func ListenAndServe(c *cluster.Cluster, s *scheduler.Scheduler, addr, version string, enableCors bool, tlsConfig *tls.Config) error {
context := &context{
cluster: c,
scheduler: s,
version: version,
eventsHandler: NewEventsHandler(),
}
c.Events(context.eventsHandler)
r, err := createRouter(context, enableCors)
if err != nil {
return err
}
server := &http.Server{
Addr: addr,
Handler: r,
}
l, err := net.Listen("tcp", addr)
if err != nil {
return err
}
if tlsConfig != nil {
tlsConfig.NextProtos = []string{"http/1.1"}
l = tls.NewListener(l, tlsConfig)
}
return server.Serve(l)
}
// This is like a combination of http.ListenAndServe and http.ListenAndServeTLS, which also
// uses ThrottledListen to limit the number of open HTTP connections.
func ListenAndServeHTTP(addr string, connLimit int, certFile *string, keyFile *string, handler http.Handler, readTimeout *int, writeTimeout *int) error {
var config *tls.Config
if certFile != nil {
config = &tls.Config{}
config.MinVersion = tls.VersionTLS10 // Disable SSLv3 due to POODLE vulnerability
config.NextProtos = []string{"http/1.1"}
config.Certificates = make([]tls.Certificate, 1)
var err error
config.Certificates[0], err = tls.LoadX509KeyPair(*certFile, *keyFile)
if err != nil {
return err
}
}
listener, err := ThrottledListen("tcp", addr, connLimit)
if err != nil {
return err
}
if config != nil {
listener = tls.NewListener(listener, config)
}
defer listener.Close()
server := &http.Server{Addr: addr, Handler: handler}
if readTimeout != nil {
server.ReadTimeout = time.Duration(*readTimeout) * time.Second
}
if writeTimeout != nil {
server.WriteTimeout = time.Duration(*writeTimeout) * time.Second
}
return server.Serve(listener)
}
func newListener(proto, addr string, tlsConfig *tls.Config) (net.Listener, error) {
var (
l net.Listener
err error
)
switch proto {
case "unix", "unixpacket":
// Unix sockets must be unlink()ed before being reused again
if err := syscall.Unlink(addr); err != nil && !os.IsNotExist(err) {
return nil, err
}
l, err = net.Listen(proto, addr)
case "tcp":
l, err = net.Listen(proto, addr)
default:
return nil, fmt.Errorf("unsupported protocol: %q", proto)
}
if tlsConfig != nil {
tlsConfig.NextProtos = []string{"http/1.1"}
l = tls.NewListener(l, tlsConfig)
}
return l, err
}
//run starts the webserver
func (v *Vault) startServer() error {
glog.Infof("Starting local server\n")
router := gin.New()
//TODO initialize configurations, correct middlewares, https/http
router.Use(ginglog.Logger(5)) //5 seconds
router.Use(gin.Recovery())
//setting up https by default
var tlsConfig = tls.Config{}
keypair, err := tls.LoadX509KeyPair(v.config["tlsCertfilePath"], v.config["tlsKeyfilePath"])
if err != nil {
fmt.Printf("ERR: Could not load X509 KeyPair, caused by: %s\n", err)
os.Exit(1) //exit explicitely as we choose a fail fast approach
}
tlsConfig.Certificates = []tls.Certificate{keypair}
tlsConfig.NextProtos = []string{"http/1.1"}
tlsConfig.Rand = rand.Reader
router.GET("/secret/:appID", v.getSecret)
serve := &http.Server{
Addr: fmt.Sprintf(":%s", v.config["serverPort"]),
Handler: router,
TLSConfig: &tlsConfig,
}
err = serve.ListenAndServe()
if err != nil {
glog.Errorf("Cannot start server for Cubbyhole tokens distribution\n")
}
return err
}
//httpServer 启动http服务器并监听
func (ser *Server) httpServer(l net.Listener) {
var (
addr = l.Addr().String()
err error
)
httpServer := &http.Server{
Addr: addr,
Handler: http.HandlerFunc(ser.httpHandler),
TLSConfig: ser.TLSConfig,
}
httpServer.SetKeepAlivesEnabled(true)
addrs := strings.Split(addr, ":")
if addrs[1] == "443" || addrs[1] == "https" {
tlsConfig := new(tls.Config)
if httpServer.TLSConfig != nil {
*tlsConfig = *httpServer.TLSConfig
}
if tlsConfig.NextProtos == nil {
tlsConfig.NextProtos = []string{"http/1.1"}
}
l = tls.NewListener(l, tlsConfig)
}
err = httpServer.Serve(l)
CheckErr("服务器停止", err)
}
// Enable HTTP2ForTLSConfig explicitly enables http/2 for a TLS Config. This is due to changes in Go 1.7 where
// http servers are no longer automatically configured to enable http/2 if the server's TLSConfig is set.
// See https://github.com/golang/go/issues/15908
func enableHTTP2ForTLSConfig(t *tls.Config) {
if TLSConfigHasHTTP2Enabled(t) {
return
}
t.NextProtos = append(t.NextProtos, "h2")
}
func (t *Transport) newTLSConfig(host string) *tls.Config {
cfg := new(tls.Config)
if t.TLSClientConfig != nil {
*cfg = *t.TLSClientConfig
}
cfg.NextProtos = []string{NextProtoTLS} // TODO: don't override if already in list
cfg.ServerName = host
return cfg
}
// NewTCPSocket creates a TCP socket listener with the specified address and
// and the specified tls configuration. If TLSConfig is set, will encapsulate the
// TCP listener inside a TLS one.
// The channel passed is used to activate the listenbuffer when the caller is ready
// to accept connections.
func NewTCPSocket(addr string, tlsConfig *tls.Config, activate <-chan struct{}) (net.Listener, error) {
l, err := listenbuffer.NewListenBuffer("tcp", addr, activate)
if err != nil {
return nil, err
}
if tlsConfig != nil {
tlsConfig.NextProtos = []string{"http/1.1"}
l = tls.NewListener(l, tlsConfig)
}
return l, nil
}
// NewTCPSocket creates a TCP socket listener with the specified address and
// and the specified tls configuration. If TLSConfig is set, will encapsulate the
// TCP listener inside a TLS one.
func NewTCPSocket(addr string, tlsConfig *tls.Config) (net.Listener, error) {
l, err := net.Listen("tcp", addr)
if err != nil {
return nil, err
}
if tlsConfig != nil {
tlsConfig.NextProtos = []string{"http/1.1"}
l = tls.NewListener(l, tlsConfig)
}
return l, nil
}
func (t *Transport) newTLSConfig(host string) *tls.Config {
cfg := new(tls.Config)
if t.TLSClientConfig != nil {
*cfg = *t.TLSClientConfig
}
if !strSliceContains(cfg.NextProtos, NextProtoTLS) {
cfg.NextProtos = append([]string{NextProtoTLS}, cfg.NextProtos...)
}
if cfg.ServerName == "" {
cfg.ServerName = host
}
return cfg
}
func (this *Server) Run(mode string, addr string, port int) error {
var tlsConfig *tls.Config
var err error
if mode == "https" {
tlsConfig = &tls.Config{}
if tlsConfig.NextProtos == nil {
tlsConfig.NextProtos = []string{"http/1.1"}
}
tlsConfig.Certificates = make([]tls.Certificate, 1)
tlsConfig.Certificates[0], err = tls.LoadX509KeyPair(SslCertificate, SslCertificateKey)
if err != nil {
return err
}
}
listenUnix := false
if strings.HasPrefix(addr, "unix:") {
listenUnix = true
addr = addr[5:]
}
if listenUnix {
os.Remove(addr)
this.listener, err = net.Listen("unix", addr)
if err == nil {
os.Chmod(addr, os.FileMode(0666))
defer os.Remove(addr)
}
} else {
listenAddr := net.JoinHostPort(addr, fmt.Sprintf("%d", port))
this.listener, err = net.Listen("tcp", listenAddr)
}
if err != nil {
return err
}
// defer this.listener.Close()
this.RunMode = mode
switch mode {
case "http":
http.Serve(this.listener, this.router)
case "fcgi":
fcgi.Serve(this.listener, this.router)
case "https":
http.Serve(tls.NewListener(this.listener, tlsConfig), this.router)
default:
http.Serve(this.listener, this.router)
}
return nil
}
func newListener(proto, addr string, tlsConfig *tls.Config) (net.Listener, error) {
l, err := net.Listen(proto, addr)
if err != nil {
if strings.Contains(err.Error(), "address already in use") && strings.Contains(addr, DefaultDockerPort) {
return nil, fmt.Errorf("%s: is Docker already running on this machine? Try using a different port", err)
}
return nil, err
}
if tlsConfig != nil {
tlsConfig.NextProtos = []string{"http/1.1"}
l = tls.NewListener(l, tlsConfig)
}
return l, nil
}
// Listen listens for incoming TLS connections and
// returns a Listener that accepts SPDY sessions.
func ListenTLS(addr, certFile, keyFile string) (*Listener, error) {
var config tls.Config
config.NextProtos = []string{"rspdy/3"}
var err error
config.Certificates = make([]tls.Certificate, 1)
config.Certificates[0], err = tls.LoadX509KeyPair(certFile, keyFile)
if err != nil {
return nil, err
}
l, err := tls.Listen("tcp", addr, &config)
if err != nil {
return nil, err
}
return &Listener{l}, nil
}
// make tls.Config with spdy/3 npn
func ConfigTLS(addr, certFile, keyFile string) (*tls.Config, error) {
if addr == "" {
addr = ":https"
}
var config *tls.Config = &tls.Config{}
config.NextProtos = []string{"spdy/3"}
var err error
config.Certificates = make([]tls.Certificate, 1)
config.Certificates[0], err = tls.LoadX509KeyPair(certFile, keyFile)
if err != nil {
return nil, err
}
return config, nil
}
// ListenAndServeTLSWithSNI serves TLS with Server Name Indication (SNI) support, which allows
// multiple sites (different hostnames) to be served from the same address. This method is
// adapted directly from the std lib's net/http ListenAndServeTLS function, which was
// written by the Go Authors. It has been modified to support multiple certificate/key pairs.
func ListenAndServeTLSWithSNI(srv *http.Server, tlsConfigs []TLSConfig) error {
addr := srv.Addr
if addr == "" {
addr = ":https"
}
config := new(tls.Config)
if srv.TLSConfig != nil {
*config = *srv.TLSConfig
}
if config.NextProtos == nil {
config.NextProtos = []string{"http/1.1"}
}
// Here we diverge from the stdlib a bit by loading multiple certs/key pairs
// then we map the server names to their certs
var err error
config.Certificates = make([]tls.Certificate, len(tlsConfigs))
for i, tlsConfig := range tlsConfigs {
config.Certificates[i], err = tls.LoadX509KeyPair(tlsConfig.Certificate, tlsConfig.Key)
if err != nil {
return err
}
}
config.BuildNameToCertificate()
// Customize our TLS configuration
config.MinVersion = tlsConfigs[0].ProtocolMinVersion
config.MaxVersion = tlsConfigs[0].ProtocolMaxVersion
config.CipherSuites = tlsConfigs[0].Ciphers
config.PreferServerCipherSuites = tlsConfigs[0].PreferServerCipherSuites
// TLS client authentication, if user enabled it
err = setupClientAuth(tlsConfigs, config)
if err != nil {
return err
}
// Create listener and we're on our way
conn, err := net.Listen("tcp", addr)
if err != nil {
return err
}
tlsListener := tls.NewListener(conn, config)
return srv.Serve(tlsListener)
}
// DialAndServeTLS dials a TLS connection, then serves incoming HTTP
// requests. If h is nil, it uses http.DefaultHandler.
// If config.NextProtos is nil, it uses "rspdy/3".
func DialAndServeTLS(network, addr string, config *tls.Config, h http.Handler) error {
var srv spdy.Server
srv.Handler = h
config1 := new(tls.Config)
if config != nil {
*config1 = *config
}
if config1.NextProtos == nil {
config1.NextProtos = []string{"rspdy/3"}
}
// TODO(kr): cert stuff
conn, err := tls.Dial(network, addr, config1)
if err != nil {
return err
}
return srv.ServeConn(conn)
}
func main() {
var err error
flag.Parse()
session.LoadConfig()
var tlsc tls.Config
tlsc.NextProtos = []string{"http/1.1"}
tlsc.Certificates = make([]tls.Certificate, 1)
if tlsc.Certificates[0], err = tls.X509KeyPair(session.Conf.HttpsCert, session.Conf.HttpsKey); err != nil {
panic("Error attempting to use HttpsCert and HttpsKey to create a certificate: " + err.Error())
}
// verify the HttpsCert
asn1, _ := pem.Decode(session.Conf.HttpsCert)
cert, err := x509.ParseCertificate(asn1.Bytes)
if err != nil {
panic(fmt.Sprintf("Error parsing cert data: %s\n", err))
}
var vo x509.VerifyOptions
chains, err := cert.Verify(vo)
if err != nil {
panic(fmt.Sprintf("Error verifying: %s", err))
}
if len(chains) <= 0 {
panic(fmt.Sprintf("Configured HttpsCert did not verify: %s\n", err))
}
// set up the handler and start the server
http.HandleFunc("/session/", session.Handler)
addr := fmt.Sprintf("%s:%d", session.Conf.HttpsHost, session.Conf.HttpsPort)
tlsServer := &http.Server{Addr: addr, TLSConfig: &tlsc}
conn, err := net.Listen("tcp", addr)
if err != nil {
panic("Error while listening: " + err.Error())
}
tlsListener := tls.NewListener(conn, &tlsc)
tlsServer.Serve(tlsListener)
}
//Runs the web application and serves http requests
func (s *Server) Run(addr string) {
s.initServer()
mux := http.NewServeMux()
if s.profile {
mux.Handle("/debug/pprof/cmdline", http.HandlerFunc(pprof.Cmdline))
mux.Handle("/debug/pprof/profile", http.HandlerFunc(pprof.Profile))
mux.Handle("/debug/pprof/heap", pprof.Handler("heap"))
mux.Handle("/debug/pprof/block", pprof.Handler("block"))
mux.Handle("/debug/pprof/routine", pprof.Handler("goroutine"))
mux.Handle("/debug/pprof/symbol", http.HandlerFunc(pprof.Symbol))
}
mux.Handle("/", s)
var l net.Listener
var err error
if s.Config.TLSConfig != nil {
s.Logger.Printf("web.go serving %s [SSL]", addr)
cert, err := tls.LoadX509KeyPair(s.Config.TLSConfig.Cert, s.Config.TLSConfig.Key)
if err != nil {
log.Fatal("Load tls cert/key:", err)
}
tlsc := tls.Config{}
tlsc.NextProtos = []string{"http/1.1"}
tlsc.Certificates = []tls.Certificate{cert}
l, err = tls.Listen("tcp", addr, &tlsc)
} else {
s.Logger.Printf("web.go serving %s", addr)
l, err = net.Listen("tcp", addr)
}
if err != nil {
log.Fatal("ListenAndServe:", err)
}
if l == nil {
log.Fatal("ListenAndServe failed")
}
s.l = l
err = http.Serve(s.l, mux)
s.l.Close()
}
func ListenAndServeTLSWithSNI(srv *http.Server, tlsConfigs []TLSConfig) error {
addr := srv.Addr
if addr == "" {
addr = ":https"
}
config := new(tls.Config)
if srv.TLSConfig != nil {
*config = *srv.TLSConfig
}
if config.NextProtos == nil {
config.NextProtos = []string{"http/1.1"}
}
var err error
config.Certificates = make([]tls.Certificate, len(tlsConfigs))
for i, tlsConfig := range tlsConfigs {
config.Certificates[i], err = tls.LoadX509KeyPair(tlsConfig.Certificate, tlsConfig.Key)
if err != nil {
return err
}
}
config.BuildNameToCertificate()
config.MinVersion = tlsConfigs[0].ProtocolMinVersion
config.MaxVersion = tlsConfigs[0].ProtocolMaxVersion
config.CipherSuites = tlsConfigs[0].Ciphers
config.PreferServerCipherSuites = tlsConfigs[0].PreferServerCipherSuites
err = setupClientAuth(tlsConfigs, config)
if err != nil {
return err
}
conn, err := net.Listen("tcp", addr)
if err != nil {
return err
}
tlsListener := tls.NewListener(conn, config)
return srv.Serve(tlsListener)
}
// TLSListeners returns a slice containing a net.listener for each matching TCP socket type
// passed to this process.
// It uses default Listeners func and forces TCP sockets handlers to use TLS based on tlsConfig.
func TLSListeners(unsetEnv bool, tlsConfig *tls.Config) ([]net.Listener, error) {
listeners, err := Listeners(unsetEnv)
if listeners == nil || err != nil {
return nil, err
}
if tlsConfig != nil && err == nil {
tlsConfig.NextProtos = []string{"http/1.1"}
for i, l := range listeners {
// Activate TLS only for TCP sockets
if l.Addr().Network() == "tcp" {
listeners[i] = tls.NewListener(l, tlsConfig)
}
}
}
return listeners, err
}
// This is like a combination of http.ListenAndServe and http.ListenAndServeTLS, which also
// uses ThrottledListen to limit the number of open HTTP connections.
func ListenAndServeHTTP(addr string, connLimit int, certFile *string, keyFile *string, handler http.Handler) error {
var config *tls.Config
if certFile != nil {
config = &tls.Config{}
config.NextProtos = []string{"http/1.1"}
config.Certificates = make([]tls.Certificate, 1)
var err error
config.Certificates[0], err = tls.LoadX509KeyPair(*certFile, *keyFile)
if err != nil {
return err
}
}
listener, err := ThrottledListen("tcp", addr, connLimit)
if err != nil {
return err
}
if config != nil {
listener = tls.NewListener(listener, config)
}
defer listener.Close()
server := &http.Server{Addr: addr, Handler: handler}
return server.Serve(listener)
}
// ListenAndServeTLSWithConfig binds sockets according to the provided TLS
// config and blocks until the socket closes or an exit signal is received.
func (srv *Server) ListenTLSWithConfig(config *tls.Config) error {
addr := srv.Addr
if addr == "" {
addr = ":https"
}
if config == nil {
return errors.New("TLSConfig required")
}
if len(config.Certificates) == 0 {
return errors.New("TLSConfig has no certificate")
}
if config.NextProtos == nil {
config.NextProtos = []string{"http/1.1"}
}
if l, err := srv.socketListen(addr); err == nil {
srv.listener = tls.NewListener(l, config)
} else {
return err
}
return nil
}
func (t *Transport) RoundTrip(req *http.Request) (resp *http.Response, err error) {
if req.URL == nil {
return nil, errors.New("http: nil Request.URL")
}
if req.Header == nil {
return nil, errors.New("http: nil Request.Header")
}
if req.URL.Scheme != "https" {
if t.FallbackClient == nil {
return nil, errors.New(fmt.Sprintf("spdy: no fallback client for scheme %s", req.URL.Scheme))
}
return t.FallbackClient.Do(req)
}
var proxy *url.URL
if t.Proxy != nil {
if proxy, err = t.Proxy(req); err != nil {
return nil, err
}
}
key := connKey(proxy, req)
reconnect:
t.lk.Lock()
c := t.connections[key]
// Try and use an existing connection
if c == nil {
proxySock, err := t.dialProxy(proxy, req.URL.Host)
if err != nil {
t.lk.Unlock()
return nil, err
}
cfg := tls.Config{}
if t.TLSClientConfig != nil {
cfg = *t.TLSClientConfig
}
cfg.NextProtos = []string{"http/1.1", "spdy/3", "spdy/2"}
cfg.ServerName = removePort(req.URL.Host)
tlsSock := tls.Client(proxySock, &cfg)
if err := tlsSock.Handshake(); err != nil {
t.lk.Unlock()
tlsSock.Close()
proxySock.Close()
return nil, err
}
if err := tlsSock.VerifyHostname(cfg.ServerName); err != nil {
t.lk.Unlock()
tlsSock.Close()
proxySock.Close()
return nil, err
}
Log("negotiated protocol %s", tlsSock.ConnectionState().NegotiatedProtocol)
switch tlsSock.ConnectionState().NegotiatedProtocol {
case "http/1.1":
// fallback to a standard HTTPS client
t.lk.Unlock()
client := httputil.NewClientConn(tlsSock, nil)
resp, err := client.Do(req)
client.Close()
tlsSock.Close()
proxySock.Close()
return resp, err
case "spdy/2":
c = NewConnection(tlsSock, nil, 2, false)
case "spdy/3":
c = NewConnection(tlsSock, nil, 3, false)
default:
panic("spdy-internal: unexpected negotiated protocol")
}
if t.connections == nil {
t.connections = make(map[string]*Connection)
}
t.connections[key] = c
go t.runClient(key, c)
}
t.lk.Unlock()
resp, err = c.startRequest(nil, req, &t.RequestExtra)
// In the case that we missed the connection due to being told to go
// away, we need to reconnect. This is due to either the server
// sending us a GO_AWAY or the startRequest going through after the
// socket has already been closed due to an error or timeout.
if err == errGoAway {
goto reconnect
}
return resp, err
}
// newServerTesterInternal creates test context. If frontendTLS is
// true, set up TLS frontend connection. connectPort is the server
// side port where client connection is made.
func newServerTesterInternal(src_args []string, t *testing.T, handler http.Handler, frontendTLS bool, connectPort int, clientConfig *tls.Config) *serverTester {
ts := httptest.NewUnstartedServer(handler)
args := []string{}
backendTLS := false
dns := false
externalDNS := false
acceptProxyProtocol := false
for _, k := range src_args {
switch k {
case "--http2-bridge":
backendTLS = true
case "--dns":
dns = true
case "--external-dns":
dns = true
externalDNS = true
case "--accept-proxy-protocol":
acceptProxyProtocol = true
default:
args = append(args, k)
}
}
if backendTLS {
nghttp2.ConfigureServer(ts.Config, &nghttp2.Server{})
// According to httptest/server.go, we have to set
// NextProtos separately for ts.TLS. NextProtos set
// in nghttp2.ConfigureServer is effectively ignored.
ts.TLS = new(tls.Config)
ts.TLS.NextProtos = append(ts.TLS.NextProtos, "h2")
ts.StartTLS()
args = append(args, "-k")
} else {
ts.Start()
}
scheme := "http"
if frontendTLS {
scheme = "https"
args = append(args, testDir+"/server.key", testDir+"/server.crt")
}
backendURL, err := url.Parse(ts.URL)
if err != nil {
t.Fatalf("Error parsing URL from httptest.Server: %v", err)
}
// URL.Host looks like "127.0.0.1:8080", but we want
// "127.0.0.1,8080"
b := "-b"
if !externalDNS {
b += fmt.Sprintf("%v;", strings.Replace(backendURL.Host, ":", ",", -1))
} else {
sep := strings.LastIndex(backendURL.Host, ":")
if sep == -1 {
t.Fatalf("backendURL.Host %v does not contain separator ':'", backendURL.Host)
}
// We use awesome service xip.io.
b += fmt.Sprintf("%v.xip.io,%v;", backendURL.Host[:sep], backendURL.Host[sep+1:])
}
if backendTLS {
b += ";proto=h2;tls"
}
if dns {
b += ";dns"
}
noTLS := ";no-tls"
if frontendTLS {
noTLS = ""
}
var proxyProto string
if acceptProxyProtocol {
proxyProto = ";proxyproto"
}
args = append(args, fmt.Sprintf("-f127.0.0.1,%v%v%v", serverPort, noTLS, proxyProto), b,
"--errorlog-file="+logDir+"/log.txt", "-LINFO")
authority := fmt.Sprintf("127.0.0.1:%v", connectPort)
st := &serverTester{
cmd: exec.Command(serverBin, args...),
t: t,
ts: ts,
url: fmt.Sprintf("%v://%v", scheme, authority),
frontendHost: fmt.Sprintf("127.0.0.1:%v", serverPort),
backendHost: backendURL.Host,
nextStreamID: 1,
authority: authority,
frCh: make(chan http2.Frame),
spdyFrCh: make(chan spdy.Frame),
errCh: make(chan error),
}
if err := st.cmd.Start(); err != nil {
st.t.Fatalf("Error starting %v: %v", serverBin, err)
}
retry := 0
for {
time.Sleep(50 * time.Millisecond)
var conn net.Conn
var err error
if frontendTLS {
var tlsConfig *tls.Config
if clientConfig == nil {
tlsConfig = new(tls.Config)
} else {
tlsConfig = clientConfig
}
tlsConfig.InsecureSkipVerify = true
tlsConfig.NextProtos = []string{"h2", "spdy/3.1"}
conn, err = tls.Dial("tcp", authority, tlsConfig)
} else {
conn, err = net.Dial("tcp", authority)
}
if err != nil {
retry += 1
if retry >= 100 {
st.Close()
st.t.Fatalf("Error server is not responding too long; server command-line arguments may be invalid")
}
continue
}
if frontendTLS {
tlsConn := conn.(*tls.Conn)
cs := tlsConn.ConnectionState()
if !cs.NegotiatedProtocolIsMutual {
st.Close()
st.t.Fatalf("Error negotiated next protocol is not mutual")
}
}
st.conn = conn
break
}
st.fr = http2.NewFramer(st.conn, st.conn)
spdyFr, err := spdy.NewFramer(st.conn, st.conn)
if err != nil {
st.Close()
st.t.Fatalf("Error spdy.NewFramer: %v", err)
}
st.spdyFr = spdyFr
st.enc = hpack.NewEncoder(&st.headerBlkBuf)
st.dec = hpack.NewDecoder(4096, func(f hpack.HeaderField) {
st.header.Add(f.Name, f.Value)
})
return st
}
//Run starts Howler
func (svc *Service) Run(cfg ServerSettings) error {
config = cfg // save config in global
// init gin
if !config.Configuration.DebugEnabled {
gin.SetMode(gin.ReleaseMode)
}
var oauth2Endpoint = oauth2.Endpoint{
AuthURL: config.Configuration.AuthURL,
TokenURL: config.Configuration.TokenURL,
}
// Middleware
router := gin.New()
// use glog for logging
router.Use(ginglog.Logger(config.Configuration.LogFlushInterval))
// monitoring GO internals and counter middleware
counterAspect := &ginmon.CounterAspect{0}
asps := []aspects.Aspect{counterAspect}
router.Use(ginmon.CounterHandler(counterAspect))
router.Use(gomonitor.Metrics(9000, asps))
router.Use(ginoauth2.RequestLogger([]string{"uid", "team"}, "data"))
// last middleware
router.Use(gin.Recovery())
// OAuth2 secured if conf.Oauth2Enabled is set
var private *gin.RouterGroup
if config.Configuration.Oauth2Enabled {
private = router.Group("")
var accessTuple = make([]zalando.AccessTuple, len(config.Configuration.AuthorizedUsers))
for i, v := range config.Configuration.AuthorizedUsers {
accessTuple[i] = zalando.AccessTuple{Realm: v.Realm, Uid: v.UID, Cn: v.Cn}
}
zalando.AccessTuples = accessTuple
private.Use(ginoauth2.Auth(zalando.UidCheck, oauth2Endpoint))
}
router.GET("/", rootHandler)
if config.Configuration.Oauth2Enabled {
//authenticated routes
private.GET("/status", getStatus)
private.POST("/events", createEvent)
} else {
//non authenticated routes
router.GET("/status", getStatus)
router.POST("/events", createEvent)
}
// TLS config
var tlsConfig = tls.Config{}
if !config.Httponly {
tlsConfig.Certificates = []tls.Certificate{config.CertKeyPair}
tlsConfig.NextProtos = []string{"http/1.1"}
tlsConfig.Rand = rand.Reader // Strictly not necessary, should be default
}
// run frontend server
serve := &http.Server{
Addr: fmt.Sprintf(":%d", config.Configuration.Port),
Handler: router,
TLSConfig: &tlsConfig,
}
if config.Httponly {
serve.ListenAndServe()
} else {
conn, err := net.Listen("tcp", serve.Addr)
if err != nil {
panic(err)
}
tlsListener := tls.NewListener(conn, &tlsConfig)
err = serve.Serve(tlsListener)
if err != nil {
glog.Fatalf("Can not Serve TLS, caused by: %s\n", err)
}
}
return nil
}
func main() {
flag.Parse()
ready := make(chan struct{})
go func() {
<-ready
var client helloworld.GreeterClient
if *useGRPC {
opts := []grpc.DialOption{
grpc.WithBlock(),
grpc.WithTimeout(3 * time.Second),
grpc.WithInsecure(),
}
conn, err := grpc.Dial(*addr, opts...)
if err != nil {
log.Fatalf("grpc.Dial: %v", err)
}
client = helloworld.NewGreeterClient(conn)
} else {
t := (http.DefaultTransport.(*http.Transport))
t.TLSClientConfig = &tls.Config{
InsecureSkipVerify: true,
}
if *useHTTP2 {
if err := http2.ConfigureTransport(t); err != nil {
log.Fatal(err)
}
}
}
ctx := context.Background()
for i := 0; i < *numRuns; i++ {
randomBytes := make([]byte, *msgSize)
n, err := rand.Read(randomBytes)
if err != nil {
log.Fatal(err)
}
if n != *msgSize {
log.Fatal("didn't read enough bytes")
}
msg := string(randomBytes)
t1 := time.Now()
var proto string
if *useGRPC {
_, err = client.SayHello(ctx, &helloworld.HelloRequest{Name: msg})
proto = "GRPC"
} else {
var resp *http.Response
resp, err = http.Post("https://"+*addr, "text/plain", bytes.NewReader(randomBytes))
proto = "HTTP"
if resp != nil {
proto = resp.Proto
resp.Body.Close()
}
}
if *verbose {
fmt.Println()
}
fmt.Printf("%v\t%v\t%v\n", time.Now().Sub(t1), *latency, proto)
if err != nil {
log.Fatal(err)
}
}
os.Exit(0)
}()
var server *grpc.Server
if *useGRPC {
server = grpc.NewServer()
helloworld.RegisterGreeterServer(server, greeter{})
}
l, err := net.Listen("tcp", *addr)
if err != nil {
log.Fatal(err)
}
rate := Rate{Latency: *latency}
l = &Listener{l, rate, rate}
close(ready)
if *useGRPC {
log.Fatal(server.Serve(l))
} else {
var config tls.Config
var err error
if *useHTTP2 {
config.NextProtos = []string{"h2"}
}
config.Certificates = make([]tls.Certificate, 1)
config.Certificates[0], err = tls.LoadX509KeyPair(certFile, keyFile)
if err != nil {
log.Fatal(err)
}
srv := &http.Server{Addr: *addr, TLSConfig: &config, Handler: http.HandlerFunc(validate)}
tlsListener := tls.NewListener(l, &config)
log.Fatal(srv.Serve(tlsListener))
}
}
func (svc *Service) Run(cfg ServerSettings) error {
config = cfg // save config in global
// init gin
if !config.Configuration.DebugEnabled {
gin.SetMode(gin.ReleaseMode)
}
var oauth2Endpoint = oauth2.Endpoint{
AuthURL: config.Configuration.AuthURL,
TokenURL: config.Configuration.TokenURL,
}
// Middleware
router := gin.New()
// use glog for logging
router.Use(ginglog.Logger(config.Configuration.LogFlushInterval))
// monitoring GO internals and counter middleware
counterAspect := &ginmon.CounterAspect{0}
asps := []aspects.Aspect{counterAspect}
router.Use(ginmon.CounterHandler(counterAspect))
router.Use(gomonitor.Metrics(9000, asps))
router.Use(ginoauth2.RequestLogger([]string{"uid", "team"}, "data"))
// last middleware
router.Use(gin.Recovery())
// OAuth2 secured if conf.Oauth2Enabled is set
var private *gin.RouterGroup
//ATM team or user auth is mutually exclusive, we have to look for a better solution
if config.Configuration.Oauth2Enabled {
private = router.Group("")
if config.Configuration.TeamAuthorization {
var accessTuple []zalando.AccessTuple = make([]zalando.AccessTuple, len(config.Configuration.AuthorizedTeams))
for i, v := range config.Configuration.AuthorizedTeams {
accessTuple[i] = zalando.AccessTuple{Realm: v.Realm, Uid: v.Uid, Cn: v.Cn}
}
zalando.AccessTuples = accessTuple
private.Use(ginoauth2.Auth(zalando.GroupCheck, oauth2Endpoint))
} else {
var accessTuple []zalando.AccessTuple = make([]zalando.AccessTuple, len(config.Configuration.AuthorizedUsers))
for i, v := range config.Configuration.AuthorizedUsers {
accessTuple[i] = zalando.AccessTuple{Realm: v.Realm, Uid: v.Uid, Cn: v.Cn}
}
private.Use(ginoauth2.Auth(zalando.UidCheck, oauth2Endpoint))
}
}
//non authenticated routes
router.GET("/", rootHandler)
router.GET("/health", healthHandler)
//authenticated routes
if config.Configuration.Oauth2Enabled {
private.GET("/deployments", deployList)
private.GET("/deployments/:name", deployInfo)
private.POST("/deployments", deployCreate)
private.PUT("/deployments/:name", deployUpsert)
private.DELETE("/deployments/:name", deployDelete)
private.PATCH("/deployments/:name/replicas/:num", deployReplicasModify)
} else {
router.GET("/deployments", deployList)
router.GET("/deployments/:name", deployInfo)
router.POST("/deployments", deployCreate)
router.PUT("/deployments/:name", deployUpsert)
router.DELETE("/deployments/:name", deployDelete)
router.PATCH("/deployments/:name/replicas/:num", deployReplicasModify)
}
// TLS config
