
Commit 6d6be08

pebanbPetarBanov
authored andcommitted
Introducing configurable setting for tls 1.3. as min version
1 parent 70ed078 commit 6d6be08

5 files changed

Lines changed: 35 additions & 15 deletions


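--- a/internal/cmd/run.go
+++ b/internal/cmd/run.go
@@ -29,6 +29,7 @@ func newRunCommand() *runCommand {
 runCommand.cmd.Flags().IntVar(&globalConfig.HttpsPort, "https-port", getEnvInt("HTTPS_PORT", server.DefaultHttpsPort), "Port to serve HTTPS traffic on")
 runCommand.cmd.Flags().IntVar(&globalConfig.MetricsPort, "metrics-port", getEnvInt("METRICS_PORT", 0), "Publish metrics on the specified port (default zero to disable)")
 runCommand.cmd.Flags().BoolVar(&globalConfig.HTTP3Enabled, "http3", false, "Enable HTTP/3")
+runCommand.cmd.Flags().BoolVar(&globalConfig.MinTLS13, "min-tls13", getEnvBool("MIN_TLS13", false), "Set TLS 1.3 as the minimum TLS version on the HTTPS server")
 
 return runCommand
 }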

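--- a/internal/server/config.go
+++ b/internal/server/config.go
@@ -18,6 +18,7 @@ type Config struct {
 HttpsPort int
 MetricsPort int
 HTTP3Enabled bool
+MinTLS13 bool
 
 AlternateConfigDir string
 }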
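Review bot: The new MinTLS13 field is the only knob that changes the TLS floor of the HTTPS listener, and it lands in Config without a comment saying what the unset case means. Since the zero value leaves the server on crypto/tls's own default minimum (which has varied across Go releases), a reader of this struct cannot tell whether false means "TLS 1.2" or "whatever the toolchain allows". I would add `// MinTLS13 raises the HTTPS listener's minimum TLS version to 1.3. When false the crypto/tls default minimum applies.` above the field so the contract is stated where the option is declared.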

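--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -150,6 +150,14 @@ func (s *Server) startHTTPServers() error {
 return err
 }
 s.httpsListener = httpsListener
+tlsConfig := &tls.Config{
+NextProtos: []string{"h2", "http/1.1", acme.ALPNProto},
+GetCertificate: s.router.GetCertificate,
+}
+if s.config.MinTLS13 {
+tlsConfig.MinVersion = tls.VersionTLS13
+}
+
 s.httpsServer = &http.Server{
 Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 if s.config.HTTP3Enabled {
@@ -158,10 +166,7 @@ func (s *Server) startHTTPServers() error {
 
 handler.ServeHTTP(w, r)
 }),
-TLSConfig: &tls.Config{
-NextProtos: []string{"h2", "http/1.1", acme.ALPNProto},
-GetCertificate: s.router.GetCertificate,
-},
+TLSConfig: tlsConfig,
 }
 
 go s.httpServer.Serve(s.httpListener)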
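Review bot: When MinTLS13 is false the new tlsConfig leaves MinVersion at zero, so the HTTPS floor is whatever the compiled Go toolchain's crypto/tls default happens to be (TLS 1.0 on older releases, TLS 1.2 on recent ones, and adjustable via GODEBUG) rather than a value this server chooses. Because this commit is the first place the listener's TLS config is built as a variable, it is the natural spot to pin an explicit baseline and let the flag only raise it: `tlsConfig := &tls.Config{MinVersion: tls.VersionTLS12, NextProtos: ..., GetCertificate: ...}` followed by the existing `if s.config.MinTLS13 { tlsConfig.MinVersion = tls.VersionTLS13 }`. That keeps the flag's semantics as committed while making the default independent of the build environment. startHTTPServers continues outside this hunk, so if the HTTP/3 server is given its own tls.Config there it is not affected by this change; QUIC is TLS 1.3-only regardless, so that path is presumably fine but worth a glance.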

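--- a/internal/server/server_test.go
+++ b/internal/server/server_test.go
@@ -14,7 +14,7 @@ import (
 
 func TestServer_Deploying(t *testing.T) {
 target := testTarget(t, func(w http.ResponseWriter, r *http.Request) {})
-server := testServer(t, true)
+server := testServer(t, false, false)
 
 testDeployTarget(t, target, server, defaultServiceOptions)
 
@@ -24,9 +24,9 @@ func TestServer_Deploying(t *testing.T) {
 }
 
 func TestServer_DeployingHTTPS(t *testing.T) {
-startDeployment := func(http3Enabled bool) *Server {
+startDeployment := func(http3Enabled bool, minTLS13 bool) *Server {
 target := testTarget(t, func(w http.ResponseWriter, r *http.Request) {})
-server := testServer(t, http3Enabled)
+server := testServer(t, http3Enabled, minTLS13)
 
 certPath, keyPath := prepareTestCertificateFiles(t)
 serviceOptions := defaultServiceOptions
@@ -40,7 +40,7 @@ func TestServer_DeployingHTTPS(t *testing.T) {
 }
 
 t.Run("with HTTP/3 enabled", func(t *testing.T) {
-server := startDeployment(true)
+server := startDeployment(true, false)
 
 t.Run("http/1.1", func(t *testing.T) {
 resp, err := testRequestUsingHTTP11(t, server)
@@ -72,8 +72,20 @@ func TestServer_DeployingHTTPS(t *testing.T) {
 })
 })
 
+t.Run("with min TLS 1.3", func(t *testing.T) {
+server := startDeployment(false, true)
+
+t.Run("http/1.1", func(t *testing.T) {
+resp, err := testRequestUsingHTTP11(t, server)
+require.NoError(t, err)
+assert.Equal(t, http.StatusOK, resp.StatusCode)
+assert.Equal(t, "HTTP/1.1", resp.Proto)
+assert.Equal(t, uint16(tls.VersionTLS13), resp.TLS.Version)
+})
+})
+
 t.Run("with HTTP/3 disabled", func(t *testing.T) {
-server := startDeployment(false)
+server := startDeployment(false, false)
 
 t.Run("http/1.1", func(t *testing.T) {
 resp, err := testRequestUsingHTTP11(t, server)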
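Review bot: The new "with min TLS 1.3" subtest only asserts that a default Go client ends up on TLS 1.3, which it would also do against a server started with minTLS13 false, so the test does not show the minimum is actually enforced. The meaningful check is the negative one: a client capped at TLS 1.2 must fail the handshake against this server, e.g. a transport using `&tls.Config{MaxVersion: tls.VersionTLS12}` (plus whatever trust settings testRequestUsingHTTP11 already uses, which are not visible in this hunk) followed by `require.Error(t, err)`. Without it, a regression that drops the MinVersion assignment would leave this test green. TestServer_DeployingHTTPS continues past the end of this hunk.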

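--- a/internal/server/testing.go
+++ b/internal/server/testing.go
@@ -11,11 +11,11 @@ import (
 )
 
 var (
-defaultHealthCheckConfig = HealthCheckConfig{Path: DefaultHealthCheckPath, Port: DefaultHealthCheckPort, Interval: DefaultHealthCheckInterval, Timeout: time.Second * 5}
-defaultEmptyReaders = []string{}
-defaultServiceOptions = ServiceOptions{TLSRedirect: true}
-defaultTargetOptions = TargetOptions{HealthCheckConfig: defaultHealthCheckConfig, ResponseTimeout: DefaultTargetTimeout}
-defaultDeploymentOptions = DeploymentOptions{DeployTimeout: DefaultDeployTimeout, DrainTimeout: DefaultDrainTimeout, Force: false}
+defaultHealthCheckConfig = HealthCheckConfig{Path: DefaultHealthCheckPath, Port: DefaultHealthCheckPort, Interval: DefaultHealthCheckInterval, Timeout: time.Second * 5}
+defaultEmptyReaders = []string{}
+defaultServiceOptions = ServiceOptions{TLSRedirect: true}
+defaultTargetOptions = TargetOptions{HealthCheckConfig: defaultHealthCheckConfig, ResponseTimeout: DefaultTargetTimeout}
+defaultDeploymentOptions = DeploymentOptions{DeployTimeout: DefaultDeployTimeout, DrainTimeout: DefaultDrainTimeout, Force: false}
 )
 
 func testTarget(t testing.TB, handler http.HandlerFunc) *Target {
@@ -69,7 +69,7 @@ func testBackendWithHandler(t testing.TB, handler http.HandlerFunc) (*httptest.S
 return server, serverURL.Host
 }
 
-func testServer(t testing.TB, http3Enabled bool) *Server {
+func testServer(t testing.TB, http3Enabled bool, minTLS13 bool) *Server {
 t.Helper()
 
 config := &Config{
@@ -78,6 +78,7 @@ func testServer(t testing.TB, http3Enabled bool) *Server {
 HttpsPort: 0,
 AlternateConfigDir: t.TempDir(),
 HTTP3Enabled: http3Enabled,
+MinTLS13: minTLS13,
 }
 router := NewRouter(config.StatePath())
 server := NewServer(config, router)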
