use TLS

2023-04-02 12:07:58 +10:00
parent 2554c7f4ca
commit b45e276df5
4 changed files with 286 additions and 4 deletions
--- a/main.go
+++ b/main.go
@@ -4,9 +4,13 @@ import (
 	"ccsecrets/controllers"
 	"ccsecrets/middlewares"
 	"ccsecrets/models"
+	"ccsecrets/utils"
 	"context"
+	"crypto/tls"
+	"fmt"
 	"log"
 	"net/http"
+	"os"
 	"os/signal"
 	"syscall"
 	"time"
@@ -26,12 +30,51 @@ func main() {
 	router := gin.Default()
 	router.GET("/", func(c *gin.Context) {
 		//time.Sleep(10 * time.Second)
-		c.String(http.StatusOK, "Welcome Gin Server")
+		c.String(http.StatusOK, "Hello World.")
 	})

+	// Set some options for TLS
+	tlsConfig := &tls.Config{
+		MinVersion:               tls.VersionTLS12,
+		CurvePreferences:         []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
+		PreferServerCipherSuites: true,
+		InsecureSkipVerify:       true,
+		CipherSuites: []uint16{
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		},
+	}
+
+	// Determine bind IP
+	bindIP := os.Getenv("BIND_IP")
+	if bindIP == "" {
+		bindIP = utils.GetOutboundIP().String()
+	}
+	// Determine bind port
+	bindPort := os.Getenv("BIND_PORT")
+	if bindPort == "" {
+		bindIP = "8443"
+	}
+	bindAddress := fmt.Sprint(bindIP, ":", bindPort)
+	fmt.Printf("Will listen on address 'https://%s'\n", bindAddress)
+
+	// Generate certificate if required
+	tlsCertFilename := utils.GetFilePath(os.Getenv("TLS_CERT_FILE"))
+	tlsKeyFilename := utils.GetFilePath(os.Getenv("TLS_KEY_FILE"))
+
+	if !(utils.FileExists(tlsCertFilename) && utils.FileExists(tlsKeyFilename)) {
+		fmt.Printf("Specified TLS certificate (%s) or private key (%s) do not exist.\n", tlsCertFilename, tlsKeyFilename)
+		utils.GenerateCerts(tlsCertFilename, tlsKeyFilename)
+	}
+
 	srv := &http.Server{
-		Addr:    ":8080",
-		Handler: router,
+		Addr:      bindAddress,
+		Handler:   router,
+		TLSConfig: tlsConfig,
 	}

 	// Register our routes
@@ -52,7 +95,7 @@ func main() {
 	// Initializing the server in a goroutine so that
 	// it won't block the graceful shutdown handling below
 	go func() {
-		if err := srv.ListenAndServe(); err != nil && err != http.ErrServerClosed {
+		if err := srv.ListenAndServeTLS(tlsCertFilename, tlsKeyFilename); err != nil && err != http.ErrServerClosed {
 			log.Fatalf("listen: %s\n", err)
 		}
 	}()