Пример #1
0
func ListenAndServe(c *cluster.Cluster, s *scheduler.Scheduler, addr, version string, enableCors bool, tlsConfig *tls.Config) error {
	context := &context{
		cluster:       c,
		scheduler:     s,
		version:       version,
		eventsHandler: NewEventsHandler(),
	}
	c.Events(context.eventsHandler)
	r, err := createRouter(context, enableCors)
	if err != nil {
		return err
	}

	server := &http.Server{
		Addr:    addr,
		Handler: r,
	}

	l, err := net.Listen("tcp", addr)
	if err != nil {
		return err
	}
	if tlsConfig != nil {
		tlsConfig.NextProtos = []string{"http/1.1"}
		l = tls.NewListener(l, tlsConfig)
	}
	return server.Serve(l)
}
Пример #2
0
// This is like a combination of http.ListenAndServe and http.ListenAndServeTLS, which also
// uses ThrottledListen to limit the number of open HTTP connections.
func ListenAndServeHTTP(addr string, connLimit int, certFile *string, keyFile *string, handler http.Handler, readTimeout *int, writeTimeout *int) error {
	var config *tls.Config
	if certFile != nil {
		config = &tls.Config{}
		config.MinVersion = tls.VersionTLS10 // Disable SSLv3 due to POODLE vulnerability
		config.NextProtos = []string{"http/1.1"}
		config.Certificates = make([]tls.Certificate, 1)
		var err error
		config.Certificates[0], err = tls.LoadX509KeyPair(*certFile, *keyFile)
		if err != nil {
			return err
		}
	}
	listener, err := ThrottledListen("tcp", addr, connLimit)
	if err != nil {
		return err
	}
	if config != nil {
		listener = tls.NewListener(listener, config)
	}
	defer listener.Close()
	server := &http.Server{Addr: addr, Handler: handler}
	if readTimeout != nil {
		server.ReadTimeout = time.Duration(*readTimeout) * time.Second
	}
	if writeTimeout != nil {
		server.WriteTimeout = time.Duration(*writeTimeout) * time.Second
	}

	return server.Serve(listener)
}
Пример #3
0
func newListener(proto, addr string, tlsConfig *tls.Config) (net.Listener, error) {
	var (
		l   net.Listener
		err error
	)

	switch proto {
	case "unix", "unixpacket":
		// Unix sockets must be unlink()ed before being reused again
		if err := syscall.Unlink(addr); err != nil && !os.IsNotExist(err) {
			return nil, err
		}
		l, err = net.Listen(proto, addr)
	case "tcp":
		l, err = net.Listen(proto, addr)
	default:
		return nil, fmt.Errorf("unsupported protocol: %q", proto)
	}

	if tlsConfig != nil {
		tlsConfig.NextProtos = []string{"http/1.1"}
		l = tls.NewListener(l, tlsConfig)
	}

	return l, err
}
Пример #4
0
//run starts the webserver
func (v *Vault) startServer() error {
	glog.Infof("Starting local server\n")
	router := gin.New()
	//TODO initialize configurations, correct middlewares, https/http
	router.Use(ginglog.Logger(5)) //5 seconds
	router.Use(gin.Recovery())

	//setting up https by default
	var tlsConfig = tls.Config{}
	keypair, err := tls.LoadX509KeyPair(v.config["tlsCertfilePath"], v.config["tlsKeyfilePath"])
	if err != nil {
		fmt.Printf("ERR: Could not load X509 KeyPair, caused by: %s\n", err)
		os.Exit(1) //exit explicitely as we choose a fail fast approach
	}
	tlsConfig.Certificates = []tls.Certificate{keypair}
	tlsConfig.NextProtos = []string{"http/1.1"}
	tlsConfig.Rand = rand.Reader

	router.GET("/secret/:appID", v.getSecret)
	serve := &http.Server{
		Addr:      fmt.Sprintf(":%s", v.config["serverPort"]),
		Handler:   router,
		TLSConfig: &tlsConfig,
	}
	err = serve.ListenAndServe()
	if err != nil {
		glog.Errorf("Cannot start server for Cubbyhole tokens distribution\n")
	}
	return err
}
Пример #5
0
//httpServer 启动http服务器并监听
func (ser *Server) httpServer(l net.Listener) {
	var (
		addr = l.Addr().String()
		err  error
	)
	httpServer := &http.Server{
		Addr:      addr,
		Handler:   http.HandlerFunc(ser.httpHandler),
		TLSConfig: ser.TLSConfig,
	}
	httpServer.SetKeepAlivesEnabled(true)

	addrs := strings.Split(addr, ":")
	if addrs[1] == "443" || addrs[1] == "https" {
		tlsConfig := new(tls.Config)
		if httpServer.TLSConfig != nil {
			*tlsConfig = *httpServer.TLSConfig
		}
		if tlsConfig.NextProtos == nil {
			tlsConfig.NextProtos = []string{"http/1.1"}
		}
		l = tls.NewListener(l, tlsConfig)
	}
	err = httpServer.Serve(l)
	CheckErr("服务器停止", err)
}
Пример #6
0
// Enable HTTP2ForTLSConfig explicitly enables http/2 for a TLS Config. This is due to changes in Go 1.7 where
// http servers are no longer automatically configured to enable http/2 if the server's TLSConfig is set.
// See https://github.com/golang/go/issues/15908
func enableHTTP2ForTLSConfig(t *tls.Config) {

