From 9ec323350ef34e17f47e99f8a5d984348bc13e29 Mon Sep 17 00:00:00 2001 From: Matthew Penner Date: Tue, 4 Aug 2020 17:19:04 -0600 Subject: [PATCH] Use more secure TLS settings for the HTTP server --- cmd/root.go | 100 +++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 79 insertions(+), 21 deletions(-) diff --git a/cmd/root.go b/cmd/root.go index f852869..8077adf 100644 --- a/cmd/root.go +++ b/cmd/root.go @@ -6,6 +6,7 @@ import ( "github.com/NYTimes/logrotate" "github.com/apex/log/handlers/multi" "github.com/gammazero/workerpool" + "golang.org/x/crypto/acme" "net/http" "os" "path" @@ -132,14 +133,15 @@ func rootCmdRun(*cobra.Command, []string) { config.SetDebugViaFlag(debug) if err := c.System.ConfigureDirectories(); err != nil { - log.Fatal("failed to configure system directories for pterodactyl") - panic(err) + log.WithError(err).Fatal("failed to configure system directories for pterodactyl") + os.Exit(1) + return } log.WithField("username", c.System.Username).Info("checking for pterodactyl system user") if su, err := c.EnsurePterodactylUser(); err != nil { - log.Error("failed to create pterodactyl system user") - panic(err) + log.WithError(err).Error("failed to create pterodactyl system user") + os.Exit(1) return } else { log.WithFields(log.Fields{ @@ -217,15 +219,19 @@ func rootCmdRun(*cobra.Command, []string) { // Addresses potentially invalid data in the stored file that can cause Wings to lose // track of what the actual server state is. - s.SetState(server.ProcessOfflineState) + _ = s.SetState(server.ProcessOfflineState) }) } - // Wait until all of the servers are ready to go before we fire up the HTTP server. + // Wait until all of the servers are ready to go before we fire up the SFTP and HTTP servers. pool.StopWait() - // Initalize SFTP. - sftp.Initialize(c) + // Initialize the SFTP server. + if err := sftp.Initialize(c); err != nil { + log.WithError(err).Error("failed to initialize the sftp server") + os.Exit(1) + return + } // Ensure the archive directory exists. if err := os.MkdirAll(c.System.ArchiveDirectory, 0755); err != nil { @@ -244,9 +250,46 @@ func rootCmdRun(*cobra.Command, []string) { "host_port": c.Api.Port, }).Info("configuring internal webserver") + // Configure the router. r := router.Configure() - addr := fmt.Sprintf("%s:%d", c.Api.Host, c.Api.Port) + s := &http.Server{ + Addr: fmt.Sprintf("%s:%d", c.Api.Host, c.Api.Port), + Handler: r, + + TLSConfig: &tls.Config{ + NextProtos: []string{ + "h2", // enable HTTP/2 + "http/1.1", + }, + + // https://blog.cloudflare.com/exposing-go-on-the-internet + CipherSuites: []uint16{ + tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + + tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + + tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, + + tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, + }, + + PreferServerCipherSuites: true, + + MinVersion: tls.VersionTLS12, + MaxVersion: tls.VersionTLS13, + + CurvePreferences: []tls.CurveID{ + tls.X25519, + tls.CurveP256, + }, + // END https://blog.cloudflare.com/exposing-go-on-the-internet + }, + } + + // Check if the server should run with TLS but using autocert. if useAutomaticTls && len(tlsHostname) > 0 { m := autocert.Manager{ Prompt: autocert.AcceptTOS, @@ -255,28 +298,43 @@ func rootCmdRun(*cobra.Command, []string) { } log.WithField("hostname", tlsHostname). - Info("webserver is now listening with auto-TLS enabled; certifcates will be automatically generated by Let's Encrypt") + Info("webserver is now listening with auto-TLS enabled; certificates will be automatically generated by Let's Encrypt") - // We don't use the autotls runner here since we need to specify a port other than 443 - // to be using for SSL connections for Wings. - s := &http.Server{Addr: addr, TLSConfig: m.TLSConfig(), Handler: r} + // Hook autocert into the main http server. + s.TLSConfig.GetCertificate = m.GetCertificate + s.TLSConfig.NextProtos = append(s.TLSConfig.NextProtos, acme.ALPNProto) // enable tls-alpn ACME challenges - go http.ListenAndServe(":http", m.HTTPHandler(nil)) + // Start the autocert server. + go func() { + if err := http.ListenAndServe(":http", m.HTTPHandler(nil)); err != nil { + log.WithError(err).Error("failed to serve autocert http server") + } + }() + + // Start the main http server with TLS using autocert. if err := s.ListenAndServeTLS("", ""); err != nil { log.WithFields(log.Fields{"auto_tls": true, "tls_hostname": tlsHostname, "error": err}). Fatal("failed to configure HTTP server using auto-tls") os.Exit(1) } - } else if c.Api.Ssl.Enabled { - if err := r.RunTLS(addr, c.Api.Ssl.CertificateFile, c.Api.Ssl.KeyFile); err != nil { + + return + } + + // Check if main http server should run with TLS. + if c.Api.Ssl.Enabled { + if err := s.ListenAndServeTLS(c.Api.Ssl.CertificateFile, c.Api.Ssl.KeyFile); err != nil { log.WithFields(log.Fields{"auto_tls": false, "error": err}).Fatal("failed to configure HTTPS server") os.Exit(1) } - } else { - if err := r.Run(addr); err != nil { - log.WithField("error", err).Fatal("failed to configure HTTP server") - os.Exit(1) - } + return + } + + // Run the main http server without TLS. + s.TLSConfig = nil + if err := s.ListenAndServe(); err != nil { + log.WithField("error", err).Fatal("failed to configure HTTP server") + os.Exit(1) } }