Added HTTPS support via a new HTTPS Port configuration option similar to the HTTP Port.

2014-11-14 14:39:19 -05:00 · 2014-11-14 14:39:19 -05:00 · 59a68ecc26
parent 2cdbae5a95
commit 59a68ecc26
5 changed files with 222 additions and 49 deletions
--- a/command/agent/command.go
+++ b/command/agent/command.go
@ -43,7 +43,7 @@ type Command struct {
 	logOutput         io.Writer
 	agent             *Agent
 	rpcServer         *AgentRPC
-	httpServer        *HTTPServer
+	httpServers       []*HTTPServer
 	dnsServer         *DNSServer
 }

@ -71,7 +71,7 @@ func (c *Command) readConfig() *Config {
 	cmdFlags.BoolVar(&cmdConfig.Bootstrap, "bootstrap", false, "enable server bootstrap mode")
 	cmdFlags.IntVar(&cmdConfig.BootstrapExpect, "bootstrap-expect", 0, "enable automatic bootstrap via expect mode")

-	cmdFlags.StringVar(&cmdConfig.ClientAddr, "client", "", "address to bind client listeners to (DNS, HTTP, RPC)")
+	cmdFlags.StringVar(&cmdConfig.ClientAddr, "client", "", "address to bind client listeners to (DNS, HTTP, HTTPS, RPC)")
 	cmdFlags.StringVar(&cmdConfig.BindAddr, "bind", "", "address to bind server listeners to")
 	cmdFlags.StringVar(&cmdConfig.AdvertiseAddr, "advertise", "", "address to advertise instead of bind addr")

@ -278,20 +278,14 @@ func (c *Command) setupAgent(config *Config, logOutput io.Writer, logWriter *log
 	c.Ui.Output("Starting Consul agent RPC...")
 	c.rpcServer = NewAgentRPC(agent, rpcListener, logOutput, logWriter)

-	if config.Ports.HTTP > 0 {
-		httpAddr, err := config.ClientListener(config.Addresses.HTTP, config.Ports.HTTP)
-		if err != nil {
-			c.Ui.Error(fmt.Sprintf("Invalid HTTP bind address: %s", err))
-			return err
-		}
-
-		server, err := NewHTTPServer(agent, config.UiDir, config.EnableDebug, logOutput, httpAddr.String())
+	if config.Ports.HTTP > 0 || config.Ports.HTTPS > 0 {
+		servers, err := NewHTTPServers(agent, config, logOutput)
 		if err != nil {
 			agent.Shutdown()
-			c.Ui.Error(fmt.Sprintf("Error starting http server: %s", err))
+			c.Ui.Error(fmt.Sprintf("Error starting http servers:", err))
 			return err
 		}
-		c.httpServer = server
+		c.httpServers = servers
 	}

 	if config.Ports.DNS > 0 {
@ -472,8 +466,10 @@ func (c *Command) Run(args []string) int {
 	if c.rpcServer != nil {
 		defer c.rpcServer.Shutdown()
 	}
-	if c.httpServer != nil {
-		defer c.httpServer.Shutdown()
+	if c.httpServers != nil {
+		for _, server := range c.httpServers {
+			defer server.Shutdown()
+		}
 	}

 	// Join startup nodes if specified
@ -502,7 +498,7 @@ func (c *Command) Run(args []string) int {
 		}
 	}

-	// Get the new client listener addr
+	// Get the new client http listener addr
 	httpAddr, err := config.ClientListenerAddr(config.Addresses.HTTP, config.Ports.HTTP)
 	if err != nil {
 		c.Ui.Error(fmt.Sprintf("Failed to determine HTTP address: %v", err))
@ -526,8 +522,8 @@ func (c *Command) Run(args []string) int {
 	c.Ui.Info(fmt.Sprintf("     Node name: '%s'", config.NodeName))
 	c.Ui.Info(fmt.Sprintf("    Datacenter: '%s'", config.Datacenter))
 	c.Ui.Info(fmt.Sprintf("        Server: %v (bootstrap: %v)", config.Server, config.Bootstrap))
-	c.Ui.Info(fmt.Sprintf("   Client Addr: %v (HTTP: %d, DNS: %d, RPC: %d)", config.ClientAddr,
-		config.Ports.HTTP, config.Ports.DNS, config.Ports.RPC))
+	c.Ui.Info(fmt.Sprintf("   Client Addr: %v (HTTP: %d, HTTPS: %d, DNS: %d, RPC: %d)", config.ClientAddr,
+		config.Ports.HTTP, config.Ports.HTTPS, config.Ports.DNS, config.Ports.RPC))
 	c.Ui.Info(fmt.Sprintf("  Cluster Addr: %v (LAN: %d, WAN: %d)", config.AdvertiseAddr,
 		config.Ports.SerfLan, config.Ports.SerfWan))
 	c.Ui.Info(fmt.Sprintf("Gossip encrypt: %v, RPC-TLS: %v, TLS-Incoming: %v",
@ -709,7 +705,7 @@ Options:
  -bind=0.0.0.0            Sets the bind address for cluster communication
  -bootstrap-expect=0      Sets server to expect bootstrap mode.
  -client=127.0.0.1        Sets the address to bind for client access.
-                           This includes RPC, DNS and HTTP
+                           This includes RPC, DNS, HTTP and HTTPS (if configured)
  -config-file=foo         Path to a JSON file to read configuration from.
                           This can be specified multiple times.
  -config-dir=foo          Path to a directory to read configuration files
--- a/command/agent/config.go
+++ b/command/agent/config.go
@ -1,10 +1,13 @@
 package agent

 import (
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"net"
 	"os"
 	"path/filepath"
@ -23,6 +26,7 @@ import (
 type PortConfig struct {
 	DNS     int // DNS Query interface
 	HTTP    int // HTTP API
+	HTTPS   int // HTTPS API
 	RPC     int // CLI RPC
 	SerfLan int `mapstructure:"serf_lan"` // LAN gossip (Client + Server)
 	SerfWan int `mapstructure:"serf_wan"` // WAN gossip (Server onlyg)
@ -35,6 +39,7 @@ type PortConfig struct {
 type AddressConfig struct {
 	DNS   string // DNS Query interface
 	HTTP  string // HTTP API
+	HTTPS string // HTTPS API
 	RPC   string // CLI RPC
 }

@ -122,7 +127,7 @@ type Config struct {
 	NodeName string `mapstructure:"node_name"`

 	// ClientAddr is used to control the address we bind to for
-	// client services (DNS, HTTP, RPC)
+	// client services (DNS, HTTP, HTTPS, RPC)
 	ClientAddr string `mapstructure:"client_addr"`

 	// BindAddr is used to control the address we bind to.
@ -332,6 +337,7 @@ func DefaultConfig() *Config {
 		Ports: PortConfig{
 			DNS:     8600,
 			HTTP:    8500,
+			HTTPS:   -1,
 			RPC:     8400,
 			SerfLan: consul.DefaultLANSerfPort,
 			SerfWan: consul.DefaultWANSerfPort,
@ -385,6 +391,77 @@ func (c *Config) ClientListenerAddr(override string, port int) (string, error) {
 	return addr.String(), nil
 }

+// AppendCA opens and parses the CA file and adds the certificates to
+// the provided CertPool.
+func (c *Config) AppendCA(pool *x509.CertPool) error {
+	if c.CAFile == "" {
+		return nil
+	}
+
+	// Read the file
+	data, err := ioutil.ReadFile(c.CAFile)
+	if err != nil {
+		return fmt.Errorf("Failed to read CA file: %v", err)
+	}
+
+	if !pool.AppendCertsFromPEM(data) {
+		return fmt.Errorf("Failed to parse any CA certificates")
+	}
+
+	return nil
+}
+
+// KeyPair is used to open and parse a certificate and key file
+func (c *Config) KeyPair() (*tls.Certificate, error) {
+	if c.CertFile == "" || c.KeyFile == "" {
+		return nil, nil
+	}
+	cert, err := tls.LoadX509KeyPair(c.CertFile, c.KeyFile)
+	if err != nil {
+		return nil, fmt.Errorf("Failed to load cert/key pair: %v", err)
+	}
+	return &cert, err
+}
+
+// IncomingTLSConfig generates a TLS configuration for incoming requests
+func (c *Config) IncomingTLSConfig() (*tls.Config, error) {
+	// Create the tlsConfig
+	tlsConfig := &tls.Config{
+		ServerName: c.ServerName,
+		ClientCAs:  x509.NewCertPool(),
+		ClientAuth: tls.NoClientCert,
+	}
+	if tlsConfig.ServerName == "" {
+		tlsConfig.ServerName = c.NodeName
+	}
+
+	// Parse the CA cert if any
+	err := c.AppendCA(tlsConfig.ClientCAs)
+	if err != nil {
+		return nil, err
+	}
+
+	// Add cert/key
+	cert, err := c.KeyPair()
+	if err != nil {
+		return nil, err
+	} else if cert != nil {
+		tlsConfig.Certificates = []tls.Certificate{*cert}
+	}
+
+	// Check if we require verification
+	if c.VerifyIncoming {
+		tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
+		if c.CAFile == "" {
+			return nil, fmt.Errorf("VerifyIncoming set, and no CA certificate provided!")
+		}
+		if cert == nil {
+			return nil, fmt.Errorf("VerifyIncoming set, and no Cert/Key pair provided!")
+		}
+	}
+	return tlsConfig, nil
+}
+
 // DecodeConfig reads the configuration from the given reader in JSON
 // format and decodes it into a proper Config structure.
 func DecodeConfig(r io.Reader) (*Config, error) {
@ -711,6 +788,9 @@ func MergeConfig(a, b *Config) *Config {
 	if b.Ports.HTTP != 0 {
 		result.Ports.HTTP = b.Ports.HTTP
 	}
+	if b.Ports.HTTPS != 0 {
+		result.Ports.HTTPS = b.Ports.HTTPS
+	}
 	if b.Ports.RPC != 0 {
 		result.Ports.RPC = b.Ports.RPC
 	}
@ -729,6 +809,9 @@ func MergeConfig(a, b *Config) *Config {
 	if b.Addresses.HTTP != "" {
 		result.Addresses.HTTP = b.Addresses.HTTP
 	}
+	if b.Addresses.HTTPS != "" {
+		result.Addresses.HTTPS = b.Addresses.HTTPS
+	}
 	if b.Addresses.RPC != "" {
 		result.Addresses.RPC = b.Addresses.RPC
 	}
--- a/command/agent/config_test.go
+++ b/command/agent/config_test.go
@ -137,7 +137,7 @@ func TestDecodeConfig(t *testing.T) {
 	}