	if TLSConfigHasHTTP2Enabled(t) {
		return
	}

	t.NextProtos = append(t.NextProtos, "h2")
}
Пример #7
0
func (t *Transport) newTLSConfig(host string) *tls.Config {
	cfg := new(tls.Config)
	if t.TLSClientConfig != nil {
		*cfg = *t.TLSClientConfig
	}
	cfg.NextProtos = []string{NextProtoTLS} // TODO: don't override if already in list
	cfg.ServerName = host
	return cfg
}
Пример #8
0
// NewTCPSocket creates a TCP socket listener with the specified address and
// and the specified tls configuration. If TLSConfig is set, will encapsulate the
// TCP listener inside a TLS one.
// The channel passed is used to activate the listenbuffer when the caller is ready
// to accept connections.
func NewTCPSocket(addr string, tlsConfig *tls.Config, activate <-chan struct{}) (net.Listener, error) {
	l, err := listenbuffer.NewListenBuffer("tcp", addr, activate)
	if err != nil {
		return nil, err
	}
	if tlsConfig != nil {
		tlsConfig.NextProtos = []string{"http/1.1"}
		l = tls.NewListener(l, tlsConfig)
	}
	return l, nil
}
Пример #9
0
// NewTCPSocket creates a TCP socket listener with the specified address and
// and the specified tls configuration. If TLSConfig is set, will encapsulate the
// TCP listener inside a TLS one.
func NewTCPSocket(addr string, tlsConfig *tls.Config) (net.Listener, error) {
	l, err := net.Listen("tcp", addr)
	if err != nil {
		return nil, err
	}
	if tlsConfig != nil {
		tlsConfig.NextProtos = []string{"http/1.1"}
		l = tls.NewListener(l, tlsConfig)
	}
	return l, nil
}
Пример #10
0
func (t *Transport) newTLSConfig(host string) *tls.Config {
	cfg := new(tls.Config)
	if t.TLSClientConfig != nil {
		*cfg = *t.TLSClientConfig
	}
	if !strSliceContains(cfg.NextProtos, NextProtoTLS) {
		cfg.NextProtos = append([]string{NextProtoTLS}, cfg.NextProtos...)
	}
	if cfg.ServerName == "" {
		cfg.ServerName = host
	}
	return cfg
}
Пример #11
0
func (this *Server) Run(mode string, addr string, port int) error {
	var tlsConfig *tls.Config
	var err error
	if mode == "https" {
		tlsConfig = &tls.Config{}
		if tlsConfig.NextProtos == nil {
			tlsConfig.NextProtos = []string{"http/1.1"}
		}
		tlsConfig.Certificates = make([]tls.Certificate, 1)
		tlsConfig.Certificates[0], err = tls.LoadX509KeyPair(SslCertificate, SslCertificateKey)
		if err != nil {
			return err
		}
	}

	listenUnix := false
	if strings.HasPrefix(addr, "unix:") {
		listenUnix = true
		addr = addr[5:]
	}

	if listenUnix {
		os.Remove(addr)
		this.listener, err = net.Listen("unix", addr)
		if err == nil {
			os.Chmod(addr, os.FileMode(0666))
			defer os.Remove(addr)
		}
	} else {
		listenAddr := net.JoinHostPort(addr, fmt.Sprintf("%d", port))
		this.listener, err = net.Listen("tcp", listenAddr)
	}
	if err != nil {
		return err
	}
	// defer this.listener.Close()
	this.RunMode = mode

	switch mode {
	case "http":
		http.Serve(this.listener, this.router)
	case "fcgi":
		fcgi.Serve(this.listener, this.router)
	case "https":
		http.Serve(tls.NewListener(this.listener, tlsConfig), this.router)
	default:
		http.Serve(this.listener, this.router)
	}
	return nil
}
Пример #12
0
func newListener(proto, addr string, tlsConfig *tls.Config) (net.Listener, error) {
	l, err := net.Listen(proto, addr)
	if err != nil {
		if strings.Contains(err.Error(), "address already in use") && strings.Contains(addr, DefaultDockerPort) {
			return nil, fmt.Errorf("%s: is Docker already running on this machine? Try using a different port", err)
		}
		return nil, err
	}
	if tlsConfig != nil {
		tlsConfig.NextProtos = []string{"http/1.1"}
		l = tls.NewListener(l, tlsConfig)
	}
	return l, nil
}
Пример #13
0
Файл: rspdy.go Проект: kr/rspdy
// Listen listens for incoming TLS connections and
// returns a Listener that accepts SPDY sessions.
func ListenTLS(addr, certFile, keyFile string) (*Listener, error) {
	var config tls.Config
	config.NextProtos = []string{"rspdy/3"}
	var err error
	config.Certificates = make([]tls.Certificate, 1)
	config.Certificates[0], err = tls.LoadX509KeyPair(certFile, keyFile)
	if err != nil {
		return nil, err
	}
	l, err := tls.Listen("tcp", addr, &config)
	if err != nil {
		return nil, err
	}
	return &Listener{l}, nil
}
Пример #14
0
// make tls.Config with spdy/3 npn
func ConfigTLS(addr, certFile, keyFile string) (*tls.Config, error) {
	if addr == "" {
		addr = ":https"
	}
	var config *tls.Config = &tls.Config{}
	config.NextProtos = []string{"spdy/3"}

	var err error
	config.Certificates = make([]tls.Certificate, 1)
	config.Certificates[0], err = tls.LoadX509KeyPair(certFile, keyFile)
	if err != nil {
		return nil, err
	}

	return config, nil
}
Пример #15
0
// ListenAndServeTLSWithSNI serves TLS with Server Name Indication (SNI) support, which allows
// multiple sites (different hostnames) to be served from the same address. This method is
// adapted directly from the std lib's net/http ListenAndServeTLS function, which was
// written by the Go Authors. It has been modified to support multiple certificate/key pairs.
func ListenAndServeTLSWithSNI(srv *http.Server, tlsConfigs []TLSConfig) error {
	addr := srv.Addr
	if addr == "" {
		addr = ":https"
	}

	config := new(tls.Config)
	if srv.TLSConfig != nil {
		*config = *srv.TLSConfig
	}
	if config.NextProtos == nil {
		config.NextProtos = []string{"http/1.1"}
	}

	// Here we diverge from the stdlib a bit by loading multiple certs/key pairs
	// then we map the server names to their certs
	var err error
	config.Certificates = make([]tls.Certificate, len(tlsConfigs))
	for i, tlsConfig := range tlsConfigs {
		config.Certificates[i], err = tls.LoadX509KeyPair(tlsConfig.Certificate, tlsConfig.Key)
		if err != nil {
			return err
		}
	}
	config.BuildNameToCertificate()

	// Customize our TLS configuration
	config.MinVersion = tlsConfigs[0].ProtocolMinVersion
	config.MaxVersion = tlsConfigs[0].ProtocolMaxVersion
	config.CipherSuites = tlsConfigs[0].Ciphers
	config.PreferServerCipherSuites = tlsConfigs[0].PreferServerCipherSuites

