https

package
v3.3.1+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 26, 2024 License: Apache-2.0, Apache-2.0 Imports: 11 Imported by: 3

README

HTTPS Package for Prometheus

The https directory contains a Go package and a sample configuration file for running node_exporter with HTTPS instead of HTTP. We currently support TLS 1.3 and TLS 1.2.

To run a server with TLS, use the flag --web.config.

e.g. ./node_exporter --web.config="web-config.yml" If the config is kept within the https directory.

The config file should be written in YAML format, and is reloaded on each connection to check for new certificates and/or authentication policy.

Sample Config

tls_server_config:
  # Certificate and key files for server to use to authenticate to client.
  cert_file: <filename>
  key_file: <filename>

  # Server policy for client authentication. Maps to ClientAuth Policies.
  # For more detail on clientAuth options: [ClientAuthType](https://golang.org/pkg/crypto/tls/#ClientAuthType)
  [ client_auth_type: <string> | default = "NoClientCert" ]

  # CA certificate for client certificate authentication to the server.
  [ client_ca_file: <filename> ]

  # Minimum TLS version that is acceptable.
  [ min_version: <string> | default = "TLS12" ]

  # Maximum TLS version that is acceptable.
  [ max_version: <string> | default = "TLS13" ]

  # List of supported cipher suites for TLS versions up to TLS 1.2. If empty,
  # Go default cipher suites are used. Available cipher suites are documented
  # in the go documentation:
  # https://golang.org/pkg/crypto/tls/#pkg-constants
  [ cipher_suites:
    [ - <string> ] ]

  # prefer_server_cipher_suites controls whether the server selects the
  # client's most preferred ciphersuite, or the server's most preferred
  # ciphersuite. If true then the server's preference, as expressed in
  # the order of elements in cipher_suites, is used.
  [ prefer_server_cipher_suites: <bool> | default = true ]

  # Elliptic curves that will be used in an ECDHE handshake, in preference
  # order. Available curves are documented in the go documentation:
  # https://golang.org/pkg/crypto/tls/#CurveID
  [ curve_preferences:
    [ - <string> ] ]

http_server_config:
  # Enable HTTP/2 support. Note that HTTP/2 is only supported with TLS.
  # This can not be changed on the fly.
  [ http2: <bool> | default = true ]

# List of usernames and hashed passwords that have full access to the web
# server via basic authentication. If empty, no basic authentication is
# required. Passwords are hashed with bcrypt.
basic_auth_users:
  [ <username>: <password> ... ]

About bcrypt

There are several tools out there to generate bcrypt passwords, e.g. htpasswd:

htpasswd -nBC 10 "" | tr -d ':\n'

That command will prompt you for a password and output the hashed password, which will look something like: $2y$10$X0h1gDsPszWURQaxFh.zoubFi6DXncSjhoQNJgRrnGs7EsimhC7zG

The cost (10 in the example) influences the time it takes for computing the hash. A higher cost will en up slowing down the authentication process. Depending on the machine, a cost of 10 will take about ~70ms where a cost of 18 can take up to a few seconds. That hash will be computed on every password-protected request.

Documentation

Overview

Package https allows the implementation of TLS.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ConfigToTLSConfig

func ConfigToTLSConfig(c *TLSStruct) (*tls.Config, error)

ConfigToTLSConfig generates the golang tls.Config from the TLSStruct config.

func Listen

func Listen(server *http.Server, tlsConfigPath string, logger log.Logger) error

Listen starts the server on the given address. If tlsConfigPath isn't empty the server connection will be started using TLS.

Types

type Config

type Config struct {
	TLSConfig  TLSStruct                     `yaml:"tls_server_config"`
	HTTPConfig HTTPStruct                    `yaml:"http_server_config"`
	Users      map[string]config_util.Secret `yaml:"basic_auth_users"`
}

type HTTPStruct

type HTTPStruct struct {
	HTTP2 bool `yaml:"http2"`
}

type TLSStruct

type TLSStruct struct {
	TLSCertPath              string     `yaml:"cert_file"`
	TLSKeyPath               string     `yaml:"key_file"`
	ClientAuth               string     `yaml:"client_auth_type"`
	ClientCAs                string     `yaml:"client_ca_file"`
	CipherSuites             []cipher   `yaml:"cipher_suites"`
	CurvePreferences         []curve    `yaml:"curve_preferences"`
	MinVersion               tlsVersion `yaml:"min_version"`
	MaxVersion               tlsVersion `yaml:"max_version"`
	PreferServerCipherSuites bool       `yaml:"prefer_server_cipher_suites"`
}

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL