.HTTP > 0 {
|
||||||
|
httpAddr, err = config.ClientListener(config.Addresses.HTTP, config.Ports.HTTP)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("Failed to get ClientListener address:port: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Create non-TLS listener
|
||||||
|
ln, err := net.Listen("tcp", httpAddr.String())
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("Failed to get Listen on %s: %v", httpAddr.String(), err)
|
||||||
|
}
|
||||||
|
|
||||||
|
list = tcpKeepAliveListener{ln.(*net.TCPListener)}
|
||||||
|
|
||||||
|
// Create the mux
|
||||||
|
mux := http.NewServeMux()
|
||||||
|
|
||||||
|
// Create the server
|
||||||
|
srv := &HTTPServer{
|
||||||
|
agent: agent,
|
||||||
|
mux: mux,
|
||||||
|
listener: list,
|
||||||
|
logger: log.New(logOutput, "", log.LstdFlags),
|
||||||
|
uiDir: config.UiDir,
|
||||||
|
addr: httpAddr.String(),
|
||||||
|
}
|
||||||
|
srv.registerHandlers(config.EnableDebug)
|
||||||
|
|
||||||
|
// Start the server
|
||||||
|
go http.Serve(list, mux)
|
||||||
|
|
||||||
|
if servers != nil {
|
||||||
|
// we already have the https server in servers, append
|
||||||
|
servers = append(servers, srv)
|
||||||
|
} else {
|
||||||
|
servers := make([]*HTTPServer, 1)
|
||||||
|
servers[0] = srv
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return servers, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// tcpKeepAliveListener sets TCP keep-alive timeouts on accepted
|
||||||
|
// connections. It's used by NewHttpServer so
|
||||||
|
// dead TCP connections eventually go away.
|
||||||
|
type tcpKeepAliveListener struct {
|
||||||
|
*net.TCPListener
|
||||||
|
}
|
||||||
|
|
||||||
|
func (ln tcpKeepAliveListener) Accept() (c net.Conn, err error) {
|
||||||
|
tc, err := ln.AcceptTCP()
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
tc.SetKeepAlive(true)
|
||||||
|
tc.SetKeepAlivePeriod(30 * time.Second)
|
||||||
|
return tc, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Shutdown is used to shutdown the HTTP server
|
// Shutdown is used to shutdown the HTTP server
|
||||||
func (s *HTTPServer) Shutdown() {
|
func (s *HTTPServer) Shutdown() {
|
||||||
|
if s != nil {
|
||||||
|
s.logger.Printf("[DEBUG] http: Shutting down http server(%v)", s.addr)
|
||||||
s.listener.Close()
|
s.listener.Close()
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// registerHandlers is used to attach our handlers to the mux
|
// registerHandlers is used to attach our handlers to the mux
|
||||||
|
|
|
@ -25,12 +25,18 @@ func makeHTTPServer(t *testing.T) (string, *HTTPServer) {
|
||||||
if err := os.Mkdir(uiDir, 755); err != nil {
|
if err := os.Mkdir(uiDir, 755); err != nil {
|
||||||
t.Fatalf("err: %v", err)
|
t.Fatalf("err: %v", err)
|
||||||
}
|
}
|
||||||
|
conf.Addresses.HTTP = ""
|
||||||
|
conf.Ports.HTTP = agent.config.Ports.HTTP
|
||||||
|
conf.Ports.HTTPS = -1
|
||||||
addr, _ := agent.config.ClientListener("", agent.config.Ports.HTTP)
|
addr, _ := agent.config.ClientListener("", agent.config.Ports.HTTP)
|
||||||
server, err := NewHTTPServer(agent, uiDir, true, agent.logOutput, addr.String())
|
servers, err := NewHTTPServers(agent, conf, agent.logOutput)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("err: %v", err)
|
t.Fatalf("err: %v", err)
|
||||||
}
|
}
|
||||||
return dir, server
|
if servers == nil || len(servers) == 0 {
|
||||||
|
t.Fatalf(fmt.Sprintf("Could not create HTTP server to listen on: %s", addr.String()))
|
||||||
|
}
|
||||||
|
return dir, servers[0]
|
||||||
}
|
}
|
||||||
|
|
||||||
func encodeReq(obj interface{}) io.ReadCloser {
|
func encodeReq(obj interface{}) io.ReadCloser {
|
||||||
|
|
|
@ -63,19 +63,25 @@ func testAgent(t *testing.T) *agentWrapper {
|
||||||
|
|
||||||
rpc := agent.NewAgentRPC(a, l, mult, lw)
|
rpc := agent.NewAgentRPC(a, l, mult, lw)
|
||||||
|
|
||||||
|
conf.Addresses.HTTP = "127.0.0.1"
|
||||||
httpAddr := fmt.Sprintf("127.0.0.1:%d", conf.Ports.HTTP)
|
httpAddr := fmt.Sprintf("127.0.0.1:%d", conf.Ports.HTTP)
|
||||||
http, err := agent.NewHTTPServer(a, "", false, os.Stderr, httpAddr)
|
http, err := agent.NewHTTPServers(a, conf, os.Stderr)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
os.RemoveAll(dir)
|
os.RemoveAll(dir)
|
||||||
t.Fatalf(fmt.Sprintf("err: %v", err))
|
t.Fatalf(fmt.Sprintf("err: %v", err))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if http == nil || len(http) == 0 {
|
||||||
|
os.RemoveAll(dir)
|
||||||
|
t.Fatalf(fmt.Sprintf("Could not create HTTP server to listen on: %s", httpAddr))
|
||||||
|
}
|
||||||
|
|
||||||
return &agentWrapper{
|
return &agentWrapper{
|
||||||
dir: dir,
|
dir: dir,
|
||||||
config: conf,
|
config: conf,
|
||||||
agent: a,
|
agent: a,
|
||||||
rpc: rpc,
|
rpc: rpc,
|
||||||
http: http,
|
http: http[0],
|
||||||
addr: l.Addr().String(),
|
addr: l.Addr().String(),
|
||||||
httpAddr: httpAddr,
|
httpAddr: httpAddr,
|
||||||
}
|
}
|
||||||
|
@ -92,6 +98,7 @@ func nextConfig() *agent.Config {
|
||||||
conf.Server = true
|
conf.Server = true
|
||||||
|
|
||||||
conf.Ports.HTTP = 10000 + 10*idx
|
conf.Ports.HTTP = 10000 + 10*idx
|
||||||
|
conf.Ports.HTTPS = 10401 + 10*idx
|
||||||
conf.Ports.RPC = 10100 + 10*idx
|
conf.Ports.RPC = 10100 + 10*idx
|
||||||
conf.Ports.SerfLan = 10201 + 10*idx
|
conf.Ports.SerfLan = 10201 + 10*idx
|
||||||
conf.Ports.SerfWan = 10202 + 10*idx
|
conf.Ports.SerfWan = 10202 + 10*idx
|
||||||
|
|
|
@ -93,7 +93,7 @@ func NewClient(config *Config) (*Client, error) {
|
||||||
// Create the tlsConfig
|
// Create the tlsConfig
|
||||||
var tlsConfig *tls.Config
|
var tlsConfig *tls.Config
|
||||||
var err error
|
var err error
|
||||||
if tlsConfig, err = config.OutgoingTLSConfig(); err != nil {
|
if tlsConfig, err = config.tlsConfig().OutgoingTLSConfig(); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
180
consul/config.go
180
consul/config.go
|
@ -1,15 +1,13 @@
|
||||||
package consul
|
package consul
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"crypto/tls"
|
|
||||||
"crypto/x509"
|
|
||||||
"fmt"
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
"io/ioutil"
|
|
||||||
"net"
|
"net"
|
||||||
"os"
|
"os"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
"github.com/hashicorp/consul/tlsutil"
|
||||||
"github.com/hashicorp/memberlist"
|
"github.com/hashicorp/memberlist"
|
||||||
"github.com/hashicorp/raft"
|
"github.com/hashicorp/raft"
|
||||||
"github.com/hashicorp/serf/serf"
|
"github.com/hashicorp/serf/serf"
|
||||||
|
@ -199,169 +197,6 @@ func (c *Config) CheckACL() error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// AppendCA opens and parses the CA file and adds the certificates to
|
|
||||||
// the provided CertPool.
|
|
||||||
func (c *Config) AppendCA(pool *x509.CertPool) error {
|
|
||||||
if c.CAFile == "" {
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// Read the file
|
|
||||||
data, err := ioutil.ReadFile(c.CAFile)
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("Failed to read CA file: %v", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
if !pool.AppendCertsFromPEM(data) {
|
|
||||||
return fmt.Errorf("Failed to parse any CA certificates")
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// KeyPair is used to open and parse a certificate and key file
|
|
||||||
func (c *Config) KeyPair() (*tls.Certificate, error) {
|
|
||||||
if c.CertFile == "" || c.KeyFile == "" {
|
|
||||||
return nil, nil
|
|
||||||
}
|
|
||||||
cert, err := tls.LoadX509KeyPair(c.CertFile, c.KeyFile)
|
|
||||||
if err != nil {
|
|
||||||
return nil, fmt.Errorf("Failed to load cert/key pair: %v", err)
|
|
||||||
}
|
|
||||||
return &cert, err
|
|
||||||
}
|
|
||||||
|
|
||||||
// OutgoingTLSConfig generates a TLS configuration for outgoing
|
|
||||||
// requests. It will return a nil config if this configuration should
|
|
||||||
// not use TLS for outgoing connections.
|
|
||||||
func (c *Config) OutgoingTLSConfig() (*tls.Config, error) {
|
|
||||||
if !c.VerifyOutgoing {
|
|
||||||
return nil, nil
|
|
||||||
}
|
|
||||||
// Create the tlsConfig
|
|
||||||
tlsConfig := &tls.Config{
|
|
||||||
RootCAs: x509.NewCertPool(),
|
|
||||||
InsecureSkipVerify: true,
|
|
||||||
}
|
|
||||||
if c.ServerName != "" {
|
|
||||||
tlsConfig.ServerName = c.ServerName
|
|
||||||
tlsConfig.InsecureSkipVerify = false
|
|
||||||
}
|
|
||||||
|
|
||||||
// Ensure we have a CA if VerifyOutgoing is set
|
|
||||||
if c.VerifyOutgoing && c.CAFile == "" {
|
|
||||||
return nil, fmt.Errorf("VerifyOutgoing set, and no CA certificate provided!")
|
|
||||||
}
|
|
||||||
|
|
||||||
// Parse the CA cert if any
|
|
||||||
err := c.AppendCA(tlsConfig.RootCAs)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
// Add cert/key
|
|
||||||
cert, err := c.KeyPair()
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
} else if cert != nil {
|
|
||||||
tlsConfig.Certificates = []tls.Certificate{*cert}
|
|
||||||
}
|
|
||||||
|
|
||||||
return tlsConfig, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// Wrap a net.Conn into a client tls connection, performing any
|
|
||||||
// additional verification as needed.
|
|
||||||
//
|
|
||||||
// As of go 1.3, crypto/tls only supports either doing no certificate
|
|
||||||
// verification, or doing full verification including of the peer's
|
|
||||||
// DNS name. For consul, we want to validate that the certificate is
|
|
||||||
// signed by a known CA, but because consul doesn't use DNS names for
|
|
||||||
// node names, we don't verify the certificate DNS names. Since go 1.3
|
|
||||||
// no longer supports this mode of operation, we have to do it
|
|
||||||
// manually.
|
|
||||||
func wrapTLSClient(conn net.Conn, tlsConfig *tls.Config) (net.Conn, error) {
|
|
||||||
var err error
|
|
||||||
var tlsConn *tls.Conn
|
|
||||||
|
|
||||||
tlsConn = tls.Client(conn, tlsConfig)
|
|
||||||
|
|
||||||
// If crypto/tls is doing verification, there's no need to do
|
|
||||||
// our own.
|
|
||||||
if tlsConfig.InsecureSkipVerify == false {
|
|
||||||
return tlsConn, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
if err = tlsConn.Handshake(); err != nil {
|
|
||||||
tlsConn.Close()
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
// The following is lightly-modified from the doFullHandshake
|
|
||||||
// method in crypto/tls's handshake_client.go.
|
|
||||||
opts := x509.VerifyOptions{
|
|
||||||
Roots: tlsConfig.RootCAs,
|
|
||||||
CurrentTime: time.Now(),
|
|
||||||
DNSName: "",
|
|
||||||
Intermediates: x509.NewCertPool(),
|
|
||||||
}
|
|
||||||
|
|
||||||
certs := tlsConn.ConnectionState().PeerCertificates
|
|
||||||
for i, cert := range certs {
|
|
||||||
if i == 0 {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
opts.Intermediates.AddCert(cert)
|
|
||||||
}
|
|
||||||
|
|
||||||
_, err = certs[0].Verify(opts)
|
|
||||||
if err != nil {
|
|
||||||
tlsConn.Close()
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
return tlsConn, err
|
|
||||||
}
|
|
||||||
|
|
||||||
// IncomingTLSConfig generates a TLS configuration for incoming requests
|
|
||||||
func (c *Config) IncomingTLSConfig() (*tls.Config, error) {
|
|
||||||
// Create the tlsConfig
|
|
||||||
tlsConfig := &tls.Config{
|
|
||||||
ServerName: c.ServerName,
|
|
||||||
ClientCAs: x509.NewCertPool(),
|
|
||||||
ClientAuth: tls.NoClientCert,
|
|
||||||
}
|
|
||||||
if tlsConfig.ServerName == "" {
|
|
||||||
tlsConfig.ServerName = c.NodeName
|
|
||||||
}
|
|
||||||
|
|
||||||
// Parse the CA cert if any
|
|
||||||
err := c.AppendCA(tlsConfig.ClientCAs)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
// Add cert/key
|
|
||||||
cert, err := c.KeyPair()
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
} else if cert != nil {
|
|
||||||
tlsConfig.Certificates = []tls.Certificate{*cert}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Check if we require verification
|
|
||||||
if c.VerifyIncoming {
|
|
||||||
tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
|
|
||||||
if c.CAFile == "" {
|
|
||||||
return nil, fmt.Errorf("VerifyIncoming set, and no CA certificate provided!")
|
|
||||||
}
|
|
||||||
if cert == nil {
|
|
||||||
return nil, fmt.Errorf("VerifyIncoming set, and no Cert/Key pair provided!")
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return tlsConfig, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// DefaultConfig is used to return a sane default configuration
|
// DefaultConfig is used to return a sane default configuration
|
||||||
func DefaultConfig() *Config {
|
func DefaultConfig() *Config {
|
||||||
hostname, err := os.Hostname()
|
hostname, err := os.Hostname()
|
||||||
|
@ -400,3 +235,16 @@ func DefaultConfig() *Config {
|
||||||
|
|
||||||
return conf
|
return conf
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (c *Config) tlsConfig() *tlsutil.Config {
|
||||||
|
tlsConf := &tlsutil.Config{
|
||||||
|
VerifyIncoming: c.VerifyIncoming,
|
||||||
|
VerifyOutgoing: c.VerifyOutgoing,
|
||||||
|
CAFile: c.CAFile,
|
||||||
|
CertFile: c.CertFile,
|
||||||
|
KeyFile: c.KeyFile,
|
||||||
|
NodeName: c.NodeName,
|
||||||
|
ServerName: c.ServerName}
|
||||||
|
|
||||||
|
return tlsConf
|
||||||
|
}
|
||||||
|
|
|
@ -11,6 +11,7 @@ import (
|
||||||
"sync/atomic"
|
"sync/atomic"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
"github.com/hashicorp/consul/tlsutil"
|
||||||
"github.com/hashicorp/go-msgpack/codec"
|
"github.com/hashicorp/go-msgpack/codec"
|
||||||
"github.com/hashicorp/yamux"
|
"github.com/hashicorp/yamux"
|
||||||
"github.com/inconshreveable/muxado"
|
"github.com/inconshreveable/muxado"
|
||||||
|
@ -222,7 +223,7 @@ func (p *ConnPool) getNewConn(addr net.Addr, version int) (*Conn, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Wrap the connection in a TLS client
|
// Wrap the connection in a TLS client
|
||||||