 	// RPC configs
-	input = `{"ports": {"http": 1234, "rpc": 8100}, "client_addr": "0.0.0.0"}`
+	input = `{"ports": {"http": 1234, "https": 1243, "rpc": 8100}, "client_addr": "0.0.0.0"}`
 	config, err = DecodeConfig(bytes.NewReader([]byte(input)))
 	if err != nil {
 		t.Fatalf("err: %s", err)
@ -151,6 +151,10 @@ func TestDecodeConfig(t *testing.T) {
 		t.Fatalf("bad: %#v", config)
 	}

+	if config.Ports.HTTPS != 1243 {
+		t.Fatalf("bad: %#v", config)
+	}
+
 	if config.Ports.RPC != 8100 {
 		t.Fatalf("bad: %#v", config)
 	}
@ -494,7 +498,7 @@ func TestDecodeConfig(t *testing.T) {
 	}

 	// Address overrides
-	input = `{"addresses": {"dns": "0.0.0.0", "http": "127.0.0.1", "rpc": "127.0.0.1"}}`
+	input = `{"addresses": {"dns": "0.0.0.0", "http": "127.0.0.1", "https": "127.0.0.1", "rpc": "127.0.0.1"}}`
 	config, err = DecodeConfig(bytes.NewReader([]byte(input)))
 	if err != nil {
 		t.Fatalf("err: %s", err)
@ -506,6 +510,9 @@ func TestDecodeConfig(t *testing.T) {
 	if config.Addresses.HTTP != "127.0.0.1" {
 		t.Fatalf("bad: %#v", config)
 	}
+	if config.Addresses.HTTPS != "127.0.0.1" {
+		t.Fatalf("bad: %#v", config)
+	}
 	if config.Addresses.RPC != "127.0.0.1" {
 		t.Fatalf("bad: %#v", config)
 	}
@ -842,11 +849,13 @@ func TestMergeConfig(t *testing.T) {
 			SerfLan: 4,
 			SerfWan: 5,
 			Server:  6,
+			HTTPS:   7,
 		},
 		Addresses: AddressConfig{
 			DNS:   "127.0.0.1",
 			HTTP:  "127.0.0.2",
 			RPC:   "127.0.0.3",
+			HTTPS: "127.0.0.4",
 		},
 		Server:                 true,
 		LeaveOnTerm:            true,
--- a/command/agent/http.go
+++ b/command/agent/http.go
@ -1,6 +1,7 @@
 package agent

 import (
+	"crypto/tls"
 	"encoding/json"
 	"io"
 	"log"
@ -23,38 +24,121 @@ type HTTPServer struct {
 	listener net.Listener
 	logger   *log.Logger
 	uiDir    string
+	addr     string
 }