	// TLS client authentication, if user enabled it
	err = setupClientAuth(tlsConfigs, config)
	if err != nil {
		return err
	}

	// Create listener and we're on our way
	conn, err := net.Listen("tcp", addr)
	if err != nil {
		return err
	}
	tlsListener := tls.NewListener(conn, config)

	return srv.Serve(tlsListener)
}
Пример #16
0
Файл: rspdy.go Проект: kr/rspdy
// DialAndServeTLS dials a TLS connection, then serves incoming HTTP
// requests. If h is nil, it uses http.DefaultHandler.
// If config.NextProtos is nil, it uses "rspdy/3".
func DialAndServeTLS(network, addr string, config *tls.Config, h http.Handler) error {
	var srv spdy.Server
	srv.Handler = h
	config1 := new(tls.Config)
	if config != nil {
		*config1 = *config
	}
	if config1.NextProtos == nil {
		config1.NextProtos = []string{"rspdy/3"}
	}
	// TODO(kr): cert stuff
	conn, err := tls.Dial(network, addr, config1)
	if err != nil {
		return err
	}
	return srv.ServeConn(conn)
}
Пример #17
0
func main() {

	var err error

	flag.Parse()
	session.LoadConfig()

	var tlsc tls.Config
	tlsc.NextProtos = []string{"http/1.1"}
	tlsc.Certificates = make([]tls.Certificate, 1)
	if tlsc.Certificates[0], err = tls.X509KeyPair(session.Conf.HttpsCert, session.Conf.HttpsKey); err != nil {
		panic("Error attempting to use HttpsCert and HttpsKey to create a certificate: " + err.Error())
	}

	// verify the HttpsCert
	asn1, _ := pem.Decode(session.Conf.HttpsCert)
	cert, err := x509.ParseCertificate(asn1.Bytes)
	if err != nil {
		panic(fmt.Sprintf("Error parsing cert data: %s\n", err))
	}

	var vo x509.VerifyOptions
	chains, err := cert.Verify(vo)
	if err != nil {
		panic(fmt.Sprintf("Error verifying: %s", err))
	}

	if len(chains) <= 0 {
		panic(fmt.Sprintf("Configured HttpsCert did not verify: %s\n", err))
	}

	// set up the handler and start the server
	http.HandleFunc("/session/", session.Handler)

	addr := fmt.Sprintf("%s:%d", session.Conf.HttpsHost, session.Conf.HttpsPort)
	tlsServer := &http.Server{Addr: addr, TLSConfig: &tlsc}
	conn, err := net.Listen("tcp", addr)
	if err != nil {
		panic("Error while listening: " + err.Error())
	}

	tlsListener := tls.NewListener(conn, &tlsc)
	tlsServer.Serve(tlsListener)
}
Пример #18
0
Файл: web.go Проект: vuleetu/web
//Runs the web application and serves http requests
func (s *Server) Run(addr string) {
	s.initServer()

	mux := http.NewServeMux()
	if s.profile {
		mux.Handle("/debug/pprof/cmdline", http.HandlerFunc(pprof.Cmdline))
		mux.Handle("/debug/pprof/profile", http.HandlerFunc(pprof.Profile))
		mux.Handle("/debug/pprof/heap", pprof.Handler("heap"))
		mux.Handle("/debug/pprof/block", pprof.Handler("block"))
		mux.Handle("/debug/pprof/routine", pprof.Handler("goroutine"))
		mux.Handle("/debug/pprof/symbol", http.HandlerFunc(pprof.Symbol))
	}
	mux.Handle("/", s)

	var l net.Listener
	var err error
	if s.Config.TLSConfig != nil {
		s.Logger.Printf("web.go serving %s [SSL]", addr)
		cert, err := tls.LoadX509KeyPair(s.Config.TLSConfig.Cert, s.Config.TLSConfig.Key)
		if err != nil {
			log.Fatal("Load tls cert/key:", err)
		}

		tlsc := tls.Config{}
		tlsc.NextProtos = []string{"http/1.1"}
		tlsc.Certificates = []tls.Certificate{cert}
		l, err = tls.Listen("tcp", addr, &tlsc)
	} else {
		s.Logger.Printf("web.go serving %s", addr)
		l, err = net.Listen("tcp", addr)
	}

	if err != nil {
		log.Fatal("ListenAndServe:", err)
	}

	if l == nil {
		log.Fatal("ListenAndServe failed")
	}
	s.l = l
	err = http.Serve(s.l, mux)
	s.l.Close()
}
Пример #19
0
func ListenAndServeTLSWithSNI(srv *http.Server, tlsConfigs []TLSConfig) error {
	addr := srv.Addr
	if addr == "" {
		addr = ":https"
	}

	config := new(tls.Config)
	if srv.TLSConfig != nil {
		*config = *srv.TLSConfig
	}
	if config.NextProtos == nil {
		config.NextProtos = []string{"http/1.1"}
	}

	var err error
	config.Certificates = make([]tls.Certificate, len(tlsConfigs))
	for i, tlsConfig := range tlsConfigs {
		config.Certificates[i], err = tls.LoadX509KeyPair(tlsConfig.Certificate, tlsConfig.Key)
		if err != nil {
			return err
		}
	}
	config.BuildNameToCertificate()

	config.MinVersion = tlsConfigs[0].ProtocolMinVersion
	config.MaxVersion = tlsConfigs[0].ProtocolMaxVersion
	config.CipherSuites = tlsConfigs[0].Ciphers
	config.PreferServerCipherSuites = tlsConfigs[0].PreferServerCipherSuites

	err = setupClientAuth(tlsConfigs, config)
	if err != nil {
		return err
	}

	conn, err := net.Listen("tcp", addr)
	if err != nil {
		return err
	}
	tlsListener := tls.NewListener(conn, config)

	return srv.Serve(tlsListener)
}
Пример #20
0
// TLSListeners returns a slice containing a net.listener for each matching TCP socket type
// passed to this process.
// It uses default Listeners func and forces TCP sockets handlers to use TLS based on tlsConfig.
func TLSListeners(unsetEnv bool, tlsConfig *tls.Config) ([]net.Listener, error) {
	listeners, err := Listeners(unsetEnv)

