Merge pull request #38 from acoshift/merge-tls

auto start tls if config
moonrhythm · Jul 19, 2018 · f3d80b3 · f3d80b3
2 parents bd53655 + 0cf4165
commit f3d80b3
Show file tree

Hide file tree

Showing 6 changed files with 93 additions and 0 deletions.
diff --git a/app.go b/app.go
@@ -55,6 +55,8 @@ type App struct {
 	templateFuncs []template.FuncMap
 
 	gracefulShutdown *gracefulShutdown
+
+	certFile, keyFile string
 }
 
 var (
@@ -124,6 +126,10 @@ func (app *App) listenAndServeTLS(certFile, keyFile string) error {
 
 // ListenAndServe starts web server
 func (app *App) ListenAndServe() error {
+	if app.certFile != "" && app.keyFile != "" {
+		return app.ListenAndServeTLS(app.certFile, app.keyFile)
+	}
+
 	if app.gracefulShutdown != nil {
 		return app.GracefulShutdown().ListenAndServe()
 	}

diff --git a/config.go b/config.go
@@ -22,6 +22,8 @@ type AppConfig struct {
 			Timeout string `yaml:"timeout" json:"timeout"`
 			Wait    string `yaml:"wait" json:"wait"`
 		} `yaml:"gracefulShutdown" json:"gracefulShutdown"`
+		CertFile string `yaml:"certFile" json:"certFile"`
+		KeyFile  string `yaml:"keyFile" json:"keyFile"`
 	} `yaml:"server" json:"server"`
 }
 
@@ -82,6 +84,8 @@ func (app *App) Config(config AppConfig) *App {
 	parseDuration(config.Server.ReadHeaderTimeout, &app.ReadHeaderTimeout)
 	parseDuration(config.Server.WriteTimeout, &app.WriteTimeout)
 	parseDuration(config.Server.IdleTimeout, &app.IdleTimeout)
+	app.certFile = config.Server.CertFile
+	app.keyFile = config.Server.KeyFile
 
 	// load graceful config
 	if config.Server.GracefulShutdown != nil {

diff --git a/config_internal_test.go b/config_internal_test.go
@@ -35,6 +35,8 @@ func TestConfig(t *testing.T) {
 			assert.Equal(t, 5*time.Second, app.ReadHeaderTimeout)
 			assert.Equal(t, 6*time.Second, app.WriteTimeout)
 			assert.Equal(t, 30*time.Second, app.IdleTimeout)
+			assert.Equal(t, "tls.crt", app.certFile)
+			assert.Equal(t, "tls.key", app.keyFile)
 
 			// graceful
 			assert.NotNil(t, app.gracefulShutdown)

diff --git a/graceful.go b/graceful.go
@@ -93,6 +93,10 @@ func (gs *GracefulShutdownApp) start(listenAndServe func() error) (err error) {
 
 // ListenAndServe starts web server in graceful shutdown mode
 func (gs *GracefulShutdownApp) ListenAndServe() error {
+	if gs.App.certFile != "" && gs.App.keyFile != "" {
+		return gs.ListenAndServeTLS(gs.App.certFile, gs.App.keyFile)
+	}
+
 	return gs.start(gs.App.listenAndServe)
 }
 

diff --git a/testdata/config1.yaml b/testdata/config1.yaml
@@ -22,6 +22,8 @@ server:
   readHeaderTimeout: 5s
   writeTimeout: 6s
   idleTimeout: 30s
+  certFile: tls.crt
+  keyFile: tls.key
   gracefulShutdown:
     timeout: 1m
     wait: 5s
diff --git a/tls.go b/tls.go
@@ -0,0 +1,75 @@
+package hime
+
+import (
+	"crypto/tls"
+)
+
+// Restricted is the tls config for restricted mode
+var Restricted = tls.Config{
+	MinVersion: tls.VersionTLS12,
+	CurvePreferences: []tls.CurveID{
+		tls.CurveP521,
+		tls.CurveP384,
+		tls.CurveP256,
+	},
+	PreferServerCipherSuites: true,
+	CipherSuites: []uint16{
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+	},
+}
+
+// Modern is the tls config for modern mode
+var Modern = tls.Config{
+	MinVersion: tls.VersionTLS12,
+	CurvePreferences: []tls.CurveID{
+		tls.CurveP521,
+		tls.CurveP384,
+		tls.CurveP256,
+	},
+	PreferServerCipherSuites: true,
+	CipherSuites: []uint16{
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+	},
+}
+
+// Compatible is the tls config for compatible mode
+var Compatible = tls.Config{
+	MinVersion: tls.VersionTLS10,
+	CurvePreferences: []tls.CurveID{
+		tls.CurveP521,
+		tls.CurveP384,
+		tls.CurveP256,
+	},
+	PreferServerCipherSuites: true,
+	CipherSuites: []uint16{
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+		tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+		tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+		tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+		tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+	},
+}