var tls_config tls.Config = tls.Config{}
if !config.Httponly {
tls_config.Certificates = []tls.Certificate{config.CertKeyPair}
tls_config.NextProtos = []string{"http/1.1"}
tls_config.Rand = rand.Reader // Strictly not necessary, should be default
}
// run backend
Start()
// run frontend server
serve := &http.Server{
Addr: fmt.Sprintf(":%d", config.Configuration.Port),
Handler: router,
TLSConfig: &tls_config,
}
if config.Httponly {
serve.ListenAndServe()
} else {
conn, err := net.Listen("tcp", serve.Addr)
if err != nil {
panic(err)
}
tlsListener := tls.NewListener(conn, &tls_config)
err = serve.Serve(tlsListener)
if err != nil {
glog.Fatalf("Can not Serve TLS, caused by: %s\n", err)
}
}
return nil
}
func (svc *Service) Run(cfg Config) error {
cfg = cfg // save config in global
// init gin
if !cfg.Debug {
gin.SetMode(gin.ReleaseMode)
}
// Middleware
router := gin.New()
// use glog for logging
router.Use(ginglog.Logger(cfg.LogFlushInterval))
// monitoring GO internals and counter middleware
counterAspect := &ginmon.CounterAspect{0}
asps := []aspects.Aspect{counterAspect}
router.Use(ginmon.CounterHandler(counterAspect))
router.Use(gomonitor.Metrics(9000, asps))
// last middleware
router.Use(gin.Recovery())
svc.ProxyCfg = conf.New()
glog.Infof("svc config: %+v", svc.ProxyCfg)
// OAuth2 secured if conf.Oauth2Enabled is set
var private *gin.RouterGroup
if cfg.Oauth2Enabled {
zalando.AccessTuples = []zalando.AccessTuple{{"employees", "sszuecs", "Sandor Szücs"}, {"employees", "njuettner", "Nick Jüttner"}, {"employees", "rdifazio", "Raffaele Di Fazio"}}
private = router.Group("")
private.Use(ginoauth2.Auth(zalando.UidCheck, cfg.OAuth2Endpoints))
}
//
// Handlers
//
if cfg.Oauth2Enabled {
private.GET("/", svc.rootHandler)
private.GET("/sum/:name", svc.sumHandler)
private.GET("/eql/:name", svc.eqlHandler)
} else {
router.GET("/", svc.rootHandler)
router.GET("/sum/:name", svc.sumHandler)
router.GET("/eql/:name", svc.eqlHandler)
}
// TLS config
var tls_config tls.Config = tls.Config{}
if !cfg.Httponly {
tls_config.Certificates = []tls.Certificate{cfg.CertKeyPair}
tls_config.NextProtos = []string{"http/1.1"}
tls_config.Rand = rand.Reader // Strictly not necessary, should be default
}
// run frontend server
serve := &http.Server{
Addr: fmt.Sprintf(":%d", cfg.SvcPort),
Handler: router,
TLSConfig: &tls_config,
}
if cfg.Httponly {
serve.ListenAndServe()
} else {
conn, err := net.Listen("tcp", serve.Addr)
if err != nil {
panic(err)
}
tlsListener := tls.NewListener(conn, &tls_config)
err = serve.Serve(tlsListener)
if err != nil {
glog.Fatalf("Can not Serve TLS, caused by: %s\n", err)
}
}
return nil
}
func main() {
http.HandleFunc("/", newLoggingHandleFunc(rootHandler))
http.HandleFunc("/new", newLoggingHandleFunc(newHandler))
http.HandleFunc("/view/", newLoggingHandleFunc(newGzipHandleFunc(titleHandler(viewHandler))))
http.HandleFunc("/edit/", newLoggingHandleFunc(newGzipHandleFunc(titleHandler(editHandler))))
http.HandleFunc("/save/", newLoggingHandleFunc(titleHandler(saveHandler)))
http.HandleFunc("/del/", newLoggingHandleFunc(titleHandler(delHandler)))
http.HandleFunc("/front", newLoggingHandleFunc(newGzipHandleFunc(frontHandler)))
http.HandleFunc("/hsts_hpkp", hsts_hpkp)
log.SetPrefix("goWiki: ")
log.Println("listening... on port", HTTPS_PORT)
go func() {
for {
err := func() error {
var OCSPC OCSPCert
var err error
cert, err := tls.LoadX509KeyPair(CERT, KEY)
if err != nil {
return err
}
OCSPC.cert = &cert
if OCSPC.cert.Leaf, err = x509.ParseCertificate(OCSPC.cert.Certificate[0]); err != nil {
return err
}
issuerRAW, err := ioutil.ReadFile(ISSUER)
if err != nil {
return err
}
for {
var issuerPEM *pem.Block
issuerPEM, issuerRAW = pem.Decode(issuerRAW)
if issuerPEM == nil {
break
}
if issuerPEM.Type == "CERTIFICATE" {
OCSPC.issuer, err = x509.ParseCertificate(issuerPEM.Bytes)
if err != nil {
return err
}
}
}
if OCSPC.issuer == nil {
return errors.New("no issuer")
}
OCSPC.req, err = ocsp.CreateRequest(OCSPC.cert.Leaf, OCSPC.issuer, nil)
if err != nil {
return err
}
err = OCSPC.updateStaple()
if err != nil {
return err
}
go OCSPC.stapleLoop()
TLSConfig := new(tls.Config)
TLSConfig.Certificates = []tls.Certificate{cert}
TLSConfig.CipherSuites = []uint16{