	if listeners == nil || err != nil {
		return nil, err
	}

	if tlsConfig != nil && err == nil {
		tlsConfig.NextProtos = []string{"http/1.1"}

		for i, l := range listeners {
			// Activate TLS only for TCP sockets
			if l.Addr().Network() == "tcp" {
				listeners[i] = tls.NewListener(l, tlsConfig)
			}
		}
	}

	return listeners, err
}
Пример #21
0
// This is like a combination of http.ListenAndServe and http.ListenAndServeTLS, which also
// uses ThrottledListen to limit the number of open HTTP connections.
func ListenAndServeHTTP(addr string, connLimit int, certFile *string, keyFile *string, handler http.Handler) error {
	var config *tls.Config
	if certFile != nil {
		config = &tls.Config{}
		config.NextProtos = []string{"http/1.1"}
		config.Certificates = make([]tls.Certificate, 1)
		var err error
		config.Certificates[0], err = tls.LoadX509KeyPair(*certFile, *keyFile)
		if err != nil {
			return err
		}
	}
	listener, err := ThrottledListen("tcp", addr, connLimit)
	if err != nil {
		return err
	}
	if config != nil {
		listener = tls.NewListener(listener, config)
	}
	defer listener.Close()
	server := &http.Server{Addr: addr, Handler: handler}
	return server.Serve(listener)
}
Пример #22
0
// ListenAndServeTLSWithConfig binds sockets according to the provided TLS
// config and blocks until the socket closes or an exit signal is received.
func (srv *Server) ListenTLSWithConfig(config *tls.Config) error {
	addr := srv.Addr
	if addr == "" {
		addr = ":https"
	}

	if config == nil {
		return errors.New("TLSConfig required")
	}
	if len(config.Certificates) == 0 {
		return errors.New("TLSConfig has no certificate")
	}

	if config.NextProtos == nil {
		config.NextProtos = []string{"http/1.1"}
	}

	if l, err := srv.socketListen(addr); err == nil {
		srv.listener = tls.NewListener(l, config)
	} else {
		return err
	}
	return nil
}
Пример #23
0
func (t *Transport) RoundTrip(req *http.Request) (resp *http.Response, err error) {
	if req.URL == nil {
		return nil, errors.New("http: nil Request.URL")
	}
	if req.Header == nil {
		return nil, errors.New("http: nil Request.Header")
	}

	if req.URL.Scheme != "https" {
		if t.FallbackClient == nil {
			return nil, errors.New(fmt.Sprintf("spdy: no fallback client for scheme %s", req.URL.Scheme))
		}

		return t.FallbackClient.Do(req)
	}

	var proxy *url.URL
	if t.Proxy != nil {
		if proxy, err = t.Proxy(req); err != nil {
			return nil, err
		}
	}

	key := connKey(proxy, req)

reconnect:
	t.lk.Lock()
	c := t.connections[key]

	// Try and use an existing connection
	if c == nil {
		proxySock, err := t.dialProxy(proxy, req.URL.Host)
		if err != nil {
			t.lk.Unlock()
			return nil, err
		}

		cfg := tls.Config{}
		if t.TLSClientConfig != nil {
			cfg = *t.TLSClientConfig
		}

		cfg.NextProtos = []string{"http/1.1", "spdy/3", "spdy/2"}
		cfg.ServerName = removePort(req.URL.Host)

		tlsSock := tls.Client(proxySock, &cfg)
		if err := tlsSock.Handshake(); err != nil {
			t.lk.Unlock()
			tlsSock.Close()
			proxySock.Close()
			return nil, err
		}

		if err := tlsSock.VerifyHostname(cfg.ServerName); err != nil {
			t.lk.Unlock()
			tlsSock.Close()
			proxySock.Close()
			return nil, err
		}

		Log("negotiated protocol %s", tlsSock.ConnectionState().NegotiatedProtocol)

		switch tlsSock.ConnectionState().NegotiatedProtocol {
		case "http/1.1":
			// fallback to a standard HTTPS client
			t.lk.Unlock()
			client := httputil.NewClientConn(tlsSock, nil)
			resp, err := client.Do(req)
			client.Close()
			tlsSock.Close()
			proxySock.Close()
			return resp, err

		case "spdy/2":
			c = NewConnection(tlsSock, nil, 2, false)
		case "spdy/3":
			c = NewConnection(tlsSock, nil, 3, false)
		default:
			panic("spdy-internal: unexpected negotiated protocol")
		}

		if t.connections == nil {
			t.connections = make(map[string]*Connection)
		}
		t.connections[key] = c
		go t.runClient(key, c)
	}

	t.lk.Unlock()
	resp, err = c.startRequest(nil, req, &t.RequestExtra)

	// In the case that we missed the connection due to being told to go
	// away, we need to reconnect. This is due to either the server
	// sending us a GO_AWAY or the startRequest going through after the
	// socket has already been closed due to an error or timeout.
	if err == errGoAway {
		goto reconnect
	}

	return resp, err
}
Пример #24
0
// newServerTesterInternal creates test context.  If frontendTLS is
// true, set up TLS frontend connection.  connectPort is the server
// side port where client connection is made.
func newServerTesterInternal(src_args []string, t *testing.T, handler http.Handler, frontendTLS bool, connectPort int, clientConfig *tls.Config) *serverTester {
	ts := httptest.NewUnstartedServer(handler)

	args := []string{}

	backendTLS := false
	dns := false
	externalDNS := false
	acceptProxyProtocol := false
	for _, k := range src_args {
		switch k {
		case "--http2-bridge":
			backendTLS = true
		case "--dns":
			dns = true
		case "--external-dns":
			dns = true
			externalDNS = true
		case "--accept-proxy-protocol":
			acceptProxyProtocol = true
		default:
			args = append(args, k)
		}
	}
	if backendTLS {
		nghttp2.ConfigureServer(ts.Config, &nghttp2.Server{})
		// According to httptest/server.go, we have to set
		// NextProtos separately for ts.TLS.  NextProtos set
		// in nghttp2.ConfigureServer is effectively ignored.
		ts.TLS = new(tls.Config)
		ts.TLS.NextProtos = append(ts.TLS.NextProtos, "h2")
		ts.StartTLS()
		args = append(args, "-k")
	} else {
		ts.Start()
	}
	scheme := "http"
	if frontendTLS {
		scheme = "https"
		args = append(args, testDir+"/server.key", testDir+"/server.crt")
	}

	backendURL, err := url.Parse(ts.URL)
	if err != nil {
		t.Fatalf("Error parsing URL from httptest.Server: %v", err)
	}

	// URL.Host looks like "127.0.0.1:8080", but we want
	// "127.0.0.1,8080"
	b := "-b"
	if !externalDNS {
		b += fmt.Sprintf("%v;", strings.Replace(backendURL.Host, ":", ",", -1))
	} else {
		sep := strings.LastIndex(backendURL.Host, ":")
		if sep == -1 {
			t.Fatalf("backendURL.Host %v does not contain separator ':'", backendURL.Host)
		}
		// We use awesome service xip.io.
		b += fmt.Sprintf("%v.xip.io,%v;", backendURL.Host[:sep], backendURL.Host[sep+1:])
	}

	if backendTLS {
		b += ";proto=h2;tls"
	}
	if dns {
		b += ";dns"
	}

	noTLS := ";no-tls"
	if frontendTLS {
		noTLS = ""
	}

	var proxyProto string
	if acceptProxyProtocol {
		proxyProto = ";proxyproto"
	}

	args = append(args, fmt.Sprintf("-f127.0.0.1,%v%v%v", serverPort, noTLS, proxyProto), b,
		"--errorlog-file="+logDir+"/log.txt", "-LINFO")

	authority := fmt.Sprintf("127.0.0.1:%v", connectPort)

	st := &serverTester{
		cmd:          exec.Command(serverBin, args...),
		t:            t,
		ts:           ts,
		url:          fmt.Sprintf("%v://%v", scheme, authority),
		frontendHost: fmt.Sprintf("127.0.0.1:%v", serverPort),
		backendHost:  backendURL.Host,
		nextStreamID: 1,
		authority:    authority,
		frCh:         make(chan http2.Frame),
		spdyFrCh:     make(chan spdy.Frame),
		errCh:        make(chan error),
	}

	if err := st.cmd.Start(); err != nil {
		st.t.Fatalf("Error starting %v: %v", serverBin, err)
	}

	retry := 0
	for {
		time.Sleep(50 * time.Millisecond)

		var conn net.Conn
		var err error
		if frontendTLS {
			var tlsConfig *tls.Config
			if clientConfig == nil {
				tlsConfig = new(tls.Config)
			} else {
				tlsConfig = clientConfig
			}
			tlsConfig.InsecureSkipVerify = true
			tlsConfig.NextProtos = []string{"h2", "spdy/3.1"}
			conn, err = tls.Dial("tcp", authority, tlsConfig)
		} else {
			conn, err = net.Dial("tcp", authority)
		}
		if err != nil {
			retry += 1
			if retry >= 100 {
				st.Close()
				st.t.Fatalf("Error server is not responding too long; server command-line arguments may be invalid")
			}
			continue
		}
		if frontendTLS {
			tlsConn := conn.(*tls.Conn)
			cs := tlsConn.ConnectionState()
			if !cs.NegotiatedProtocolIsMutual {
				st.Close()
				st.t.Fatalf("Error negotiated next protocol is not mutual")
			}
		}
		st.conn = conn
		break
	}

	st.fr = http2.NewFramer(st.conn, st.conn)
	spdyFr, err := spdy.NewFramer(st.conn, st.conn)
	if err != nil {
		st.Close()
		st.t.Fatalf("Error spdy.NewFramer: %v", err)
	}
	st.spdyFr = spdyFr
	st.enc = hpack.NewEncoder(&st.headerBlkBuf)
	st.dec = hpack.NewDecoder(4096, func(f hpack.HeaderField) {
		st.header.Add(f.Name, f.Value)
	})

	return st
}
Пример #25
0
//Run starts Howler
func (svc *Service) Run(cfg ServerSettings) error {
	config = cfg // save config in global

	// init gin
	if !config.Configuration.DebugEnabled {
		gin.SetMode(gin.ReleaseMode)
	}

	var oauth2Endpoint = oauth2.Endpoint{
		AuthURL:  config.Configuration.AuthURL,
		TokenURL: config.Configuration.TokenURL,
	}

	// Middleware
	router := gin.New()
	// use glog for logging
	router.Use(ginglog.Logger(config.Configuration.LogFlushInterval))
	// monitoring GO internals and counter middleware
	counterAspect := &ginmon.CounterAspect{0}
	asps := []aspects.Aspect{counterAspect}
	router.Use(ginmon.CounterHandler(counterAspect))
	router.Use(gomonitor.Metrics(9000, asps))
	router.Use(ginoauth2.RequestLogger([]string{"uid", "team"}, "data"))
	// last middleware
	router.Use(gin.Recovery())

	// OAuth2 secured if conf.Oauth2Enabled is set
	var private *gin.RouterGroup
	if config.Configuration.Oauth2Enabled {
		private = router.Group("")
		var accessTuple = make([]zalando.AccessTuple, len(config.Configuration.AuthorizedUsers))
		for i, v := range config.Configuration.AuthorizedUsers {
			accessTuple[i] = zalando.AccessTuple{Realm: v.Realm, Uid: v.UID, Cn: v.Cn}
		}
		zalando.AccessTuples = accessTuple
		private.Use(ginoauth2.Auth(zalando.UidCheck, oauth2Endpoint))
	}

	router.GET("/", rootHandler)
	if config.Configuration.Oauth2Enabled {
		//authenticated routes
		private.GET("/status", getStatus)
		private.POST("/events", createEvent)
	} else {
		//non authenticated routes
		router.GET("/status", getStatus)
		router.POST("/events", createEvent)
	}

	// TLS config
	var tlsConfig = tls.Config{}
	if !config.Httponly {
		tlsConfig.Certificates = []tls.Certificate{config.CertKeyPair}
		tlsConfig.NextProtos = []string{"http/1.1"}
		tlsConfig.Rand = rand.Reader // Strictly not necessary, should be default
	}

