Make TLS configurable

cmd/start.go

@@ -30,6 +30,7 @@ import (
 func newStartCommand() *cobra.Command {
 	const defaultKeyPath = "~/.ssh/id_ed25519"
 
+	var disableTLS bool
 	conf := server.DefaultConfig()
 
 	cmd := &cobra.Command{
@@ -39,6 +40,7 @@ func newStartCommand() *cobra.Command {
 		// Args:  cobra.NoArgs(),
 
 		Run: func(cmd *cobra.Command, args []string) {
+			conf.EnableTLS = !disableTLS
 
 			if conf.PrivateKeyPath == defaultKeyPath {
 				usr, _ := user.Current()
@@ -61,7 +63,7 @@ func newStartCommand() *cobra.Command {
 
 	hostname, _ := os.Hostname()
 	cmd.Flags().StringVar(&conf.NodeID, "node-id", hostname, "Unique name for node. If not set, fallback to hostname")
-	cmd.Flags().StringVar(&conf.TLSAddr, "https-addr", ":443", "Endpoint for REST requests on (host:port)")
+	cmd.Flags().StringVar(&conf.HTTPAddr, "http-addr", ":8080", "Endpoint for REST requests on (host:port)")
 	cmd.Flags().StringVar(&conf.RaftAddr, "raft-addr", ":9000", "Raft bind address (host:port)")
 	cmd.Flags().StringVar(&conf.MgmtAddr, "mgmt-addr", ":8090", "Management endpoint bind address (host:port)")
 	cmd.Flags().StringSliceVar(&conf.RaftJoinAddr, "join-addr", []string{}, "Raft: Comma-delimited list of nodes ([host]:port), through which a cluster can be joined")
@@ -71,6 +73,7 @@ func newStartCommand() *cobra.Command {
 	cmd.Flags().StringVar(&conf.RaftPath, "raftpath", "/var/tmp/qed/raft", "Set raft storage path")
 	cmd.Flags().StringVarP(&conf.PrivateKeyPath, "keypath", "y", defaultKeyPath, "Path to the ed25519 key file")
 	cmd.Flags().BoolVarP(&conf.EnableProfiling, "profiling", "f", false, "Allow a pprof url (localhost:6060) for profiling purposes")
+	cmd.Flags().BoolVar(&disableTLS, "insecure", "", false, "Disable TLS service")
 
 	// INFO: testing purposes
 	cmd.Flags().BoolVar(&conf.EnableTampering, "tampering", false, "Allow tampering api for proof demostrations")

server/config.go

@@ -30,7 +30,7 @@ type Config struct {
 	NodeID string
 
 	// TLS server bind address/port.
-	TLSAddr string
+	HTTPAddr string
 
 	// Raft communication bind address/port.
 	RaftAddr string
@@ -64,6 +64,9 @@ type Config struct {
 	// Enables tampering endpoint.
 	EnableTampering bool
 
+	// Enable TLS service
+	EnableTLS bool
+
 	// TLS server cerificate
 	SSLCertificate string
 
@@ -80,7 +83,7 @@ func DefaultConfig() *Config {
 
 	return &Config{
 		NodeID:            hostname,
-		TLSAddr:           "127.0.0.1:443",
+		HTTPAddr:          "127.0.0.1:8080",
 		RaftAddr:          "127.0.0.1:9000",
 		MgmtAddr:          "127.0.0.1:8090",
 		RaftJoinAddr:      []string{},
@@ -90,6 +93,7 @@ func DefaultConfig() *Config {
 		RaftPath:          currentDir + "/raft",
 		EnableProfiling:   false,
 		EnableTampering:   false,
+		EnableTLS:         true,
 		SSLCertificate:    fmt.Sprintf("%s/.ssh/server.crt", homeDir),
 		SSLCertificateKey: fmt.Sprintf("%s/.ssh/server.key", homeDir),
 	}

server/server.go

@@ -123,7 +123,11 @@ func NewServer(conf *Config) (*Server, error) {
 
 	// Create http endpoints
 	httpMux := apihttp.NewApiHttp(server.raftBalloon)
-	server.httpServer = newTLSServer(conf, httpMux)
+	if conf.EnableTLS {
+		server.httpServer = newTLSServer(conf.HTTPAddr, httpMux)
+	} else {
+		server.httpServer = newHTTPServer(conf.HTTPAddr, httpMux)
+	}
 
 	// Create management endpoints
 	mgmtMux := mgmthttp.NewMgmtHttp(server.raftBalloon)
@@ -184,16 +188,26 @@ func (s *Server) Start() error {
 		}()
 	}
 
-	go func() {
-		log.Debug("	* Starting QED API HTTP server in addr: ", s.conf.TLSAddr)
-		err := s.httpServer.ListenAndServeTLS(
-			s.conf.SSLCertificate,
-			s.conf.SSLCertificateKey,
-		)
-		if err != http.ErrServerClosed {
-			log.Errorf("Can't start QED API HTTP Server: %s", err)
-		}
-	}()
+	if s.conf.EnableTLS {
+		go func() {
+			log.Debug("	* Starting QED API HTTPS server in addr: ", s.conf.HTTPAddr)
+			err := s.httpServer.ListenAndServeTLS(
+				s.conf.SSLCertificate,
+				s.conf.SSLCertificateKey,
+			)
+			if err != http.ErrServerClosed {
+				log.Errorf("Can't start QED API HTTP Server: %s", err)
+			}
+		}()
+	} else {
+		go func() {
+			log.Debug("	* Starting QED API HTTP server in addr: ", s.conf.HTTPAddr)
+			if err := s.httpServer.ListenAndServe(); err != http.ErrServerClosed {
+				log.Errorf("Can't start QED API HTTP Server: %s", err)
+			}
+		}()
+
+	}
 
 	go func() {
 		log.Debug("	* Starting QED MGMT HTTP server in addr: ", s.conf.MgmtAddr)
@@ -202,7 +216,7 @@ func (s *Server) Start() error {
 		}
 	}()
 
-	log.Debugf(" ready on %s and %s\n", s.conf.TLSAddr, s.conf.MgmtAddr)
+	log.Debugf(" ready on %s and %s\n", s.conf.HTTPAddr, s.conf.MgmtAddr)
 
 	if !s.bootstrap {
 		for _, addr := range s.conf.RaftJoinAddr {
@@ -279,7 +293,7 @@ func (s *Server) Stop() error {
 	return nil
 }
 
-func newTLSServer(conf *Config, mux *http.ServeMux) *http.Server {
+func newTLSServer(addr string, mux *http.ServeMux) *http.Server {
 
 	cfg := &tls.Config{
 		MinVersion: tls.VersionTLS12,
@@ -298,7 +312,7 @@ func newTLSServer(conf *Config, mux *http.ServeMux) *http.Server {
 	}
 
 	return &http.Server{
-		Addr:         conf.TLSAddr,
+		Addr:         addr,
 		Handler:      apihttp.STSHandler(apihttp.LogHandler(mux)),
 		TLSConfig:    cfg,
 		TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler), 0),