Skip to content

N
nexpie-grafana-theme
Commit 4fcd5eab by Roman Vynar Committed by Carl Bergquist
Options

Add advanced TLS settings to harden setup. (#7347) 

* Hardcoded the most secured TLS options.
parent 902cf5f8
Showing with 27 additions and 1 deletions
pkg/api/http_server.go
...@@ -2,6 +2,7 @@ package api ...@@ -2,6 +2,7 @@ package api
import ( import (
"context" "context"
"crypto/tls"
"errors" "errors"
"fmt" "fmt"
"net/http" "net/http"
...@@ -75,7 +76,32 @@ func (hs *HttpServer) listenAndServeTLS(listenAddr, certfile, keyfile string) er ...@@ -75,7 +76,32 @@ func (hs *HttpServer) listenAndServeTLS(listenAddr, certfile, keyfile string) er
return fmt.Errorf(`Cannot find SSL key_file at %v`, setting.KeyFile) return fmt.Errorf(`Cannot find SSL key_file at %v`, setting.KeyFile)
} }
return http.ListenAndServeTLS(listenAddr, setting.CertFile, setting.KeyFile, hs.macaron) tlsCfg := &tls.Config{
MinVersion: tls.VersionTLS12,
PreferServerCipherSuites: true,
CipherSuites: []uint16{
tls.TLS_RSA_WITH_AES_128_CBC_SHA,
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
},
}
srv := &http.Server{
Addr: listenAddr,
Handler: hs.macaron,
TLSConfig: tlsCfg,
TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler), 0),
}
return srv.ListenAndServeTLS(setting.CertFile, setting.KeyFile)
} }
func (hs *HttpServer) newMacaron() *macaron.Macaron { func (hs *HttpServer) newMacaron() *macaron.Macaron {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment