Add support for TLS (gomods#979)

* Add support for TLS * Fix review comments
owenhaynes · Dec 9, 2018 · fe032bc · fe032bc
1 parent 9c4f06c
commit fe032bc
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 1 deletion.
diff --git a/cmd/proxy/main.go b/cmd/proxy/main.go
@@ -4,9 +4,11 @@ import (
 	"flag"
 	"fmt"
 	"log"
+	"net/http"
 	"os"
 	"path/filepath"
 
+	"github.com/gobuffalo/buffalo/servers"
 	"github.com/gomods/athens/cmd/proxy/actions"
 	"github.com/gomods/athens/pkg/build"
 	"github.com/gomods/athens/pkg/config"
@@ -35,7 +37,19 @@ func main() {
 		log.Fatal(err)
 	}
 
-	if err := app.Serve(); err != nil {
+	cert, key, err := conf.TLSCertFiles()
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	var srv servers.Server
+	if cert != "" && key != "" {
+		srv = servers.WrapTLS(&http.Server{}, conf.TLSCertFile, conf.TLSKeyFile)
+	} else {
+		srv = servers.Wrap(&http.Server{})
+	}
+
+	if err := app.Serve(srv); err != nil {
 		log.Fatal(err)
 	}
 }
diff --git a/config.dev.toml b/config.dev.toml
@@ -60,6 +60,12 @@ Timeout = 300
 # Env override: ATHENS_STORAGE_TYPE
 StorageType = "memory"
 
+# Certificate and key to make athens serve using https instead of plain text http.
+# Set both to enable.
+# Env override: ATHENS_TLSCERT_FILE, ATHENS_TLSKEY_FILE
+#TLSCertFile = "server.cer"
+#TLSKeyFile = "server.key"
+
 # Port sets the port the proxy listens on
 # Env override: PORT
 # Note that PORT needs to be prefixed by :

diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -36,6 +36,8 @@ type Config struct {
 	NETRCPath        string `envconfig:"ATHENS_NETRC_PATH"`
 	GithubToken      string `envconfig:"ATHENS_GITHUB_TOKEN"`
 	HGRCPath         string `envconfig:"ATHENS_HGRC_PATH"`
+	TLSCertFile      string `envconfig:"ATHENS_TLSCERT_FILE"`
+	TLSKeyFile       string `envconfig:"ATHENS_TLSKEY_FILE"`
 	Storage          *StorageConfig
 }
 
@@ -48,6 +50,30 @@ func (c *Config) BasicAuth() (user, pass string, ok bool) {
 	return user, pass, ok
 }
 
+// TLSCertFiles returns certificate and key files and an error if
+// both files doesn't exist and have approperiate file permissions
+func (c *Config) TLSCertFiles() (cert, key string, err error) {
+	if c.TLSCertFile == "" && c.TLSKeyFile == "" {
+		return "", "", nil
+	}
+
+	certFile, err := os.Stat(c.TLSCertFile)
+	if err != nil {
+		return "", "", fmt.Errorf("Could not access TLSCertFile: %v", err)
+	}
+
+	keyFile, err := os.Stat(c.TLSKeyFile)
+	if err != nil {
+		return "", "", fmt.Errorf("Could not access TLSKeyFile: %v", err)
+	}
+
+	if keyFile.Mode()&077 != 0 && runtime.GOOS != "windows" {
+		return "", "", fmt.Errorf("TLSKeyFile should not be accessable by others")
+	}
+
+	return certFile.Name(), keyFile.Name(), nil
+}
+
 // FilterOff returns true if the FilterFile is empty
 func (c *Config) FilterOff() bool {
 	return c.FilterFile == ""