Added HTTPS support via a new HTTPS Port configuration option similar to the HTTP Port.

This commit is contained in:
Atin Malaviya 2014-11-14 14:39:19 -05:00
parent 2cdbae5a95
commit 59a68ecc26
5 changed files with 222 additions and 49 deletions

View File

@ -43,7 +43,7 @@ type Command struct {
logOutput io.Writer
agent *Agent
rpcServer *AgentRPC
httpServer *HTTPServer
httpServers []*HTTPServer
dnsServer *DNSServer
}
@ -71,7 +71,7 @@ func (c *Command) readConfig() *Config {
cmdFlags.BoolVar(&cmdConfig.Bootstrap, "bootstrap", false, "enable server bootstrap mode")
cmdFlags.IntVar(&cmdConfig.BootstrapExpect, "bootstrap-expect", 0, "enable automatic bootstrap via expect mode")
cmdFlags.StringVar(&cmdConfig.ClientAddr, "client", "", "address to bind client listeners to (DNS, HTTP, RPC)")
cmdFlags.StringVar(&cmdConfig.ClientAddr, "client", "", "address to bind client listeners to (DNS, HTTP, HTTPS, RPC)")
cmdFlags.StringVar(&cmdConfig.BindAddr, "bind", "", "address to bind server listeners to")
cmdFlags.StringVar(&cmdConfig.AdvertiseAddr, "advertise", "", "address to advertise instead of bind addr")
@ -278,20 +278,14 @@ func (c *Command) setupAgent(config *Config, logOutput io.Writer, logWriter *log
c.Ui.Output("Starting Consul agent RPC...")
c.rpcServer = NewAgentRPC(agent, rpcListener, logOutput, logWriter)
if config.Ports.HTTP > 0 {
httpAddr, err := config.ClientListener(config.Addresses.HTTP, config.Ports.HTTP)
if err != nil {
c.Ui.Error(fmt.Sprintf("Invalid HTTP bind address: %s", err))
return err
}
server, err := NewHTTPServer(agent, config.UiDir, config.EnableDebug, logOutput, httpAddr.String())
if config.Ports.HTTP > 0 || config.Ports.HTTPS > 0 {
servers, err := NewHTTPServers(agent, config, logOutput)
if err != nil {
agent.Shutdown()
c.Ui.Error(fmt.Sprintf("Error starting http server: %s", err))
c.Ui.Error(fmt.Sprintf("Error starting http servers:", err))
return err
}
c.httpServer = server
c.httpServers = servers
}
if config.Ports.DNS > 0 {
@ -472,8 +466,10 @@ func (c *Command) Run(args []string) int {
if c.rpcServer != nil {
defer c.rpcServer.Shutdown()
}
if c.httpServer != nil {
defer c.httpServer.Shutdown()
if c.httpServers != nil {
for _, server := range c.httpServers {
defer server.Shutdown()
}
}
// Join startup nodes if specified
@ -502,7 +498,7 @@ func (c *Command) Run(args []string) int {
}
}
// Get the new client listener addr
// Get the new client http listener addr
httpAddr, err := config.ClientListenerAddr(config.Addresses.HTTP, config.Ports.HTTP)
if err != nil {
c.Ui.Error(fmt.Sprintf("Failed to determine HTTP address: %v", err))
@ -526,8 +522,8 @@ func (c *Command) Run(args []string) int {
c.Ui.Info(fmt.Sprintf(" Node name: '%s'", config.NodeName))
c.Ui.Info(fmt.Sprintf(" Datacenter: '%s'", config.Datacenter))
c.Ui.Info(fmt.Sprintf(" Server: %v (bootstrap: %v)", config.Server, config.Bootstrap))
c.Ui.Info(fmt.Sprintf(" Client Addr: %v (HTTP: %d, DNS: %d, RPC: %d)", config.ClientAddr,
config.Ports.HTTP, config.Ports.DNS, config.Ports.RPC))
c.Ui.Info(fmt.Sprintf(" Client Addr: %v (HTTP: %d, HTTPS: %d, DNS: %d, RPC: %d)", config.ClientAddr,
config.Ports.HTTP, config.Ports.HTTPS, config.Ports.DNS, config.Ports.RPC))
c.Ui.Info(fmt.Sprintf(" Cluster Addr: %v (LAN: %d, WAN: %d)", config.AdvertiseAddr,
config.Ports.SerfLan, config.Ports.SerfWan))
c.Ui.Info(fmt.Sprintf("Gossip encrypt: %v, RPC-TLS: %v, TLS-Incoming: %v",
@ -709,7 +705,7 @@ Options:
-bind=0.0.0.0 Sets the bind address for cluster communication
-bootstrap-expect=0 Sets server to expect bootstrap mode.
-client=127.0.0.1 Sets the address to bind for client access.
This includes RPC, DNS and HTTP
This includes RPC, DNS, HTTP and HTTPS (if configured)
-config-file=foo Path to a JSON file to read configuration from.
This can be specified multiple times.
-config-dir=foo Path to a directory to read configuration files

