handlers.go: Added parameter for TLS min version

rest-server/main.go: Added parameter handling for TLS min version

rest-server/main.go: Added crypto/tls, implemented and configured the tlsConfig object
This commit is contained in:
darkspir
2024-12-05 12:58:02 +01:00
parent 2513a698f3
commit ddc5ad1a3c
2 changed files with 33 additions and 0 deletions


@@ -7,6 +7,7 @@ import (
"log"
"net"
"net/http"
"crypto/tls"
"os"
"os/signal"
"path/filepath"
@@ -47,6 +48,7 @@ func newRestServerApp() *restServerApp {
Server: restserver.Server{
Path: filepath.Join(os.TempDir(), "restic"),
Listen: ":8000",
TLSMinVer: "1.2",
},
}
rv.CmdRoot.RunE = rv.runRoot
@@ -61,6 +63,7 @@ func newRestServerApp() *restServerApp {
flags.BoolVar(&rv.Server.TLS, "tls", rv.Server.TLS, "turn on TLS support")
flags.StringVar(&rv.Server.TLSCert, "tls-cert", rv.Server.TLSCert, "TLS certificate path")
flags.StringVar(&rv.Server.TLSKey, "tls-key", rv.Server.TLSKey, "TLS key path")
flags.StringVar(&rv.Server.TLSMinVer, "tls-min-ver", rv.Server.TLSMinVer, "TLS min version (default: 1.2)")
flags.BoolVar(&rv.Server.NoAuth, "no-auth", rv.Server.NoAuth, "disable .htpasswd authentication")
flags.StringVar(&rv.Server.HtpasswdPath, "htpasswd-file", rv.Server.HtpasswdPath, "location of .htpasswd file (default: \"<data directory>/.htpasswd)\"")
flags.BoolVar(&rv.Server.NoVerifyUpload, "no-verify-upload", rv.Server.NoVerifyUpload,
@@ -162,8 +165,37 @@ func (app *restServerApp) runRoot(cmd *cobra.Command, args []string) error {
app.listenerAddress = listener.Addr()
app.listenerAddressMu.Unlock()
tlscfg := &tls.Config{
MinVersion: tls.VersionTLS12,
CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
CipherSuites: []uint16{
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
},
}
switch app.Server.TLSMinVer {
case "1.0":
// Only available with GODEBUG="tls10server=1"
tlscfg.MinVersion = tls.VersionTLS10
case "1.1":
// Only available with GODEBUG="tls10server=1"
tlscfg.MinVersion = tls.VersionTLS11
case "1.2":
tlscfg.MinVersion = tls.VersionTLS12
case "1.3":
tlscfg.MinVersion = tls.VersionTLS13
default:
tlscfg.MinVersion = tls.VersionTLS12
}
srv := &http.Server{
Handler: handler,
TLSConfig: tlscfg,
}
// run server in background
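Review bot: The `default:` arm of `switch app.Server.TLSMinVer` silently maps any unrecognised `--tls-min-ver` value (a typo such as `1,2` or `tls1.3`) to TLS 1.2, so the operator never learns their setting was ignored; since runRoot already returns an error, reject it instead: `default: return fmt.Errorf("unsupported --tls-min-ver %q (expected 1.0, 1.1, 1.2 or 1.3)", app.Server.TLSMinVer)` (assuming `fmt` is imported — the import block is only partly visible). The hard-coded `CurvePreferences` list omits X25519, which is Go's default key-exchange curve and, in recent releases, the carrier of the post-quantum hybrid; unless P-521 is a deliberate requirement I would leave the field unset or list `tls.X25519` first. The `GODEBUG="tls10server=1"` comments on the 1.0 and 1.1 arms look inaccurate as far as I can tell: that setting only changes the server default when `MinVersion` is zero, and here it is set explicitly, so those versions are accepted without it — worth confirming against the Go version in go.mod and correcting the comment so nobody assumes 1.0/1.1 are off unless GODEBUG is set. The `CipherSuites` list only governs TLS 1.2 in Go (1.3 suites are fixed), so a comment such as `// CipherSuites apply to TLS 1.2 only; TLS 1.3 suites are fixed by Go` would save the next reader a question. runRoot continues outside the hunk.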


@@ -22,6 +22,7 @@ type Server struct {
CPUProfile string
TLSKey string
TLSCert string
TLSMinVer string
TLS bool
NoAuth bool
AppendOnly bool
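Review bot: The new `TLSMinVer string` field carries an accepted-values contract that nothing on the exported `Server` type records, so a caller of restserver.Server has to read main.go to learn what to put in it; a field comment such as `// TLSMinVer is the minimum TLS version to accept: "1.0", "1.1", "1.2" or "1.3" (default "1.2").` would fix that. Parsing the string once here (or validating it in the flag handling) rather than at listen time would also let bad values be reported early, but the parsing code sits in main.go outside this section. The Server struct continues outside the hunk.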