	// run frontend server
	serve := &http.Server{
		Addr:      fmt.Sprintf(":%d", config.Configuration.Port),
		Handler:   router,
		TLSConfig: &tlsConfig,
	}
	if config.Httponly {
		serve.ListenAndServe()
	} else {
		conn, err := net.Listen("tcp", serve.Addr)
		if err != nil {
			panic(err)
		}
		tlsListener := tls.NewListener(conn, &tlsConfig)
		err = serve.Serve(tlsListener)
		if err != nil {
			glog.Fatalf("Can not Serve TLS, caused by: %s\n", err)
		}
	}
	return nil
}
Пример #26
0
Файл: main.go Проект: rsc/tmp
func main() {
	flag.Parse()

	ready := make(chan struct{})
	go func() {
		<-ready

		var client helloworld.GreeterClient
		if *useGRPC {
			opts := []grpc.DialOption{
				grpc.WithBlock(),
				grpc.WithTimeout(3 * time.Second),
				grpc.WithInsecure(),
			}
			conn, err := grpc.Dial(*addr, opts...)
			if err != nil {
				log.Fatalf("grpc.Dial: %v", err)
			}
			client = helloworld.NewGreeterClient(conn)
		} else {
			t := (http.DefaultTransport.(*http.Transport))
			t.TLSClientConfig = &tls.Config{
				InsecureSkipVerify: true,
			}
			if *useHTTP2 {
				if err := http2.ConfigureTransport(t); err != nil {
					log.Fatal(err)
				}
			}
		}

		ctx := context.Background()

		for i := 0; i < *numRuns; i++ {
			randomBytes := make([]byte, *msgSize)
			n, err := rand.Read(randomBytes)
			if err != nil {
				log.Fatal(err)
			}
			if n != *msgSize {
				log.Fatal("didn't read enough bytes")
			}
			msg := string(randomBytes)

			t1 := time.Now()
			var proto string
			if *useGRPC {
				_, err = client.SayHello(ctx, &helloworld.HelloRequest{Name: msg})
				proto = "GRPC"
			} else {
				var resp *http.Response
				resp, err = http.Post("https://"+*addr, "text/plain", bytes.NewReader(randomBytes))
				proto = "HTTP"
				if resp != nil {
					proto = resp.Proto
					resp.Body.Close()
				}
			}
			if *verbose {
				fmt.Println()
			}
			fmt.Printf("%v\t%v\t%v\n", time.Now().Sub(t1), *latency, proto)
			if err != nil {
				log.Fatal(err)
			}
		}

		os.Exit(0)
	}()

	var server *grpc.Server
	if *useGRPC {
		server = grpc.NewServer()
		helloworld.RegisterGreeterServer(server, greeter{})
	}
	l, err := net.Listen("tcp", *addr)
	if err != nil {
		log.Fatal(err)
	}
	rate := Rate{Latency: *latency}
	l = &Listener{l, rate, rate}
	close(ready)
	if *useGRPC {
		log.Fatal(server.Serve(l))
	} else {
		var config tls.Config
		var err error
		if *useHTTP2 {
			config.NextProtos = []string{"h2"}
		}
		config.Certificates = make([]tls.Certificate, 1)
		config.Certificates[0], err = tls.LoadX509KeyPair(certFile, keyFile)
		if err != nil {
			log.Fatal(err)
		}
		srv := &http.Server{Addr: *addr, TLSConfig: &config, Handler: http.HandlerFunc(validate)}
		tlsListener := tls.NewListener(l, &config)
		log.Fatal(srv.Serve(tlsListener))
	}
}
Пример #27
0
func (svc *Service) Run(cfg ServerSettings) error {
	config = cfg // save config in global

	// init gin
	if !config.Configuration.DebugEnabled {
		gin.SetMode(gin.ReleaseMode)
	}

	var oauth2Endpoint = oauth2.Endpoint{
		AuthURL:  config.Configuration.AuthURL,
		TokenURL: config.Configuration.TokenURL,
	}

	// Middleware
	router := gin.New()
	// use glog for logging
	router.Use(ginglog.Logger(config.Configuration.LogFlushInterval))
	// monitoring GO internals and counter middleware
	counterAspect := &ginmon.CounterAspect{0}
	asps := []aspects.Aspect{counterAspect}
	router.Use(ginmon.CounterHandler(counterAspect))
	router.Use(gomonitor.Metrics(9000, asps))
	router.Use(ginoauth2.RequestLogger([]string{"uid", "team"}, "data"))
	// last middleware
	router.Use(gin.Recovery())

	// OAuth2 secured if conf.Oauth2Enabled is set
	var private *gin.RouterGroup
	//ATM team or user auth is mutually exclusive, we have to look for a better solution
	if config.Configuration.Oauth2Enabled {
		private = router.Group("")
		if config.Configuration.TeamAuthorization {
			var accessTuple []zalando.AccessTuple = make([]zalando.AccessTuple, len(config.Configuration.AuthorizedTeams))
			for i, v := range config.Configuration.AuthorizedTeams {
				accessTuple[i] = zalando.AccessTuple{Realm: v.Realm, Uid: v.Uid, Cn: v.Cn}
			}
			zalando.AccessTuples = accessTuple
			private.Use(ginoauth2.Auth(zalando.GroupCheck, oauth2Endpoint))
		} else {
			var accessTuple []zalando.AccessTuple = make([]zalando.AccessTuple, len(config.Configuration.AuthorizedUsers))
			for i, v := range config.Configuration.AuthorizedUsers {
				accessTuple[i] = zalando.AccessTuple{Realm: v.Realm, Uid: v.Uid, Cn: v.Cn}
			}
			private.Use(ginoauth2.Auth(zalando.UidCheck, oauth2Endpoint))
		}
	}

