https

package
v0.1.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 6, 2020 License: Apache-2.0 Imports: 10 Imported by: 0

README

HTTPS Package for Prometheus

The https directory contains a Go package and a sample configuration file for running node_exporter with HTTPS instead of HTTP. We currently support TLS 1.3 and TLS 1.2.

To run a server with TLS, use the flag --web.config.

e.g. ./node_exporter --web.config="web-config.yml" If the config is kept within the https directory.

The config file should be written in YAML format, and is reloaded on each connection to check for new certificates and/or authentication policy.

Sample Config

tls_config:
  # Certificate and key files for server to use to authenticate to client
  cert_file: <filename>
  key_file: <filename>

  # Server policy for client authentication. Maps to ClientAuth Policies
  # For more detail on clientAuth options: [ClientAuthType](https://golang.org/pkg/crypto/tls/#ClientAuthType)
  [ client_auth_type: <string> | default = "NoClientCert" ]

  # CA certificate for client certificate authentication to the server
  [ client_ca_file: <filename> ]

# List of usernames and hashed passwords that have full access to the web
# server via basic authentication. If empty, no basic authentication is
# required. Passwords are hashed with bcrypt.
basic_auth_users:
  [ <username>: <password> ... ]

About bcrypt

There are several tools out there to generate bcrypt passwords, e.g. htpasswd:

htpasswd -nBC 10 "" | tr -d ':\n

That command will prompt you for a password and output the hashed password, which will look something like: $2y$10$X0h1gDsPszWURQaxFh.zoubFi6DXncSjhoQNJgRrnGs7EsimhC7zG

The cost (10 in the example) influences the time it takes for computing the hash. A higher cost will en up slowing down the authentication process. Depending on the machine, a cost of 10 will take about ~70ms where a cost of 18 can take up to a few seconds. That hash will be computed on every password-protected request.

Documentation

Overview

Package https allows the implementation of TLS.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ConfigToTLSConfig

func ConfigToTLSConfig(c *TLSStruct) (*tls.Config, error)

ConfigToTLSConfig generates the golang tls.Config from the TLSStruct config.

func Listen

func Listen(server *http.Server, tlsConfigPath string, logger log.Logger) error

Listen starts the server on the given address. If tlsConfigPath isn't empty the server connection will be started using TLS.

Types

type Config

type Config struct {
	TLSConfig TLSStruct                     `yaml:"tls_config"`
	Users     map[string]config_util.Secret `yaml:"basic_auth_users"`
}

type TLSStruct

type TLSStruct struct {
	TLSCertPath string `yaml:"cert_file"`
	TLSKeyPath  string `yaml:"key_file"`
	ClientAuth  string `yaml:"client_auth_type"`
	ClientCAs   string `yaml:"client_ca_file"`
}

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL