fix: https enhancement
@@ -10,6 +10,8 @@ logger:
|
|||||||
|
|
||||||
# rest agent listen ipv4/v6 and port, support multiple routines
|
# rest agent listen ipv4/v6 and port, support multiple routines
|
||||||
# ip: 0.0.0.0 or ::0, support IPv4/v6
|
# ip: 0.0.0.0 or ::0, support IPv4/v6
|
||||||
|
# clientAuthType: 0:NoClientCert (default), 1:RequestClientCert, 2:RequireAnyClientCert,
|
||||||
|
# 3:VerifyClientCertIfGiven, 4:RequireAndVerifyClientCerts
|
||||||
rest:
|
rest:
|
||||||
- ipv4: 0.0.0.0
|
- ipv4: 0.0.0.0
|
||||||
ipv6:
|
ipv6:
|
||||||
@@ -18,6 +20,7 @@ rest:
|
|||||||
ipv6:
|
ipv6:
|
||||||
port: 3443
|
port: 3443
|
||||||
schema: https
|
schema: https
|
||||||
|
clientAuthType: 0
|
||||||
caFile: /usr/local/omc/etc/certs/omc-ca.crt
|
caFile: /usr/local/omc/etc/certs/omc-ca.crt
|
||||||
certFile: /usr/local/omc/etc/certs/omc-server.crt
|
certFile: /usr/local/omc/etc/certs/omc-server.crt
|
||||||
keyFile: /usr/local/omc/etc/certs/omc-server.key
|
keyFile: /usr/local/omc/etc/certs/omc-server.key
|
||||||
@@ -30,6 +33,7 @@ webServer:
|
|||||||
schema: http
|
schema: http
|
||||||
- addr: :443
|
- addr: :443
|
||||||
schema: https
|
schema: https
|
||||||
|
clientAuthType: 0
|
||||||
caFile: /usr/local/omc/etc/certs/omc-ca.crt
|
caFile: /usr/local/omc/etc/certs/omc-ca.crt
|
||||||
certFile: /usr/local/omc/etc/certs/omc-server.crt
|
certFile: /usr/local/omc/etc/certs/omc-server.crt
|
||||||
keyFile: /usr/local/omc/etc/certs/omc-server.key
|
keyFile: /usr/local/omc/etc/certs/omc-server.key
|
||||||
|
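Review bot: The new `clientAuthType: 0` entries are placed under listeners whose protocol key is spelled `schema:` (`schema: https` for the rest listener and for the `:443` webServer listener, `schema: http` for the first webServer listener), while the YamlConfig struct changed in this same commit reads the key `scheme` (Scheme string with yaml tag "scheme"). If this file is decoded into that struct, Scheme stays empty for every listener, main takes the plain-HTTP branch, and the client-auth setting added here never takes effect. The fix is the key name on all three listeners, `scheme: https` / `scheme: http`, so this file matches the second config file in the commit, which already uses `scheme:` for its TLS listeners.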
|||||||
@@ -31,24 +31,26 @@ type YamlConfig struct {
|
|||||||
} `yaml:"logger"`
|
} `yaml:"logger"`
|
||||||
|
|
||||||
Rest []struct {
|
Rest []struct {
|
||||||
IPv4 string `yaml:"ipv4"`
|
IPv4 string `yaml:"ipv4"`
|
||||||
IPv6 string `yaml:"ipv6"`
|
IPv6 string `yaml:"ipv6"`
|
||||||
Port uint16 `yaml:"port"`
|
Port uint16 `yaml:"port"`
|
||||||
Scheme string `yaml:"scheme"`
|
Scheme string `yaml:"scheme"`
|
||||||
CaFile string `yaml:"caFile"`
|
ClientAuthType int `yaml:"clientAuthType"`
|
||||||
CertFile string `yaml:"certFile"`
|
CaFile string `yaml:"caFile"`
|
||||||
KeyFile string `yaml:"keyFile"`
|
CertFile string `yaml:"certFile"`
|
||||||
|
KeyFile string `yaml:"keyFile"`
|
||||||
} `yaml:"rest"`
|
} `yaml:"rest"`
|
||||||
|
|
||||||
WebServer struct {
|
WebServer struct {
|
||||||
Enabled bool `yaml:"enabled"`
|
Enabled bool `yaml:"enabled"`
|
||||||
RootDir string `yaml:"rootDir"`
|
RootDir string `yaml:"rootDir"`
|
||||||
Listen []struct {
|
Listen []struct {
|
||||||
Addr string `yaml:"addr"`
|
Addr string `yaml:"addr"`
|
||||||
Scheme string `yaml:"scheme"`
|
Scheme string `yaml:"scheme"`
|
||||||
CaFile string `yaml:"caFile"`
|
ClientAuthType int `yaml:"clientAuthType"`
|
||||||
CertFile string `yaml:"certFile"`
|
CaFile string `yaml:"caFile"`
|
||||||
KeyFile string `yaml:"keyFile"`
|
CertFile string `yaml:"certFile"`
|
||||||
|
KeyFile string `yaml:"keyFile"`
|
||||||
} `yaml:"listen"`
|
} `yaml:"listen"`
|
||||||
} `yaml:"webServer"`
|
} `yaml:"webServer"`
|
||||||
|
|
||||||
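Review bot: `ClientAuthType int` is added to both the Rest and WebServer.Listen structs without a comment, and main passes its value straight through to be converted into tls.ClientAuthType, so nothing in the type tells a reader which integers are meaningful or what the zero value means. Add a field comment on both fields, e.g. `// ClientAuthType maps 1:1 onto tls.ClientAuthType: 0 NoClientCert (default), 1 RequestClientCert, 2 RequireAnyClientCert, 3 VerifyClientCertIfGiven, 4 RequireAndVerifyClientCert.`, mirroring the comment block the commit adds to the config files. A range check right after the YAML is decoded would document and enforce this at once, but the decode site is outside this hunk.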
|
|||||||
@@ -10,6 +10,8 @@ logger:
|
|||||||
|
|
||||||
# rest agent listen ipv4/v6 and port, support multiple routines
|
# rest agent listen ipv4/v6 and port, support multiple routines
|
||||||
# ip: 0.0.0.0 or ::0, support IPv4/v6
|
# ip: 0.0.0.0 or ::0, support IPv4/v6
|
||||||
|
# clientAuthType: 0:NoClientCert (default), 1:RequestClientCert, 2:RequireAnyClientCert,
|
||||||
|
# 3:VerifyClientCertIfGiven, 4:RequireAndVerifyClientCerts
|
||||||
rest:
|
rest:
|
||||||
- ipv4: 0.0.0.0
|
- ipv4: 0.0.0.0
|
||||||
ipv6:
|
ipv6:
|
||||||
@@ -18,6 +20,7 @@ rest:
|
|||||||
ipv6:
|
ipv6:
|
||||||
port: 3443
|
port: 3443
|
||||||
scheme: https
|
scheme: https
|
||||||
|
clientAuthType: 0
|
||||||
caFile: ./etc/certs/omc-ca.crt
|
caFile: ./etc/certs/omc-ca.crt
|
||||||
certFile: ./etc/certs/omc-server.crt
|
certFile: ./etc/certs/omc-server.crt
|
||||||
keyFile: ./etc/certs/omc-server.key
|
keyFile: ./etc/certs/omc-server.key
|
||||||
@@ -30,6 +33,7 @@ webServer:
|
|||||||
schema: http
|
schema: http
|
||||||
- addr: :443
|
- addr: :443
|
||||||
scheme: https
|
scheme: https
|
||||||
|
clientAuthType: 0
|
||||||
caFile: ./etc/certs/omc-ca.crt
|
caFile: ./etc/certs/omc-ca.crt
|
||||||
certFile: ./etc/certs/omc-server.crt
|
certFile: ./etc/certs/omc-server.crt
|
||||||
keyFile: ./etc/certs/omc-server.key
|
keyFile: ./etc/certs/omc-server.key
|
||||||
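Review bot: `schema: http` on the first webServer listener still uses the misspelled key while the other listeners in this file use `scheme:`; because YamlConfig reads yaml tag "scheme", that listener's Scheme decodes empty and only happens to land in the HTTP branch in main, so the typo is harmless today but will silently keep serving plain HTTP the moment someone changes the value to https. Change it to `scheme: http` so the whole file uses one key. The comment block added above `rest:` could also say that with `clientAuthType: 0` the caFile is read but no client certificate is requested, so operators who want mutual TLS must set 4.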
|
|||||||
@@ -74,8 +74,8 @@ func HttpListen(addr string, router http.Handler) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func HttpListenTLS(addr, caFile, certFile, keyFile string, router http.Handler) {
|
func HttpListenTLS(addr, caFile, certFile, keyFile string, clientAuthType int, router http.Handler) {
|
||||||
HttpListenConfigTLS(addr, caFile, certFile, keyFile, router)
|
HttpListenConfigTLS(addr, caFile, certFile, keyFile, clientAuthType, router)
|
||||||
err := http.ListenAndServeTLS(addr, certFile, keyFile, router)
|
err := http.ListenAndServeTLS(addr, certFile, keyFile, router)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
fmt.Println("ListenAndServeTLS err:", err)
|
fmt.Println("ListenAndServeTLS err:", err)
|
||||||
@@ -83,7 +83,7 @@ func HttpListenTLS(addr, caFile, certFile, keyFile string, router http.Handler)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func HttpListenConfigTLS(addr, caFile, certFile, keyFile string, router http.Handler) {
|
func HttpListenConfigTLS(addr, caFile, certFile, keyFile string, clientAuthType int, router http.Handler) {
|
||||||
// 加载根证书
|
// 加载根证书
|
||||||
caCert, err := os.ReadFile(caFile)
|
caCert, err := os.ReadFile(caFile)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@@ -97,7 +97,7 @@ func HttpListenConfigTLS(addr, caFile, certFile, keyFile string, router http.Han
|
|||||||
MinVersion: tls.VersionTLS10,
|
MinVersion: tls.VersionTLS10,
|
||||||
MaxVersion: tls.VersionTLS13,
|
MaxVersion: tls.VersionTLS13,
|
||||||
ClientCAs: caCertPool,
|
ClientCAs: caCertPool,
|
||||||
//ClientAuth: tls.RequireAndVerifyClientCert,
|
ClientAuth: tls.ClientAuthType(clientAuthType),
|
||||||
}
|
}
|
||||||
|
|
||||||
// 创建HTTP服务器
|
// 创建HTTP服务器
|
||||||
@@ -114,8 +114,8 @@ func HttpListenConfigTLS(addr, caFile, certFile, keyFile string, router http.Han
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func HttpListenWebServerTLS(addr, caFile, certFile, keyFile string) {
|
func HttpListenWebServerTLS(addr, caFile, certFile, keyFile string, clientAuthType int) {
|
||||||
HttpListenConfigTLS(addr, caFile, certFile, keyFile, nil)
|
HttpListenConfigTLS(addr, caFile, certFile, keyFile, clientAuthType, nil)
|
||||||
err := http.ListenAndServeTLS(addr, certFile, keyFile, nil)
|
err := http.ListenAndServeTLS(addr, certFile, keyFile, nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
fmt.Println("ListenAndServeTLS err:", err)
|
fmt.Println("ListenAndServeTLS err:", err)
|
||||||
@@ -194,7 +194,7 @@ func main() {
|
|||||||
if rest.IPv4 != "" {
|
if rest.IPv4 != "" {
|
||||||
listen := rest.IPv4 + ":" + strconv.Itoa(int(rest.Port))
|
listen := rest.IPv4 + ":" + strconv.Itoa(int(rest.Port))
|
||||||
if strings.ToLower(rest.Scheme) == "https" {
|
if strings.ToLower(rest.Scheme) == "https" {
|
||||||
go HttpListenTLS(listen, rest.CaFile, rest.CertFile, rest.KeyFile, app)
|
go HttpListenTLS(listen, rest.CaFile, rest.CertFile, rest.KeyFile, rest.ClientAuthType, app)
|
||||||
} else {
|
} else {
|
||||||
go HttpListen(listen, app)
|
go HttpListen(listen, app)
|
||||||
}
|
}
|
||||||
@@ -203,7 +203,7 @@ func main() {
|
|||||||
// 默认启动localhost侦听
|
// 默认启动localhost侦听
|
||||||
listenLocal := "127.0.0.1" + ":" + strconv.Itoa(int(rest.Port))
|
listenLocal := "127.0.0.1" + ":" + strconv.Itoa(int(rest.Port))
|
||||||
if strings.ToLower(rest.Scheme) == "https" {
|
if strings.ToLower(rest.Scheme) == "https" {
|
||||||
go HttpListenTLS(listenLocal, rest.CaFile, rest.CertFile, rest.KeyFile, app)
|
go HttpListenTLS(listenLocal, rest.CaFile, rest.CertFile, rest.KeyFile, rest.ClientAuthType, app)
|
||||||
} else {
|
} else {
|
||||||
go HttpListen(listenLocal, app)
|
go HttpListen(listenLocal, app)
|
||||||
}
|
}
|
||||||
@@ -212,7 +212,7 @@ func main() {
|
|||||||
if rest.IPv6 != "" {
|
if rest.IPv6 != "" {
|
||||||
listenv6 := "[" + rest.IPv6 + "]" + ":" + strconv.Itoa(int(rest.Port))
|
listenv6 := "[" + rest.IPv6 + "]" + ":" + strconv.Itoa(int(rest.Port))
|
||||||
if strings.ToLower(rest.Scheme) == "https" {
|
if strings.ToLower(rest.Scheme) == "https" {
|
||||||
go HttpListenTLS(listenv6, rest.CaFile, rest.CertFile, rest.KeyFile, app)
|
go HttpListenTLS(listenv6, rest.CaFile, rest.CertFile, rest.KeyFile, rest.ClientAuthType, app)
|
||||||
} else {
|
} else {
|
||||||
go HttpListen(listenv6, app)
|
go HttpListen(listenv6, app)
|
||||||
}
|
}
|
||||||
@@ -234,7 +234,7 @@ func main() {
|
|||||||
http.Handle("/", fs)
|
http.Handle("/", fs)
|
||||||
for _, listen := range conf.WebServer.Listen {
|
for _, listen := range conf.WebServer.Listen {
|
||||||
if strings.ToLower(listen.Scheme) == "https" {
|
if strings.ToLower(listen.Scheme) == "https" {
|
||||||
go HttpListenWebServerTLS(listen.Addr, listen.CaFile, listen.CertFile, listen.KeyFile)
|
go HttpListenWebServerTLS(listen.Addr, listen.CaFile, listen.CertFile, listen.KeyFile, listen.ClientAuthType)
|
||||||
} else {
|
} else {
|
||||||
go HttpListenWebServer(listen.Addr)
|
go HttpListenWebServer(listen.Addr)
|
||||||
}
|
}
|
||||||
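Review bot: `ClientAuth: tls.ClientAuthType(clientAuthType)` in HttpListenConfigTLS converts the configured integer without checking it, so a value outside 0–4 is accepted silently and crypto/tls does not reject it; validate once before building the config, e.g. `if clientAuthType < int(tls.NoClientCert) || clientAuthType > int(tls.RequireAndVerifyClientCert) { fmt.Println("invalid clientAuthType:", clientAuthType); return }`, since the same unchecked int arrives from all four call sites in main (`rest.ClientAuthType` and `listen.ClientAuthType`). Separately, HttpListenTLS and HttpListenWebServerTLS still call `http.ListenAndServeTLS(addr, certFile, keyFile, ...)` immediately after HttpListenConfigTLS; if HttpListenConfigTLS can return without serving, that fallback listener runs with the default tls.Config and enforces no client-auth policy at all — most of HttpListenConfigTLS's body is outside these hunks, so confirm which of the two actually binds the address. The context line `MinVersion: tls.VersionTLS10` also leaves TLS 1.0/1.1 enabled for the mutual-TLS listener; raising it to `tls.VersionTLS12` would be a worthwhile follow-up.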
|
|||||||