tlsConn, err := wrapTLSClient(conn, p.tlsConfig)
|
tlsConn, err := tlsutil.WrapTLSClient(conn, p.tlsConfig)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
conn.Close()
|
conn.Close()
|
||||||
return nil, err
|
return nil, err
|
||||||
|
|
|
@ -3,6 +3,7 @@ package consul
|
||||||
import (
|
import (
|
||||||
"crypto/tls"
|
"crypto/tls"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"github.com/hashicorp/consul/tlsutil"
|
||||||
"net"
|
"net"
|
||||||
"sync"
|
"sync"
|
||||||
"time"
|
"time"
|
||||||
|
@ -94,7 +95,7 @@ func (l *RaftLayer) Dial(address string, timeout time.Duration) (net.Conn, error
|
||||||
}
|
}
|
||||||
|
|
||||||
// Wrap the connection in a TLS client
|
// Wrap the connection in a TLS client
|
||||||
conn, err = wrapTLSClient(conn, l.tlsConfig)
|
conn, err = tlsutil.WrapTLSClient(conn, l.tlsConfig)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
|
@ -168,13 +168,14 @@ func NewServer(config *Config) (*Server, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Create the tlsConfig for outgoing connections
|
// Create the tlsConfig for outgoing connections
|
||||||
tlsConfig, err := config.OutgoingTLSConfig()
|
tlsConf := config.tlsConfig()
|
||||||
|
tlsConfig, err := tlsConf.OutgoingTLSConfig()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
// Get the incoming tls config
|
// Get the incoming tls config
|
||||||
incomingTLS, err := config.IncomingTLSConfig()
|
incomingTLS, err := tlsConf.IncomingTLSConfig()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,206 @@
|
||||||
|
package tlsutil
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/tls"
|
||||||
|
"crypto/x509"
|
||||||
|
"fmt"
|
||||||
|
"io/ioutil"
|
||||||
|
"net"
|
||||||
|
"time"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Config used to create tls.Config
|
||||||
|
type Config struct {
|
||||||
|
// VerifyIncoming is used to verify the authenticity of incoming connections.
|
||||||
|
// This means that TCP requests are forbidden, only allowing for TLS. TLS connections
|
||||||
|
// must match a provided certificate authority. This can be used to force client auth.
|
||||||
|
VerifyIncoming bool
|
||||||
|
|
||||||
|
// VerifyOutgoing is used to verify the authenticity of outgoing connections.
|
||||||
|
// This means that TLS requests are used, and TCP requests are not made. TLS connections
|
||||||
|
// must match a provided certificate authority. This is used to verify authenticity of
|
||||||
|
// server nodes.
|
||||||
|
VerifyOutgoing bool
|
||||||
|
|
||||||
|
// CAFile is a path to a certificate authority file. This is used with VerifyIncoming
|
||||||
|
// or VerifyOutgoing to verify the TLS connection.
|
||||||
|
CAFile string
|
||||||
|
|
||||||
|
// CertFile is used to provide a TLS certificate that is used for serving TLS connections.
|
||||||
|
// Must be provided to serve TLS connections.
|
||||||
|
CertFile string
|
||||||
|
|
||||||
|
// KeyFile is used to provide a TLS key that is used for serving TLS connections.
|
||||||
|
// Must be provided to serve TLS connections.
|
||||||
|
KeyFile string
|
||||||
|
|
||||||
|
// Node name is the name we use to advertise. Defaults to hostname.
|
||||||
|
NodeName string
|
||||||
|
|
||||||
|
// ServerName is used with the TLS certificate to ensure the name we
|
||||||
|
// provide matches the certificate
|
||||||
|
ServerName string
|
||||||
|
}
|
||||||
|
|
||||||
|
// AppendCA opens and parses the CA file and adds the certificates to
|
||||||
|
// the provided CertPool.
|
||||||
|
func (c *Config) AppendCA(pool *x509.CertPool) error {
|
||||||
|
if c.CAFile == "" {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Read the file
|
||||||
|
data, err := ioutil.ReadFile(c.CAFile)
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("Failed to read CA file: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if !pool.AppendCertsFromPEM(data) {
|
||||||
|
return fmt.Errorf("Failed to parse any CA certificates")
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// KeyPair is used to open and parse a certificate and key file
|
||||||
|
func (c *Config) KeyPair() (*tls.Certificate, error) {
|
||||||
|
if c.CertFile == "" || c.KeyFile == "" {
|
||||||
|
return nil, nil
|
||||||
|
}
|
||||||
|
cert, err := tls.LoadX509KeyPair(c.CertFile, c.KeyFile)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("Failed to load cert/key pair: %v", err)
|
||||||
|
}
|
||||||
|
return &cert, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// OutgoingTLSConfig generates a TLS configuration for outgoing
|
||||||
|
// requests. It will return a nil config if this configuration should
|
||||||
|
// not use TLS for outgoing connections.
|
||||||
|
func (c *Config) OutgoingTLSConfig() (*tls.Config, error) {
|
||||||
|
if !c.VerifyOutgoing {
|
||||||
|
return nil, nil
|
||||||
|
}
|
||||||
|
// Create the tlsConfig
|
||||||
|
tlsConfig := &tls.Config{
|
||||||
|
RootCAs: x509.NewCertPool(),
|
||||||
|
InsecureSkipVerify: true,
|
||||||
|
}
|
||||||
|
if c.ServerName != "" {
|
||||||
|
tlsConfig.ServerName = c.ServerName
|
||||||
|
tlsConfig.InsecureSkipVerify = false
|
||||||
|
}
|
||||||
|
|
||||||
|
// Ensure we have a CA if VerifyOutgoing is set
|
||||||
|
if c.VerifyOutgoing && c.CAFile == "" {
|
||||||
|
return nil, fmt.Errorf("VerifyOutgoing set, and no CA certificate provided!")
|
||||||
|
}
|
||||||
|
|
||||||
|
// Parse the CA cert if any
|
||||||
|
err := c.AppendCA(tlsConfig.RootCAs)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Add cert/key
|
||||||
|
cert, err := c.KeyPair()
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
} else if cert != nil {
|
||||||
|
tlsConfig.Certificates = []tls.Certificate{*cert}
|
||||||
|
}
|
||||||
|
|
||||||
|
return tlsConfig, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Wrap a net.Conn into a client tls connection, performing any
|
||||||
|
// additional verification as needed.
|
||||||
|
//
|
||||||
|
// As of go 1.3, crypto/tls only supports either doing no certificate
|
||||||
|
// verification, or doing full verification including of the peer's
|
||||||
|
// DNS name. For consul, we want to validate that the certificate is
|
||||||
|
// signed by a known CA, but because consul doesn't use DNS names for
|
||||||
|
// node names, we don't verify the certificate DNS names. Since go 1.3
|
||||||
|
// no longer supports this mode of operation, we have to do it
|
||||||
|
// manually.
|
||||||
|
func WrapTLSClient(conn net.Conn, tlsConfig *tls.Config) (net.Conn, error) {
|
||||||
|
var err error
|
||||||
|
var tlsConn *tls.Conn
|
||||||
|
|
||||||
|
tlsConn = tls.Client(conn, tlsConfig)
|
||||||
|
|
||||||
|
// If crypto/tls is doing verification, there's no need to do
|
||||||
|
// our own.
|
||||||
|
if tlsConfig.InsecureSkipVerify == false {
|
||||||
|
return tlsConn, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
if err = tlsConn.Handshake(); err != nil {
|
||||||
|
tlsConn.Close()
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// The following is lightly-modified from the doFullHandshake
|
||||||
|
// method in crypto/tls's handshake_client.go.