-// NewHTTPServer starts a new HTTP server to provide an interface to
+// NewHTTPServers starts new HTTP servers to provide an interface to
 // the agent.
-func NewHTTPServer(agent *Agent, uiDir string, enableDebug bool, logOutput io.Writer, bind string) (*HTTPServer, error) {
-	// Create the mux
-	mux := http.NewServeMux()
+func NewHTTPServers(agent *Agent, config *Config, logOutput io.Writer) ([]*HTTPServer, error) {
+	var tlsConfig *tls.Config
+	var list net.Listener
+	var httpAddr *net.TCPAddr
+	var err error
+	var servers []*HTTPServer

-	// Create listener
-	list, err := net.Listen("tcp", bind)
+	if config.Ports.HTTPS > 0 {
+		httpAddr, err = config.ClientListener(config.Addresses.HTTPS, config.Ports.HTTPS)
 		if err != nil {
 			return nil, err
 		}

+		tlsConfig, err = config.IncomingTLSConfig()
+		if err != nil {
+			return nil, err
+		}
+
+		ln, err := net.Listen("tcp", httpAddr.String())
+		if err != nil {
+			return nil, err
+		}
+
+		list = tls.NewListener(tcpKeepAliveListener{ln.(*net.TCPListener)}, tlsConfig)
+
+		// Create the mux
+		mux := http.NewServeMux()
+
 		// Create the server
 		srv := &HTTPServer{
 			agent:    agent,
 			mux:      mux,
 			listener: list,
 			logger:   log.New(logOutput, "", log.LstdFlags),
-		uiDir:    uiDir,
+			uiDir:    config.UiDir,
+			addr:     httpAddr.String(),
 		}
-	srv.registerHandlers(enableDebug)
+		srv.registerHandlers(config.EnableDebug)

 		// Start the server
 		go http.Serve(list, mux)
-	return srv, nil
+
+		servers := make([]*HTTPServer, 1)
+		servers[0] = srv
+	}
+
+	if config.Ports.HTTP > 0 {
+		httpAddr, err = config.ClientListener(config.Addresses.HTTP, config.Ports.HTTP)
+		if err != nil {
+			return nil, err
+		}
+
+		// Create non-TLS listener
+		list, err = net.Listen("tcp", httpAddr.String())
+		if err != nil {
+			return nil, err
+		}
+
+		// Create the mux
+		mux := http.NewServeMux()
+
+		// Create the server
+		srv := &HTTPServer{
+			agent:    agent,
+			mux:      mux,
+			listener: list,
+			logger:   log.New(logOutput, "", log.LstdFlags),
+			uiDir:    config.UiDir,
+			addr:     httpAddr.String(),
+		}
+		srv.registerHandlers(config.EnableDebug)
+
+		// Start the server
+		go http.Serve(list, mux)
+
+		if servers != nil {
+			// we already have the https server in servers, append
+			servers = append(servers, srv)
+		} else {
+			servers := make([]*HTTPServer, 1)
+			servers[0] = srv
+		}
+	}
+
+	return servers, nil
+}
+
+// tcpKeepAliveListener sets TCP keep-alive timeouts on accepted
+// connections. It's used by NewHttpServer so
+// dead TCP connections eventually go away.
+type tcpKeepAliveListener struct {
+	*net.TCPListener
+}
+
+func (ln tcpKeepAliveListener) Accept() (c net.Conn, err error) {
+	tc, err := ln.AcceptTCP()
+	if err != nil {
+		return
+	}
+	tc.SetKeepAlive(true)
+	tc.SetKeepAlivePeriod(3 * time.Minute)
+	return tc, nil
 }

 // Shutdown is used to shutdown the HTTP server
 func (s *HTTPServer) Shutdown() {
+	if s != nil {
+		s.logger.Printf("[DEBUG] http: Shutting down http server(%v)", s.addr)
 		s.listener.Close()
+	}
 }

 // registerHandlers is used to attach our handlers to the mux
--- a/website/source/docs/agent/options.html.markdown
+++ b/website/source/docs/agent/options.html.markdown
@ -316,6 +316,7 @@ definitions support being updated during a reload.
   for the following keys:
    * `dns` - The DNS server, -1 to disable. Default 8600.
    * `http` - The HTTP api, -1 to disable. Default 8500.
+    * `https` - The HTTPS api, -1 to disable. Default -1 (disabled).
    * `rpc` - The RPC endpoint. Default 8400.
    * `serf_lan` - The Serf LAN port. Default 8301.
    * `serf_wan` - The Serf WAN port. Default 8302.