View File

@ -1,10 +1,13 @@
package agent
import (
"crypto/tls"
"crypto/x509"
"encoding/base64"
"encoding/json"
"fmt"
"io"
"io/ioutil"
"net"
"os"
"path/filepath"
@ -23,6 +26,7 @@ import (
type PortConfig struct {
DNS int // DNS Query interface
HTTP int // HTTP API
HTTPS int // HTTPS API
RPC int // CLI RPC
SerfLan int `mapstructure:"serf_lan"` // LAN gossip (Client + Server)
SerfWan int `mapstructure:"serf_wan"` // WAN gossip (Server onlyg)
@ -35,6 +39,7 @@ type PortConfig struct {
type AddressConfig struct {
DNS string // DNS Query interface
HTTP string // HTTP API
HTTPS string // HTTPS API
RPC string // CLI RPC
}
@ -122,7 +127,7 @@ type Config struct {
NodeName string `mapstructure:"node_name"`
// ClientAddr is used to control the address we bind to for
// client services (DNS, HTTP, RPC)
// client services (DNS, HTTP, HTTPS, RPC)
ClientAddr string `mapstructure:"client_addr"`
// BindAddr is used to control the address we bind to.
@ -332,6 +337,7 @@ func DefaultConfig() *Config {
Ports: PortConfig{
DNS: 8600,
HTTP: 8500,
HTTPS: -1,
RPC: 8400,
SerfLan: consul.DefaultLANSerfPort,
SerfWan: consul.DefaultWANSerfPort,
@ -385,6 +391,77 @@ func (c *Config) ClientListenerAddr(override string, port int) (string, error) {
return addr.String(), nil
}
// AppendCA opens and parses the CA file and adds the certificates to
// the provided CertPool.
func (c *Config) AppendCA(pool *x509.CertPool) error {
if c.CAFile == "" {
return nil
}
// Read the file
data, err := ioutil.ReadFile(c.CAFile)
if err != nil {
return fmt.Errorf("Failed to read CA file: %v", err)
}
if !pool.AppendCertsFromPEM(data) {
return fmt.Errorf("Failed to parse any CA certificates")
}
return nil
}
// KeyPair is used to open and parse a certificate and key file
func (c *Config) KeyPair() (*tls.Certificate, error) {
if c.CertFile == "" || c.KeyFile == "" {
return nil, nil
}
cert, err := tls.LoadX509KeyPair(c.CertFile, c.KeyFile)
if err != nil {
return nil, fmt.Errorf("Failed to load cert/key pair: %v", err)
}
return &cert, err
}
// IncomingTLSConfig generates a TLS configuration for incoming requests
func (c *Config) IncomingTLSConfig() (*tls.Config, error) {
// Create the tlsConfig
tlsConfig := &tls.Config{
ServerName: c.ServerName,
ClientCAs: x509.NewCertPool(),
ClientAuth: tls.NoClientCert,
}
if tlsConfig.ServerName == "" {
tlsConfig.ServerName = c.NodeName
}
// Parse the CA cert if any
err := c.AppendCA(tlsConfig.ClientCAs)
if err != nil {
return nil, err
}
// Add cert/key
cert, err := c.KeyPair()
if err != nil {
return nil, err
} else if cert != nil {
tlsConfig.Certificates = []tls.Certificate{*cert}
}
// Check if we require verification
if c.VerifyIncoming {
tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
if c.CAFile == "" {
return nil, fmt.Errorf("VerifyIncoming set, and no CA certificate provided!")
}
if cert == nil {
return nil, fmt.Errorf("VerifyIncoming set, and no Cert/Key pair provided!")
}
}
return tlsConfig, nil
}
// DecodeConfig reads the configuration from the given reader in JSON
// format and decodes it into a proper Config structure.
func DecodeConfig(r io.Reader) (*Config, error) {
@ -711,6 +788,9 @@ func MergeConfig(a, b *Config) *Config {
if b.Ports.HTTP != 0 {
result.Ports.HTTP = b.Ports.HTTP
}
if b.Ports.HTTPS != 0 {
result.Ports.HTTPS = b.Ports.HTTPS
}
if b.Ports.RPC != 0 {
result.Ports.RPC = b.Ports.RPC
}
@ -729,6 +809,9 @@ func MergeConfig(a, b *Config) *Config {
if b.Addresses.HTTP != "" {
result.Addresses.HTTP = b.Addresses.HTTP
}
if b.Addresses.HTTPS != "" {
result.Addresses.HTTPS = b.Addresses.HTTPS
}
if b.Addresses.RPC != "" {
result.Addresses.RPC = b.Addresses.RPC
}