|
||||||
|
opts := x509.VerifyOptions{
|
||||||
|
Roots: tlsConfig.RootCAs,
|
||||||
|
CurrentTime: time.Now(),
|
||||||
|
DNSName: "",
|
||||||
|
Intermediates: x509.NewCertPool(),
|
||||||
|
}
|
||||||
|
|
||||||
|
certs := tlsConn.ConnectionState().PeerCertificates
|
||||||
|
for i, cert := range certs {
|
||||||
|
if i == 0 {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
opts.Intermediates.AddCert(cert)
|
||||||
|
}
|
||||||
|
|
||||||
|
_, err = certs[0].Verify(opts)
|
||||||
|
if err != nil {
|
||||||
|
tlsConn.Close()
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
return tlsConn, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// IncomingTLSConfig generates a TLS configuration for incoming requests
|
||||||
|
func (c *Config) IncomingTLSConfig() (*tls.Config, error) {
|
||||||
|
// Create the tlsConfig
|
||||||
|
tlsConfig := &tls.Config{
|
||||||
|
ServerName: c.ServerName,
|
||||||
|
ClientCAs: x509.NewCertPool(),
|
||||||
|
ClientAuth: tls.NoClientCert,
|
||||||
|
}
|
||||||
|
if tlsConfig.ServerName == "" {
|
||||||
|
tlsConfig.ServerName = c.NodeName
|
||||||
|
}
|
||||||
|
|
||||||
|
// Parse the CA cert if any
|
||||||
|
err := c.AppendCA(tlsConfig.ClientCAs)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Add cert/key
|
||||||
|
cert, err := c.KeyPair()
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
} else if cert != nil {
|
||||||
|
tlsConfig.Certificates = []tls.Certificate{*cert}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Check if we require verification
|
||||||
|
if c.VerifyIncoming {
|
||||||
|
tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
|
||||||
|
if c.CAFile == "" {
|
||||||
|
return nil, fmt.Errorf("VerifyIncoming set, and no CA certificate provided!")
|
||||||
|
}
|
||||||
|
if cert == nil {
|
||||||
|
return nil, fmt.Errorf("VerifyIncoming set, and no Cert/Key pair provided!")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return tlsConfig, nil
|
||||||
|
}
|
|
@ -1,4 +1,4 @@
|
||||||
package consul
|
package tlsutil
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"crypto/tls"
|
"crypto/tls"
|
||||||
|
@ -204,7 +204,7 @@ func TestConfig_wrapTLS_OK(t *testing.T) {
|
||||||
t.Fatalf("OutgoingTLSConfig err: %v", err)
|
t.Fatalf("OutgoingTLSConfig err: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
tlsClient, err := wrapTLSClient(client, clientConfig)
|
tlsClient, err := WrapTLSClient(client, clientConfig)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("wrapTLS err: %v", err)
|
t.Fatalf("wrapTLS err: %v", err)
|
||||||
} else {
|
} else {
|
||||||
|
@ -237,7 +237,7 @@ func TestConfig_wrapTLS_BadCert(t *testing.T) {
|
||||||
t.Fatalf("OutgoingTLSConfig err: %v", err)
|
t.Fatalf("OutgoingTLSConfig err: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
tlsClient, err := wrapTLSClient(client, clientTLSConfig)
|
tlsClient, err := WrapTLSClient(client, clientTLSConfig)
|
||||||
if err == nil {
|
if err == nil {
|
||||||
t.Fatalf("wrapTLS no err")
|
t.Fatalf("wrapTLS no err")
|
||||||
}
|
}
|
|
@ -331,6 +331,7 @@ definitions support being updated during a reload.
|
||||||
for the following keys:
|
for the following keys:
|
||||||
* `dns` - The DNS server, -1 to disable. Default 8600.
|
* `dns` - The DNS server, -1 to disable. Default 8600.
|
||||||
* `http` - The HTTP api, -1 to disable. Default 8500.
|
* `http` - The HTTP api, -1 to disable. Default 8500.
|
||||||
|
* `https` - The HTTPS api, -1 to disable. Default -1 (disabled).
|
||||||
* `rpc` - The RPC endpoint. Default 8400.
|
* `rpc` - The RPC endpoint. Default 8400.
|
||||||
* `serf_lan` - The Serf LAN port. Default 8301.
|
* `serf_lan` - The Serf LAN port. Default 8301.
|
||||||
* `serf_wan` - The Serf WAN port. Default 8302.
|
* `serf_wan` - The Serf WAN port. Default 8302.
|
||||||
|
|
Loading…
Reference in New Issue