Use more secure TLS settings for the HTTP server
This commit is contained in:
Matthew Penner
parent
0a612a71d9
commit
9ec323350e
100
cmd/root.go
100
cmd/root.go
|
|
@ -6,6 +6,7 @@ import (
|
|||
"github.com/NYTimes/logrotate"
|
||||
"github.com/apex/log/handlers/multi"
|
||||
"github.com/gammazero/workerpool"
|
||||
"golang.org/x/crypto/acme"
|
||||
"net/http"
|
||||
"os"
|
||||
"path"
|
||||
|
|
@ -132,14 +133,15 @@ func rootCmdRun(*cobra.Command, []string) {
|
|||
config.SetDebugViaFlag(debug)
|
||||
|
||||
if err := c.System.ConfigureDirectories(); err != nil {
|
||||
log.Fatal("failed to configure system directories for pterodactyl")
|
||||
panic(err)
|
||||
log.WithError(err).Fatal("failed to configure system directories for pterodactyl")
|
||||
os.Exit(1)
|
||||
return
|
||||
}
|
||||
|
||||
log.WithField("username", c.System.Username).Info("checking for pterodactyl system user")
|
||||
if su, err := c.EnsurePterodactylUser(); err != nil {
|
||||
log.Error("failed to create pterodactyl system user")
|
||||
panic(err)
|
||||
log.WithError(err).Error("failed to create pterodactyl system user")
|
||||
os.Exit(1)
|
||||
return
|
||||
} else {
|
||||
log.WithFields(log.Fields{
|
||||
|
|
@ -217,15 +219,19 @@ func rootCmdRun(*cobra.Command, []string) {
|
|||
|
||||
// Addresses potentially invalid data in the stored file that can cause Wings to lose
|
||||
// track of what the actual server state is.
|
||||
s.SetState(server.ProcessOfflineState)
|
||||
_ = s.SetState(server.ProcessOfflineState)
|
||||
})
|
||||
}
|
||||
|
||||
// Wait until all of the servers are ready to go before we fire up the HTTP server.
|
||||
// Wait until all of the servers are ready to go before we fire up the SFTP and HTTP servers.
|
||||
pool.StopWait()
|
||||
|
||||
// Initalize SFTP.
|
||||
sftp.Initialize(c)
|
||||
// Initialize the SFTP server.
|
||||
if err := sftp.Initialize(c); err != nil {
|
||||
log.WithError(err).Error("failed to initialize the sftp server")
|
||||
os.Exit(1)
|
||||
return
|
||||
}
|
||||
|
||||
// Ensure the archive directory exists.
|
||||
if err := os.MkdirAll(c.System.ArchiveDirectory, 0755); err != nil {
|
||||
|
|
@ -244,9 +250,46 @@ func rootCmdRun(*cobra.Command, []string) {
|
|||
"host_port": c.Api.Port,
|
||||
}).Info("configuring internal webserver")
|
||||
|
||||
// Configure the router.
|
||||
r := router.Configure()
|
||||
addr := fmt.Sprintf("%s:%d", c.Api.Host, c.Api.Port)
|
||||
|
||||
s := &http.Server{
|
||||
Addr: fmt.Sprintf("%s:%d", c.Api.Host, c.Api.Port),
|
||||
Handler: r,
|
||||
|
||||
TLSConfig: &tls.Config{
|
||||
NextProtos: []string{
|
||||
"h2", // enable HTTP/2
|
||||
"http/1.1",
|
||||
},
|
||||
|
||||
// https://blog.cloudflare.com/exposing-go-on-the-internet
|
||||
CipherSuites: []uint16{
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||
|
||||
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||
|
||||
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
|
||||
|
||||
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
|
||||
},
|
||||
|
||||
PreferServerCipherSuites: true,
|
||||
|
||||
MinVersion: tls.VersionTLS12,
|
||||
MaxVersion: tls.VersionTLS13,
|
||||
|
||||
CurvePreferences: []tls.CurveID{
|
||||
tls.X25519,
|
||||
tls.CurveP256,
|
||||
},
|
||||
// END https://blog.cloudflare.com/exposing-go-on-the-internet
|
||||
},
|
||||
}
|
||||
|
||||
// Check if the server should run with TLS but using autocert.
|
||||
if useAutomaticTls && len(tlsHostname) > 0 {
|
||||
m := autocert.Manager{
|
||||
Prompt: autocert.AcceptTOS,
|
||||
|
|
@ -255,28 +298,43 @@ func rootCmdRun(*cobra.Command, []string) {
|
|||
}
|
||||
|
||||
log.WithField("hostname", tlsHostname).
|
||||
Info("webserver is now listening with auto-TLS enabled; certifcates will be automatically generated by Let's Encrypt")
|
||||
Info("webserver is now listening with auto-TLS enabled; certificates will be automatically generated by Let's Encrypt")
|
||||
|
||||
// We don't use the autotls runner here since we need to specify a port other than 443
|
||||
// to be using for SSL connections for Wings.
|
||||
s := &http.Server{Addr: addr, TLSConfig: m.TLSConfig(), Handler: r}
|
||||
// Hook autocert into the main http server.
|
||||
s.TLSConfig.GetCertificate = m.GetCertificate
|
||||
s.TLSConfig.NextProtos = append(s.TLSConfig.NextProtos, acme.ALPNProto) // enable tls-alpn ACME challenges
|
||||
|
||||
go http.ListenAndServe(":http", m.HTTPHandler(nil))
|
||||
// Start the autocert server.
|
||||
go func() {
|
||||
if err := http.ListenAndServe(":http", m.HTTPHandler(nil)); err != nil {
|
||||
log.WithError(err).Error("failed to serve autocert http server")
|
||||
}
|
||||
}()
|
||||
|
||||
// Start the main http server with TLS using autocert.
|
||||
if err := s.ListenAndServeTLS("", ""); err != nil {
|
||||
log.WithFields(log.Fields{"auto_tls": true, "tls_hostname": tlsHostname, "error": err}).
|
||||
Fatal("failed to configure HTTP server using auto-tls")
|
||||
os.Exit(1)
|
||||
}
|
||||
} else if c.Api.Ssl.Enabled {
|
||||
if err := r.RunTLS(addr, c.Api.Ssl.CertificateFile, c.Api.Ssl.KeyFile); err != nil {
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
// Check if main http server should run with TLS.
|
||||
if c.Api.Ssl.Enabled {
|
||||
if err := s.ListenAndServeTLS(c.Api.Ssl.CertificateFile, c.Api.Ssl.KeyFile); err != nil {
|
||||
log.WithFields(log.Fields{"auto_tls": false, "error": err}).Fatal("failed to configure HTTPS server")
|
||||
os.Exit(1)
|
||||
}
|
||||
} else {
|
||||
if err := r.Run(addr); err != nil {
|
||||
log.WithField("error", err).Fatal("failed to configure HTTP server")
|
||||
os.Exit(1)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// Run the main http server without TLS.
|
||||
s.TLSConfig = nil
|
||||
if err := s.ListenAndServe(); err != nil {
|
||||
log.WithField("error", err).Fatal("failed to configure HTTP server")
|
||||
os.Exit(1)
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user