View File

@ -137,7 +137,7 @@ func TestDecodeConfig(t *testing.T) {
}
// RPC configs
input = `{"ports": {"http": 1234, "rpc": 8100}, "client_addr": "0.0.0.0"}`
input = `{"ports": {"http": 1234, "https": 1243, "rpc": 8100}, "client_addr": "0.0.0.0"}`
config, err = DecodeConfig(bytes.NewReader([]byte(input)))
if err != nil {
t.Fatalf("err: %s", err)
@ -151,6 +151,10 @@ func TestDecodeConfig(t *testing.T) {
t.Fatalf("bad: %#v", config)
}
if config.Ports.HTTPS != 1243 {
t.Fatalf("bad: %#v", config)
}
if config.Ports.RPC != 8100 {
t.Fatalf("bad: %#v", config)
}
@ -494,7 +498,7 @@ func TestDecodeConfig(t *testing.T) {
}
// Address overrides
input = `{"addresses": {"dns": "0.0.0.0", "http": "127.0.0.1", "rpc": "127.0.0.1"}}`
input = `{"addresses": {"dns": "0.0.0.0", "http": "127.0.0.1", "https": "127.0.0.1", "rpc": "127.0.0.1"}}`
config, err = DecodeConfig(bytes.NewReader([]byte(input)))
if err != nil {
t.Fatalf("err: %s", err)
@ -506,6 +510,9 @@ func TestDecodeConfig(t *testing.T) {
if config.Addresses.HTTP != "127.0.0.1" {
t.Fatalf("bad: %#v", config)
}
if config.Addresses.HTTPS != "127.0.0.1" {
t.Fatalf("bad: %#v", config)
}
if config.Addresses.RPC != "127.0.0.1" {
t.Fatalf("bad: %#v", config)
}
@ -842,11 +849,13 @@ func TestMergeConfig(t *testing.T) {
SerfLan: 4,
SerfWan: 5,
Server: 6,
HTTPS: 7,
},
Addresses: AddressConfig{
DNS: "127.0.0.1",
HTTP: "127.0.0.2",
RPC: "127.0.0.3",
HTTPS: "127.0.0.4",
},
Server: true,
LeaveOnTerm: true,

