confiG: add more tls config

moonrhythm · Jul 21, 2018 · 51566d3 · 51566d3
1 parent 800aae8
commit 51566d3
Show file tree

Hide file tree

Showing 3 changed files with 74 additions and 25 deletions.
diff --git a/app.go b/app.go
@@ -57,7 +57,6 @@ type App struct {
 	gracefulShutdown *gracefulShutdown
 
 	certFile, keyFile string
-	tlsProfile        string
 }
 
 var (
@@ -111,17 +110,6 @@ func (app *App) configServer() {
 	app.srv.ConnState = app.ConnState
 	app.srv.ErrorLog = app.ErrorLog
 	app.srv.Handler = app
-
-	if app.srv.TLSConfig == nil {
-		switch app.tlsProfile {
-		case "restricted":
-			app.srv.TLSConfig = &Restricted
-		case "modern":
-			app.srv.TLSConfig = &Modern
-		case "compatible":
-			app.srv.TLSConfig = &Compatible
-		}
-	}
 }
 
 func (app *App) listenAndServe() error {

diff --git a/config.go b/config.go
@@ -1,7 +1,9 @@
 package hime
 
 import (
+	"crypto/tls"
 	"io/ioutil"
+	"log"
 	"strings"
 	"time"
 
@@ -24,9 +26,12 @@ type AppConfig struct {
 			Wait    string `yaml:"wait" json:"wait"`
 		} `yaml:"gracefulShutdown" json:"gracefulShutdown"`
 		TLS *struct {
-			CertFile string `yaml:"certFile" json:"certFile"`
-			KeyFile  string `yaml:"keyFile" json:"keyFile"`
-			Profile  string `yaml:"profile" json:"profile"`
+			CertFile   string   `yaml:"certFile" json:"certFile"`
+			KeyFile    string   `yaml:"keyFile" json:"keyFile"`
+			Profile    string   `yaml:"profile" json:"profile"`
+			MinVersion string   `yaml:"minVersion" json:"minVersion"`
+			MaxVersion string   `yaml:"maxVersion" json:"maxVersion"`
+			Curves     []string `yaml:"curves" json:"curves"`
 		} `yaml:"tls" json:"tls"`
 		HTTPSRedirect *struct {
 			Addr string `json:"addr"`
@@ -95,17 +100,69 @@ func (app *App) Config(config AppConfig) *App {
 		parseDuration(server.WriteTimeout, &app.WriteTimeout)
 		parseDuration(server.IdleTimeout, &app.IdleTimeout)
 
-		if tls := server.TLS; tls != nil {
-			// TODO: auto generate self-signed tls if cert file, key file empty
-			if tls.CertFile != "" {
-				app.certFile = tls.CertFile
+		if t := server.TLS; t != nil {
+			var tlsConfig *tls.Config
+
+			switch strings.ToLower(t.Profile) {
+			case "restricted":
+				tlsConfig = Restricted.Clone()
+			case "modern":
+				tlsConfig = Modern.Clone()
+			case "compatible":
+				tlsConfig = Compatible.Clone()
+			default:
+				tlsConfig = &tls.Config{}
+			}
+
+			switch strings.ToLower(t.MinVersion) {
+			case "ssl3.0":
+				tlsConfig.MinVersion = tls.VersionSSL30
+			case "tls1.0":
+				tlsConfig.MinVersion = tls.VersionTLS10
+			case "tls1.1":
+				tlsConfig.MinVersion = tls.VersionTLS11
+			case "tls1.2":
+				tlsConfig.MinVersion = tls.VersionTLS12
+			}
+
+			switch strings.ToLower(t.MaxVersion) {
+			case "ssl3.0":
+				tlsConfig.MaxVersion = tls.VersionSSL30
+			case "tls1.0":
+				tlsConfig.MaxVersion = tls.VersionTLS10
+			case "tls1.1":
+				tlsConfig.MaxVersion = tls.VersionTLS11
+			case "tls1.2":
+				tlsConfig.MaxVersion = tls.VersionTLS12
 			}
-			if tls.KeyFile != "" {
-				app.keyFile = tls.KeyFile
+
+			if t.Curves != nil {
+				tlsConfig.CurvePreferences = []tls.CurveID{}
+				for _, c := range t.Curves {
+					switch strings.ToLower(c) {
+					case "p256":
+						tlsConfig.CurvePreferences = append(tlsConfig.CurvePreferences, tls.CurveP256)
+					case "p384":
+						tlsConfig.CurvePreferences = append(tlsConfig.CurvePreferences, tls.CurveP384)
+					case "p521":
+						tlsConfig.CurvePreferences = append(tlsConfig.CurvePreferences, tls.CurveP521)
+					case "x25519":
+						tlsConfig.CurvePreferences = append(tlsConfig.CurvePreferences, tls.X25519)
+					default:
+						log.Panicf("hime: unknown tls curve '%s'", c)
+					}
+				}
 			}
-			if tls.Profile != "" {
-				app.tlsProfile = strings.ToLower(tls.Profile)
+
+			// TODO: auto generate self-signed tls if cert file, key file empty
+			if t.CertFile != "" {
+				app.certFile = t.CertFile
 			}
+			if t.KeyFile != "" {
+				app.keyFile = t.KeyFile
+			}
+
+			app.srv.TLSConfig = tlsConfig
 		}
 
 		if gs := server.GracefulShutdown; gs != nil {
@@ -122,7 +179,12 @@ func (app *App) Config(config AppConfig) *App {
 				rd.Addr = ":80"
 			}
 
-			go StartHTTPSRedirectServer(rd.Addr)
+			go func() {
+				err := StartHTTPSRedirectServer(rd.Addr)
+				if err != nil {
+					log.Panicf("hime: start https redirect server error; %v", err)
+				}
+			}()
 		}
 	}
 

diff --git a/config_internal_test.go b/config_internal_test.go
@@ -37,7 +37,6 @@ func TestConfig(t *testing.T) {
 			assert.Equal(t, 30*time.Second, app.IdleTimeout)
 			assert.Equal(t, "tls.crt", app.certFile)
 			assert.Equal(t, "tls.key", app.keyFile)
-			assert.Equal(t, "modern", app.tlsProfile)
 
 			// graceful
 			assert.NotNil(t, app.gracefulShutdown)