	//non authenticated routes
	router.GET("/", rootHandler)
	router.GET("/health", healthHandler)
	//authenticated routes
	if config.Configuration.Oauth2Enabled {
		private.GET("/deployments", deployList)
		private.GET("/deployments/:name", deployInfo)
		private.POST("/deployments", deployCreate)
		private.PUT("/deployments/:name", deployUpsert)
		private.DELETE("/deployments/:name", deployDelete)
		private.PATCH("/deployments/:name/replicas/:num", deployReplicasModify)
	} else {
		router.GET("/deployments", deployList)
		router.GET("/deployments/:name", deployInfo)
		router.POST("/deployments", deployCreate)
		router.PUT("/deployments/:name", deployUpsert)
		router.DELETE("/deployments/:name", deployDelete)
		router.PATCH("/deployments/:name/replicas/:num", deployReplicasModify)
	}

	// TLS config
	var tls_config tls.Config = tls.Config{}
	if !config.Httponly {
		tls_config.Certificates = []tls.Certificate{config.CertKeyPair}
		tls_config.NextProtos = []string{"http/1.1"}
		tls_config.Rand = rand.Reader // Strictly not necessary, should be default
	}

	// run backend
	Start()

	// run frontend server
	serve := &http.Server{
		Addr:      fmt.Sprintf(":%d", config.Configuration.Port),
		Handler:   router,
		TLSConfig: &tls_config,
	}
	if config.Httponly {
		serve.ListenAndServe()
	} else {
		conn, err := net.Listen("tcp", serve.Addr)
		if err != nil {
			panic(err)
		}
		tlsListener := tls.NewListener(conn, &tls_config)
		err = serve.Serve(tlsListener)
		if err != nil {
			glog.Fatalf("Can not Serve TLS, caused by: %s\n", err)
		}
	}
	return nil
}
Пример #28
0
func (svc *Service) Run(cfg Config) error {
	cfg = cfg // save config in global

	// init gin
	if !cfg.Debug {
		gin.SetMode(gin.ReleaseMode)
	}

	// Middleware
	router := gin.New()
	// use glog for logging
	router.Use(ginglog.Logger(cfg.LogFlushInterval))
	// monitoring GO internals and counter middleware
	counterAspect := &ginmon.CounterAspect{0}
	asps := []aspects.Aspect{counterAspect}
	router.Use(ginmon.CounterHandler(counterAspect))
	router.Use(gomonitor.Metrics(9000, asps))
	// last middleware
	router.Use(gin.Recovery())

	svc.ProxyCfg = conf.New()
	glog.Infof("svc config: %+v", svc.ProxyCfg)

	// OAuth2 secured if conf.Oauth2Enabled is set
	var private *gin.RouterGroup
	if cfg.Oauth2Enabled {
		zalando.AccessTuples = []zalando.AccessTuple{{"employees", "sszuecs", "Sandor Szücs"}, {"employees", "njuettner", "Nick Jüttner"}, {"employees", "rdifazio", "Raffaele Di Fazio"}}
		private = router.Group("")
		private.Use(ginoauth2.Auth(zalando.UidCheck, cfg.OAuth2Endpoints))
	}

	//
	//  Handlers
	//
	if cfg.Oauth2Enabled {
		private.GET("/", svc.rootHandler)
		private.GET("/sum/:name", svc.sumHandler)
		private.GET("/eql/:name", svc.eqlHandler)
	} else {
		router.GET("/", svc.rootHandler)
		router.GET("/sum/:name", svc.sumHandler)
		router.GET("/eql/:name", svc.eqlHandler)
	}

	// TLS config
	var tls_config tls.Config = tls.Config{}
	if !cfg.Httponly {
		tls_config.Certificates = []tls.Certificate{cfg.CertKeyPair}
		tls_config.NextProtos = []string{"http/1.1"}
		tls_config.Rand = rand.Reader // Strictly not necessary, should be default
	}

	// run frontend server
	serve := &http.Server{
		Addr:      fmt.Sprintf(":%d", cfg.SvcPort),
		Handler:   router,
		TLSConfig: &tls_config,
	}
	if cfg.Httponly {
		serve.ListenAndServe()
	} else {
		conn, err := net.Listen("tcp", serve.Addr)
		if err != nil {
			panic(err)
		}
		tlsListener := tls.NewListener(conn, &tls_config)
		err = serve.Serve(tlsListener)
		if err != nil {
			glog.Fatalf("Can not Serve TLS, caused by: %s\n", err)
		}
	}
	return nil
}
Пример #29
0
func main() {
	http.HandleFunc("/", newLoggingHandleFunc(rootHandler))
	http.HandleFunc("/new", newLoggingHandleFunc(newHandler))
	http.HandleFunc("/view/", newLoggingHandleFunc(newGzipHandleFunc(titleHandler(viewHandler))))
	http.HandleFunc("/edit/", newLoggingHandleFunc(newGzipHandleFunc(titleHandler(editHandler))))
	http.HandleFunc("/save/", newLoggingHandleFunc(titleHandler(saveHandler)))
	http.HandleFunc("/del/", newLoggingHandleFunc(titleHandler(delHandler)))
	http.HandleFunc("/front", newLoggingHandleFunc(newGzipHandleFunc(frontHandler)))
	http.HandleFunc("/hsts_hpkp", hsts_hpkp)
	log.SetPrefix("goWiki: ")
	log.Println("listening... on port", HTTPS_PORT)
	go func() {
		for {
			err := func() error {
				var OCSPC OCSPCert
				var err error
				cert, err := tls.LoadX509KeyPair(CERT, KEY)
				if err != nil {
					return err
				}
				OCSPC.cert = &cert
				if OCSPC.cert.Leaf, err = x509.ParseCertificate(OCSPC.cert.Certificate[0]); err != nil {
					return err
				}
				issuerRAW, err := ioutil.ReadFile(ISSUER)
				if err != nil {
					return err
				}
				for {
					var issuerPEM *pem.Block
					issuerPEM, issuerRAW = pem.Decode(issuerRAW)
					if issuerPEM == nil {
						break
					}
					if issuerPEM.Type == "CERTIFICATE" {
						OCSPC.issuer, err = x509.ParseCertificate(issuerPEM.Bytes)
						if err != nil {
							return err
						}
					}
				}
				if OCSPC.issuer == nil {
					return errors.New("no issuer")
				}
				OCSPC.req, err = ocsp.CreateRequest(OCSPC.cert.Leaf, OCSPC.issuer, nil)
				if err != nil {
					return err
				}
				err = OCSPC.updateStaple()
				if err != nil {
					return err
				}
				go OCSPC.stapleLoop()
				TLSConfig := new(tls.Config)
				TLSConfig.Certificates = []tls.Certificate{cert}
				TLSConfig.CipherSuites = []uint16{
					tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
					tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
					tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
					tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
					tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
					tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
					tls.TLS_RSA_WITH_AES_128_CBC_SHA,
					tls.TLS_RSA_WITH_AES_256_CBC_SHA,
					tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
					tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA}
				TLSConfig.PreferServerCipherSuites = true
				TLSConfig.MinVersion = tls.VersionTLS11
				//MaxVersion needed because of bug with TLS_FALLBACK_SCSV gonna be fixed in go 1.5
				TLSConfig.MaxVersion = tls.VersionTLS12
				TLSConfig.NextProtos = []string{"http/1.1"}
				TLSConfig.GetCertificate = func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
					OCSPC.RLock()
					defer OCSPC.RUnlock()
					return OCSPC.cert, nil
				}
				ln, err := net.Listen("tcp", HTTPS_PORT)
				if err != nil {
					return err
				}
				tlsListener := tls.NewListener(tcpKeepAliveListener{ln.(*net.TCPListener)}, TLSConfig)
				return new(http.Server).Serve(tlsListener)
			}()
			if err != nil {
				log.Println(err)
			}
			time.Sleep(time.Second * TIMEOUT)
		}
	}()
	for {
		log.Println("redirecting from port", HTTP_PORT, "to", HTTPS_PORT)
		err := http.ListenAndServe(HTTP_PORT, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			w.Header().Set("X-Frame-Options", "SAMEORIGIN")
			w.Header().Set("Server", "Jesus")
			log.Println("redirecting http", r.RemoteAddr, "to https", DOMAIN+HTTPS_PORT+r.URL.Path)
			http.Redirect(w, r, "https://"+DOMAIN+HTTPS_PORT+r.URL.Path, http.StatusMovedPermanently)
		}))
		if err != nil {
			log.Println(err)
		}
		time.Sleep(time.Second * TIMEOUT)
	}
}
Пример #30
0
// newServerTesterInternal creates test context.  If frontendTLS is
// true, set up TLS frontend connection.
func newServerTesterInternal(args []string, t *testing.T, handler http.Handler, frontendTLS bool, clientConfig *tls.Config) *serverTester {
	ts := httptest.NewUnstartedServer(handler)