View File

@ -1,6 +1,7 @@
package agent
import (
"crypto/tls"
"encoding/json"
"io"
"log"
@ -23,39 +24,122 @@ type HTTPServer struct {
listener net.Listener
logger *log.Logger
uiDir string
addr string
}
// NewHTTPServer starts a new HTTP server to provide an interface to
// NewHTTPServers starts new HTTP servers to provide an interface to
// the agent.
func NewHTTPServer(agent *Agent, uiDir string, enableDebug bool, logOutput io.Writer, bind string) (*HTTPServer, error) {
// Create the mux
mux := http.NewServeMux()
func NewHTTPServers(agent *Agent, config *Config, logOutput io.Writer) ([]*HTTPServer, error) {
var tlsConfig *tls.Config
var list net.Listener
var httpAddr *net.TCPAddr
var err error
var servers []*HTTPServer
// Create listener
list, err := net.Listen("tcp", bind)
if config.Ports.HTTPS > 0 {
httpAddr, err = config.ClientListener(config.Addresses.HTTPS, config.Ports.HTTPS)
if err != nil {
return nil, err
}
tlsConfig, err = config.IncomingTLSConfig()
if err != nil {
return nil, err
}
ln, err := net.Listen("tcp", httpAddr.String())
if err != nil {
return nil, err
}
list = tls.NewListener(tcpKeepAliveListener{ln.(*net.TCPListener)}, tlsConfig)
// Create the mux
mux := http.NewServeMux()
// Create the server
srv := &HTTPServer{
agent: agent,
mux: mux,
listener: list,
logger: log.New(logOutput, "", log.LstdFlags),
uiDir: uiDir,
uiDir: config.UiDir,
addr: httpAddr.String(),
}
srv.registerHandlers(enableDebug)
srv.registerHandlers(config.EnableDebug)
// Start the server
go http.Serve(list, mux)
return srv, nil
servers := make([]*HTTPServer, 1)
servers[0] = srv
}
if config.Ports.HTTP > 0 {
httpAddr, err = config.ClientListener(config.Addresses.HTTP, config.Ports.HTTP)
if err != nil {
return nil, err
}
// Create non-TLS listener
list, err = net.Listen("tcp", httpAddr.String())
if err != nil {
return nil, err
}
// Create the mux
mux := http.NewServeMux()
// Create the server
srv := &HTTPServer{
agent: agent,
mux: mux,
listener: list,
logger: log.New(logOutput, "", log.LstdFlags),
uiDir: config.UiDir,
addr: httpAddr.String(),
}
srv.registerHandlers(config.EnableDebug)
// Start the server
go http.Serve(list, mux)
if servers != nil {
// we already have the https server in servers, append
servers = append(servers, srv)
} else {
servers := make([]*HTTPServer, 1)
servers[0] = srv
}
}
return servers, nil
}
// tcpKeepAliveListener sets TCP keep-alive timeouts on accepted
// connections. It's used by NewHttpServer so
// dead TCP connections eventually go away.
type tcpKeepAliveListener struct {
*net.TCPListener
}
func (ln tcpKeepAliveListener) Accept() (c net.Conn, err error) {
tc, err := ln.AcceptTCP()
if err != nil {
return
}
tc.SetKeepAlive(true)
tc.SetKeepAlivePeriod(3 * time.Minute)
return tc, nil
}
// Shutdown is used to shutdown the HTTP server
func (s *HTTPServer) Shutdown() {
if s != nil {
s.logger.Printf("[DEBUG] http: Shutting down http server(%v)", s.addr)
s.listener.Close()
}
}
// registerHandlers is used to attach our handlers to the mux
func (s *HTTPServer) registerHandlers(enableDebug bool) {

View File

@ -316,6 +316,7 @@ definitions support being updated during a reload.
for the following keys:
* `dns` - The DNS server, -1 to disable. Default 8600.
* `http` - The HTTP api, -1 to disable. Default 8500.
* `https` - The HTTPS api, -1 to disable. Default -1 (disabled).
* `rpc` - The RPC endpoint. Default 8400.
* `serf_lan` - The Serf LAN port. Default 8301.
* `serf_wan` - The Serf WAN port. Default 8302.