Server TLS setup

BBVA · Jan 10, 2019 · 3c07dd8 · 3c07dd8
1 parent 4cc00cb
commit 3c07dd8
Show file tree

Hide file tree

Showing 5 changed files with 89 additions and 42 deletions.
diff --git a/api/apihttp/apihttp.go b/api/apihttp/apihttp.go
@@ -344,3 +344,13 @@ func LogHandler(handle http.Handler) http.HandlerFunc {
 		}
 	}
 }
+
+// STSHandler adds TLS Header to the handlers
+func STSHandler(handle http.Handler) http.HandlerFunc {
+	return func(w http.ResponseWriter, request *http.Request) {
+		w.Header().Add(
+			"Strict-Transport-Security",
+			"max-age=63072000; includeSubDomains",
+		)
+	}
+}
diff --git a/cmd/start.go b/cmd/start.go
@@ -61,7 +61,7 @@ func newStartCommand() *cobra.Command {
 
 	hostname, _ := os.Hostname()
 	cmd.Flags().StringVar(&conf.NodeID, "node-id", hostname, "Unique name for node. If not set, fallback to hostname")
-	cmd.Flags().StringVar(&conf.HttpAddr, "http-addr", ":8080", "Endpoint for REST requests on (host:port)")
+	cmd.Flags().StringVar(&conf.TLSAddr, "https-addr", ":443", "Endpoint for REST requests on (host:port)")
 	cmd.Flags().StringVar(&conf.RaftAddr, "raft-addr", ":9000", "Raft bind address (host:port)")
 	cmd.Flags().StringVar(&conf.MgmtAddr, "mgmt-addr", ":8090", "Management endpoint bind address (host:port)")
 	cmd.Flags().StringSliceVar(&conf.RaftJoinAddr, "join-addr", []string{}, "Raft: Comma-delimited list of nodes ([host]:port), through which a cluster can be joined")

diff --git a/docs/development.md b/docs/development.md
@@ -3,6 +3,19 @@
 We use the [Go](https://golang.org) programming language and set up the
 environment as described in its [documentation](https://golang.org/doc/code.html)
 
+## Self-signed certificate
+
+```
+cd ~/.ssh/
+
+# Generate private key (.key)
+openssl genrsa -out server.key 2048
+
+
+# Generation of self-signed(x509) public key (PEM-encodings .pem|.crt) based on the private (.key)
+openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650
+```
+
 ## Useful commands
 
 - Go [documentation server](http://localhost:6061/pkg/github.com/bbva/qed/)

diff --git a/server/config.go b/server/config.go
@@ -17,8 +17,10 @@
 package server
 
 import (
+	"fmt"
 	"net"
 	"os"
+	"os/user"
 	"path/filepath"
 )
 
@@ -27,8 +29,8 @@ type Config struct {
 	// gossip clusters. If not set, fallback to hostname.
 	NodeID string
 
-	// HTTP server bind address/port.
-	HttpAddr string
+	// TLS server bind address/port.
+	TLSAddr string
 
 	// Raft communication bind address/port.
 	RaftAddr string
@@ -61,23 +63,35 @@ type Config struct {
 
 	// Enables tampering endpoint.
 	EnableTampering bool
+
+	// TLS server cerificate
+	SSLCertificate string
+
+	// TLS server cerificate key
+	SSLCertificateKey string
 }
 
 func DefaultConfig() *Config {
 	hostname, _ := os.Hostname()
 	currentDir := getCurrentDir()
+
+	usr, _ := user.Current()
+	homeDir := usr.HomeDir
+
 	return &Config{
-		NodeID:          hostname,
-		HttpAddr:        "127.0.0.1:8080",
-		RaftAddr:        "127.0.0.1:9000",
-		MgmtAddr:        "127.0.0.1:8090",
-		RaftJoinAddr:    []string{},
-		GossipAddr:      "127.0.0.1:9100",
-		GossipJoinAddr:  []string{},
-		DBPath:          currentDir + "/data",
-		RaftPath:        currentDir + "/raft",
-		EnableProfiling: false,
-		EnableTampering: false,
+		NodeID:            hostname,
+		TLSAddr:           "127.0.0.1:443",
+		RaftAddr:          "127.0.0.1:9000",
+		MgmtAddr:          "127.0.0.1:8090",
+		RaftJoinAddr:      []string{},
+		GossipAddr:        "127.0.0.1:9100",
+		GossipJoinAddr:    []string{},
+		DBPath:            currentDir + "/data",
+		RaftPath:          currentDir + "/raft",
+		EnableProfiling:   false,
+		EnableTampering:   false,
+		SSLCertificate:    fmt.Sprintf("%s/.ssh/server.crt", homeDir),
+		SSLCertificateKey: fmt.Sprintf("%s/.ssh/server.key", homeDir),
 	}
 }
 

diff --git a/server/server.go b/server/server.go
@@ -21,6 +21,7 @@ package server
 import (
 	"bytes"
 	"context"
+	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -40,7 +41,6 @@ import (
 	"github.com/bbva/qed/protocol"
 	"github.com/bbva/qed/raftwal"
 	"github.com/bbva/qed/sign"
-	"github.com/bbva/qed/storage"
 	"github.com/bbva/qed/storage/badger"
 	"github.com/bbva/qed/util"
 )
@@ -122,16 +122,19 @@ func NewServer(conf *Config) (*Server, error) {
 	}
 
 	// Create http endpoints
-	server.httpServer = newHTTPServer(conf.HttpAddr, server.raftBalloon)
+	httpMux := apihttp.NewApiHttp(server.raftBalloon)
+	server.httpServer = newTLSServer(conf, httpMux)
 
 	// Create management endpoints
-	server.mgmtServer = newMgmtServer(conf.MgmtAddr, server.raftBalloon)
+	mgmtMux := mgmthttp.NewMgmtHttp(server.raftBalloon)
+	server.mgmtServer = newHTTPServer(conf.MgmtAddr, mgmtMux)
 
 	if conf.EnableTampering {
-		server.tamperingServer = newTamperingServer("localhost:8081", store, hashing.NewSha256Hasher())
+		tamperMux := tampering.NewTamperingApi(store, hashing.NewSha256Hasher())
+		server.tamperingServer = newHTTPServer("localhost:8081", tamperMux)
 	}
 	if conf.EnableProfiling {
-		server.profilingServer = newProfilingServer("localhost:6060")
+		server.profilingServer = newHTTPServer("localhost:6060", nil)
 	}
 
 	return server, nil
@@ -182,8 +185,12 @@ func (s *Server) Start() error {
 	}
 
 	go func() {
-		log.Debug("	* Starting QED API HTTP server in addr: ", s.conf.HttpAddr)
-		if err := s.httpServer.ListenAndServe(); err != http.ErrServerClosed {
+		log.Debug("	* Starting QED API HTTP server in addr: ", s.conf.TLSAddr)
+		err := s.httpServer.ListenAndServeTLS(
+			s.conf.SSLCertificate,
+			s.conf.SSLCertificateKey,
+		)
+		if err != http.ErrServerClosed {
 			log.Errorf("Can't start QED API HTTP Server: %s", err)
 		}
 	}()
@@ -195,7 +202,7 @@ func (s *Server) Start() error {
 		}
 	}()
 
-	log.Debugf(" ready on %s and %s\n", s.conf.HttpAddr, s.conf.MgmtAddr)
+	log.Debugf(" ready on %s and %s\n", s.conf.TLSAddr, s.conf.MgmtAddr)
 
 	if !s.bootstrap {
 		for _, addr := range s.conf.RaftJoinAddr {
@@ -272,33 +279,36 @@ func (s *Server) Stop() error {
 	return nil
 }
 
-func newHTTPServer(endpoint string, raftBalloon raftwal.RaftBalloonApi) *http.Server {
-	router := apihttp.NewApiHttp(raftBalloon)
-	return &http.Server{
-		Addr:    endpoint,
-		Handler: apihttp.LogHandler(router),
+func newTLSServer(conf *Config, mux *http.ServeMux) *http.Server {
+
+	cfg := &tls.Config{
+		MinVersion: tls.VersionTLS12,
+		CurvePreferences: []tls.CurveID{
+			tls.CurveP521,
+			tls.CurveP384,
+			tls.CurveP256,
+		},
+		PreferServerCipherSuites: true,
+		CipherSuites: []uint16{
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+			tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+		},
 	}
-}
 
-func newMgmtServer(endpoint string, raftBalloon raftwal.RaftBalloonApi) *http.Server {
-	router := mgmthttp.NewMgmtHttp(raftBalloon)
 	return &http.Server{
-		Addr:    endpoint,
-		Handler: apihttp.LogHandler(router),
+		Addr:         conf.TLSAddr,
+		Handler:      apihttp.STSHandler(apihttp.LogHandler(mux)),
+		TLSConfig:    cfg,
+		TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler), 0),
 	}
-}
 
-func newProfilingServer(endpoint string) *http.Server {
-	return &http.Server{
-		Addr:    endpoint,
-		Handler: nil,
-	}
 }
 
-func newTamperingServer(endpoint string, store storage.DeletableStore, hasher hashing.Hasher) *http.Server {
-	router := tampering.NewTamperingApi(store, hasher)
+func newHTTPServer(addr string, mux *http.ServeMux) *http.Server {
 	return &http.Server{
-		Addr:    endpoint,
-		Handler: apihttp.LogHandler(router),
+		Addr:    addr,
+		Handler: apihttp.LogHandler(mux),
 	}
 }