feat(server): simplify TLS usage

2025-04-05 18:03:41 +00:00 · 2020-08-20 12:32:44 +00:00 · 2020-08-20 12:32:44 +00:00 · 1ee71be4c5
commit 1ee71be4c5
parent 7433f69c92
7 changed files with 19 additions and 38 deletions
--- a/README.md
+++ b/README.md
@ -324,13 +324,11 @@ You can find a small HTTP client in the ["tooling" directory](./tooling/httpsig/
 You can activate TLS to secure communications:

 ```bash
-$ export WHD_TLS_LISTEN_ADDR=:8443
+$ export WHD_TLS=true
 $ # or
-$ webhookd --tls-listen-addr=:8443
+$ webhookd --tls
 ```

-This will disable HTTP port.
-
 By default webhookd is expecting a certificate and key file (`./server.pem` and `./server.key`).
 You can provide your own certificate and key with `-tls-cert-file` and `-tls-key-file`.

@ -338,10 +336,10 @@ Webhookd also support [ACME](https://ietf-wg-acme.github.io/acme/) protocol.
 You can activate ACME by setting a fully qualified domain name:

 ```bash
-$ export WHD_TLS_LISTEN_ADDR=:8443
+$ export WHD_TLS=true
 $ export WHD_TLS_DOMAIN=hook.example.com
 $ # or
-$ webhookd --tls-listen-addr=:8443 --tls-domain=hook.example.com
+$ webhookd --tls --tls-domain=hook.example.com
 ```

 **Note:**
--- a/etc/default/webhookd.env
+++ b/etc/default/webhookd.env
@ -43,9 +43,8 @@
 # Example: `/etc/webhookd/pubkey.pem`
 #WHD_TRUST_STORE_FILE=

-# TLS listend address, disabled by default
-# Example: `localhost:8443` or `:8443` for all interfaces
-#WHD_TLS_LISTEN_ADDR=
+# Activate TLS, default is false
+#WHD_TLS=false

 # TLS key file, default is "./server.key"
 #WHD_TLS_KEY_FILE="./server.key"
--- a/main.go
+++ b/main.go
@ -71,14 +71,10 @@ func main() {
 		close(done)
 	}()

-	addr := conf.ListenAddr
-	if conf.TLSListenAddr != "" {
-		addr = conf.TLSListenAddr
-	}
-	logger.Info.Println("server is ready to handle requests at", addr)
+	logger.Info.Println("server is ready to handle requests at", conf.ListenAddr)
 	api.Start()
 	if err := srv.ListenAndServe(); err != nil && err != http.ErrServerClosed {
-		logger.Error.Fatalf("could not listen on %s : %v\n", addr, err)
+		logger.Error.Fatalf("could not listen on %s : %v\n", conf.ListenAddr, err)
 	}

 	<-done
--- a/pkg/api/router.go
+++ b/pkg/api/router.go
@ -21,7 +21,7 @@ func NewRouter(conf *config.Config) *http.ServeMux {
 	router := http.NewServeMux()

 	var middlewares = commonMiddlewares
-	if conf.TLSListenAddr != "" {
+	if conf.TLS {
 		middlewares = append(middlewares, middleware.HSTS)
 	}

--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@ -3,7 +3,7 @@ package config
 // Config contain global configuration
 type Config struct {
 	ListenAddr      string `flag:"listen-addr" desc:"HTTP listen address" default:":8080"`
-	TLSListenAddr   string `flag:"tls-listen-addr" desc:"TLS listen address"`
+	TLS             bool   `flag:"tls" desc:"Activate TLS" default:"false"`
 	TLSCertFile     string `flag:"tls-cert-file" desc:"TLS certificate file" default:"server.pem"`
 	TLSKeyFile      string `flag:"tls-key-file" desc:"TLS key file" default:"server.key"`
 	TLSDomain       string `flag:"tls-domain" desc:"TLS domain name used by ACME"`
--- a/pkg/middleware/hsts.go
+++ b/pkg/middleware/hsts.go
@ -8,6 +8,7 @@ import (
 func HSTS(inner http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Strict-Transport-Security", "max-age=15768000 ; includeSubDomains")
+		inner.ServeHTTP(w, r)
 		return
 	})
 }
--- a/pkg/server/server.go
+++ b/pkg/server/server.go
@ -36,9 +36,8 @@ type Server struct {
 func (s *Server) ListenAndServe() error {
 	if s.tls {
 		return s.self.ListenAndServeTLS(s.certFile, s.keyFile)
-	} else {
-		return s.self.ListenAndServe()
 	}
+	return s.self.ListenAndServe()
 }

 // Shutdown stop HTTP(s) server
@ -49,23 +48,17 @@ func (s *Server) Shutdown(ctx context.Context) error {

 // NewServer create new HTTP(s) server
 func NewServer(cfg *config.Config) *Server {
-	server := &Server{}
-	if cfg.TLSListenAddr == "" {
-		// Simple HTTP server
-		server.self = &http.Server{
+	server := &Server{
+		tls: cfg.TLS,
+		self: &http.Server{
 			Addr:     cfg.ListenAddr,
 			Handler:  api.NewRouter(cfg),
 			ErrorLog: logger.Error,
-		}
-		server.tls = false
-	} else {
+		},
+	}
+	if server.tls {
 		// HTTPs server
 		if cfg.TLSDomain == "" {
-			server.self = &http.Server{
-				Addr:     cfg.TLSListenAddr,
-				Handler:  api.NewRouter(cfg),
-				ErrorLog: logger.Error,
-			}
 			server.certFile = cfg.TLSCertFile
 			server.keyFile = cfg.TLSKeyFile
 		} else {
@ -74,16 +67,10 @@ func NewServer(cfg *config.Config) *Server {
 				Prompt:     autocert.AcceptTOS,
 				HostPolicy: autocert.HostWhitelist(cfg.TLSDomain),
 			}
-			server.self = &http.Server{
-				Addr:      cfg.TLSListenAddr,
-				Handler:   api.NewRouter(cfg),
-				ErrorLog:  logger.Error,
-				TLSConfig: m.TLSConfig(),
-			}
+			server.self.TLSConfig = m.TLSConfig()
 			server.certFile = ""
 			server.keyFile = ""
 		}
-		server.tls = true
 	}
 	return server
 }