	backendTLS := false
	for _, k := range args {
		switch k {
		case "--http2-bridge":
			backendTLS = true
		}
	}
	if backendTLS {
		nghttp2.ConfigureServer(ts.Config, &nghttp2.Server{})
		// According to httptest/server.go, we have to set
		// NextProtos separately for ts.TLS.  NextProtos set
		// in nghttp2.ConfigureServer is effectively ignored.
		ts.TLS = new(tls.Config)
		ts.TLS.NextProtos = append(ts.TLS.NextProtos, "h2-14")
		ts.StartTLS()
		args = append(args, "-k")
	} else {
		ts.Start()
	}
	scheme := "http"
	if frontendTLS {
		scheme = "https"
		args = append(args, testDir+"/server.key", testDir+"/server.crt")
	} else {
		args = append(args, "--frontend-no-tls")
	}

	backendURL, err := url.Parse(ts.URL)
	if err != nil {
		t.Fatalf("Error parsing URL from httptest.Server: %v", err)
	}

	// URL.Host looks like "127.0.0.1:8080", but we want
	// "127.0.0.1,8080"
	b := "-b" + strings.Replace(backendURL.Host, ":", ",", -1)
	args = append(args, fmt.Sprintf("-f127.0.0.1,%v", serverPort), b,
		"--errorlog-file="+testDir+"/log.txt", "-LINFO")

	authority := fmt.Sprintf("127.0.0.1:%v", serverPort)

	st := &serverTester{
		cmd:          exec.Command(serverBin, args...),
		t:            t,
		ts:           ts,
		url:          fmt.Sprintf("%v://%v", scheme, authority),
		frontendHost: fmt.Sprintf("127.0.0.1:%v", serverPort),
		backendHost:  backendURL.Host,
		nextStreamID: 1,
		authority:    authority,
		frCh:         make(chan http2.Frame),
		spdyFrCh:     make(chan spdy.Frame),
		errCh:        make(chan error),
	}

	if err := st.cmd.Start(); err != nil {
		st.t.Fatalf("Error starting %v: %v", serverBin, err)
	}

	retry := 0
	for {
		var conn net.Conn
		var err error
		if frontendTLS {
			var tlsConfig *tls.Config
			if clientConfig == nil {
				tlsConfig = new(tls.Config)
			} else {
				tlsConfig = clientConfig
			}
			tlsConfig.InsecureSkipVerify = true
			tlsConfig.NextProtos = []string{"h2-14", "spdy/3.1"}
			conn, err = tls.Dial("tcp", authority, tlsConfig)
		} else {
			conn, err = net.Dial("tcp", authority)
		}
		if err != nil {
			retry += 1
			if retry >= 100 {
				st.Close()
				st.t.Fatalf("Error server is not responding too long; server command-line arguments may be invalid")
			}
			time.Sleep(150 * time.Millisecond)
			continue
		}
		if frontendTLS {
			tlsConn := conn.(*tls.Conn)
			cs := tlsConn.ConnectionState()
			if !cs.NegotiatedProtocolIsMutual {
				st.Close()
				st.t.Fatalf("Error negotiated next protocol is not mutual")
			}
		}
		st.conn = conn
		break
	}

	st.fr = http2.NewFramer(st.conn, st.conn)
	spdyFr, err := spdy.NewFramer(st.conn, st.conn)
	if err != nil {
		st.Close()
		st.t.Fatalf("Error spdy.NewFramer: %v", err)
	}
	st.spdyFr = spdyFr
	st.enc = hpack.NewEncoder(&st.headerBlkBuf)
	st.dec = hpack.NewDecoder(4096, func(f hpack.HeaderField) {
		st.header.Add(f.Name, f.Value)
	})

	return st
}