From 06f4e2d2961e72703a38cbab397f310a3ef8d794 Mon Sep 17 00:00:00 2001
From: Ilja Neumann
Date: Wed, 15 Jul 2020 16:29:59 +0200
Subject: [PATCH] Add option to disable TLS

Can be used to disable TLS when the ocis-proxy is behind an TLS-Terminating reverse proxy. env PROXY_TLS=false or cli --tls=false
---
 changelog/unreleased/add-disable-tls.md | 8 +++++
 pkg/config/config.go | 1 +
 pkg/flagset/flagset.go | 7 +++++
 pkg/server/http/server.go | 39 +++++++++++++++----------
 4 files changed, 39 insertions(+), 16 deletions(-)
 create mode 100644 changelog/unreleased/add-disable-tls.md
diff --git a/changelog/unreleased/add-disable-tls.md b/changelog/unreleased/add-disable-tls.md
new file mode 100644
index 000000000..6f1ee9595
--- /dev/null
+++ b/changelog/unreleased/add-disable-tls.md
@@ -0,0 +1,8 @@
+Enhancement: Add option to disable TLS
+
+Can be used to disable TLS when the ocis-proxy is behind an
+TLS-Terminating reverse proxy.
+
+env PROXY_TLS=false or --tls=false
+
+https://github.com/owncloud/ocis-proxy/issues/71
diff --git a/pkg/config/config.go b/pkg/config/config.go
index d77ade733..72423f754 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -22,6 +22,7 @@ type HTTP struct {
 Root string
 TLSCert string
 TLSKey string
+ TLS bool
 }
 
 // Tracing defines the available tracing configuration.
diff --git a/pkg/flagset/flagset.go b/pkg/flagset/flagset.go
index 3d3081444..d7ad756d6 100644
--- a/pkg/flagset/flagset.go
+++ b/pkg/flagset/flagset.go
@@ -157,6 +157,13 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 EnvVars: []string{"PROXY_TRANSPORT_TLS_KEY"},
 Destination: &cfg.HTTP.TLSKey,
 },
+ &cli.BoolFlag{
+ Name: "tls",
+ Usage: "Use TLS (disable only if proxy is behind a TLS-terminating reverse-proxy).",
+ EnvVars: []string{"PROXY_TLS"},
+ Value: true,
+ Destination: &cfg.HTTP.TLS,
+ },
 &cli.StringFlag{
 Name: "jwt-secret",
 Value: "Pive-Fumkiu4",
diff --git a/pkg/server/http/server.go b/pkg/server/http/server.go
index 8442bf09c..292ac0e9d 100644
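Review bot: The new `TLS bool` field in the config.go hunk has a zero value of false, so TLS stays on only because the flagset hunk sets `Value: true` on the `tls` flag; any path that fills `config.HTTP` without going through `ServerWithConfig` (a config file, another command's flagset, a test) would get a plaintext listener by default, though whether such paths exist cannot be seen from this diff. Inverting the sense of the field keeps the zero value secure, e.g. `DisableTLS bool` with a `disable-tls` flag defaulting to false; failing that, a comment on the field should state where the default comes from: `TLS bool // HTTPS listener; the "tls" flag defaults this to true, the zero value means plaintext`.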
--- a/pkg/server/http/server.go +++ b/pkg/server/http/server.go @@ -18,26 +18,33 @@ func Server(opts ...Option) (svc.Service, error) { var cer tls.Certificate var certErr error - if httpCfg.TLSCert == "" || httpCfg.TLSKey == "" { - l.Warn().Msgf("No tls certificate provided, using a generated one") + var tlsConfig *tls.Config + if options.Config.HTTP.TLS { + if httpCfg.TLSCert == "" || httpCfg.TLSKey == "" { + l.Warn().Msgf("No tls certificate provided, using a generated one") + _, certErr := os.Stat("./server.crt") + _, keyErr := os.Stat("./server.key") - // GenCert has side effects as it writes 2 files to the binary running location - if err := crypto.GenCert(l); err != nil { - l.Fatal().Err(err).Msgf("Could not generate test-certificate") + if os.IsNotExist(certErr) || os.IsNotExist(keyErr) { + // GenCert has side effects as it writes 2 files to the binary running location + if err := crypto.GenCert(l); err != nil { + l.Fatal().Err(err).Msgf("Could not generate test-certificate") + os.Exit(1) + } + } + + httpCfg.TLSCert = "server.crt" + httpCfg.TLSKey = "server.key" } - httpCfg.TLSCert = "server.crt" - httpCfg.TLSKey = "server.key" + cer, certErr = tls.LoadX509KeyPair(httpCfg.TLSCert, httpCfg.TLSKey) + if certErr != nil { + options.Logger.Fatal().Err(certErr).Msg("Could not setup TLS") + os.Exit(1) + } + + tlsConfig = &tls.Config{Certificates: []tls.Certificate{cer}} } - - cer, certErr = tls.LoadX509KeyPair(httpCfg.TLSCert, httpCfg.TLSKey) - - if certErr != nil { - options.Logger.Fatal().Err(certErr).Msg("Could not setup TLS") - os.Exit(1) - } - - tlsConfig := &tls.Config{Certificates: []tls.Certificate{cer}} chain := options.Middlewares.Then(options.Handler) service := svc.NewService(
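Review bot: `_, certErr := os.Stat("./server.crt")` declares a new `certErr` that shadows the function-level `var certErr error`; it is harmless today because the outer variable is later assigned with `=`, but it trips shadow checkers and is easy to confuse, so rename it, e.g. `_, crtStatErr := os.Stat("./server.crt")` and `if os.IsNotExist(crtStatErr) || os.IsNotExist(keyErr) {`. The same branch also changes the no-certificate path from regenerating on every start to reusing whatever `server.crt`/`server.key` already exist in the working directory, so an expired or otherwise stale generated pair is now loaded with no check beyond `tls.LoadX509KeyPair` parsing it; a log line naming the files being reused, and ideally a check of the certificate's validity period before reuse, would keep that visible. When `options.Config.HTTP.TLS` is false the hunk leaves `tlsConfig` nil and silently ignores any configured `TLSCert`/`TLSKey`; an `else` branch with `l.Warn().Msg("TLS disabled, listening in plaintext")` makes the mode explicit in logs. `var cer` and `var certErr` are now only used inside the `if options.Config.HTTP.TLS` block and could move into it. The enclosing `Server` function starts before and ends after this hunk, and the `svc.NewService(` call that receives `tlsConfig` continues outside it, so whether a nil config is treated as "no TLS" cannot be confirmed here.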