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_RSA_WITH_AES_128_CBC_SHA,
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA}
TLSConfig.PreferServerCipherSuites = true
TLSConfig.MinVersion = tls.VersionTLS11
//MaxVersion needed because of bug with TLS_FALLBACK_SCSV gonna be fixed in go 1.5
TLSConfig.MaxVersion = tls.VersionTLS12
TLSConfig.NextProtos = []string{"http/1.1"}
TLSConfig.GetCertificate = func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
OCSPC.RLock()
defer OCSPC.RUnlock()
return OCSPC.cert, nil
}
ln, err := net.Listen("tcp", HTTPS_PORT)
if err != nil {
return err
}
tlsListener := tls.NewListener(tcpKeepAliveListener{ln.(*net.TCPListener)}, TLSConfig)
return new(http.Server).Serve(tlsListener)
}()
if err != nil {
log.Println(err)
}
time.Sleep(time.Second * TIMEOUT)
}
}()
for {
log.Println("redirecting from port", HTTP_PORT, "to", HTTPS_PORT)
err := http.ListenAndServe(HTTP_PORT, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("X-Frame-Options", "SAMEORIGIN")
w.Header().Set("Server", "Jesus")
log.Println("redirecting http", r.RemoteAddr, "to https", DOMAIN+HTTPS_PORT+r.URL.Path)
http.Redirect(w, r, "https://"+DOMAIN+HTTPS_PORT+r.URL.Path, http.StatusMovedPermanently)
}))
if err != nil {
log.Println(err)
}
time.Sleep(time.Second * TIMEOUT)
}
}
// newServerTesterInternal creates test context. If frontendTLS is
// true, set up TLS frontend connection.
func newServerTesterInternal(args []string, t *testing.T, handler http.Handler, frontendTLS bool, clientConfig *tls.Config) *serverTester {
ts := httptest.NewUnstartedServer(handler)
backendTLS := false
for _, k := range args {
switch k {
case "--http2-bridge":
backendTLS = true
}
}
if backendTLS {
nghttp2.ConfigureServer(ts.Config, &nghttp2.Server{})
// According to httptest/server.go, we have to set
// NextProtos separately for ts.TLS. NextProtos set
// in nghttp2.ConfigureServer is effectively ignored.
ts.TLS = new(tls.Config)
ts.TLS.NextProtos = append(ts.TLS.NextProtos, "h2-14")
ts.StartTLS()
args = append(args, "-k")
} else {
ts.Start()
}
scheme := "http"
if frontendTLS {
scheme = "https"
args = append(args, testDir+"/server.key", testDir+"/server.crt")
} else {
args = append(args, "--frontend-no-tls")
}
backendURL, err := url.Parse(ts.URL)
if err != nil {
t.Fatalf("Error parsing URL from httptest.Server: %v", err)
}
// URL.Host looks like "127.0.0.1:8080", but we want
// "127.0.0.1,8080"
b := "-b" + strings.Replace(backendURL.Host, ":", ",", -1)
args = append(args, fmt.Sprintf("-f127.0.0.1,%v", serverPort), b,
"--errorlog-file="+testDir+"/log.txt", "-LINFO")
authority := fmt.Sprintf("127.0.0.1:%v", serverPort)
st := &serverTester{
cmd: exec.Command(serverBin, args...),
t: t,
ts: ts,
url: fmt.Sprintf("%v://%v", scheme, authority),
frontendHost: fmt.Sprintf("127.0.0.1:%v", serverPort),
backendHost: backendURL.Host,
nextStreamID: 1,
authority: authority,
frCh: make(chan http2.Frame),
spdyFrCh: make(chan spdy.Frame),
errCh: make(chan error),
}
if err := st.cmd.Start(); err != nil {
st.t.Fatalf("Error starting %v: %v", serverBin, err)
}
retry := 0
for {
var conn net.Conn
var err error
if frontendTLS {
var tlsConfig *tls.Config
if clientConfig == nil {
tlsConfig = new(tls.Config)
} else {
tlsConfig = clientConfig
}
tlsConfig.InsecureSkipVerify = true
tlsConfig.NextProtos = []string{"h2-14", "spdy/3.1"}
conn, err = tls.Dial("tcp", authority, tlsConfig)
} else {
conn, err = net.Dial("tcp", authority)
}
if err != nil {
retry += 1
if retry >= 100 {
st.Close()
st.t.Fatalf("Error server is not responding too long; server command-line arguments may be invalid")
}
time.Sleep(150 * time.Millisecond)
continue
}
if frontendTLS {
tlsConn := conn.(*tls.Conn)
cs := tlsConn.ConnectionState()
if !cs.NegotiatedProtocolIsMutual {
st.Close()
st.t.Fatalf("Error negotiated next protocol is not mutual")
}
}
st.conn = conn
break
}
st.fr = http2.NewFramer(st.conn, st.conn)
spdyFr, err := spdy.NewFramer(st.conn, st.conn)
if err != nil {
st.Close()
st.t.Fatalf("Error spdy.NewFramer: %v", err)
}
st.spdyFr = spdyFr
st.enc = hpack.NewEncoder(&st.headerBlkBuf)
st.dec = hpack.NewDecoder(4096, func(f hpack.HeaderField) {
st.header.Add(f.Name, f.Value)
})
return st
}