allow console to listen on ipv6 (#781)
also converge tls-host and host, because hostnames have nothing to do with HTTP or HTTPs they are the same for both HTTP and HTTPs. Deprecating the older flag `--tls-host` but it will still be honored as hidden flag.
This commit is contained in:
Harshavardhana
GitHub
@@ -23,6 +23,7 @@ import (
|
||||
"log"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strconv"
|
||||
"time"
|
||||
|
||||
"github.com/go-openapi/loads"
|
||||
@@ -38,32 +39,37 @@ var serverCmd = cli.Command{
|
||||
Name: "server",
|
||||
Aliases: []string{"srv"},
|
||||
Usage: "starts Console server",
|
||||
Action: startServer,
|
||||
Action: StartServer,
|
||||
Flags: []cli.Flag{
|
||||
cli.StringFlag{
|
||||
Name: "host",
|
||||
Value: restapi.GetHostname(),
|
||||
Usage: "HTTP server hostname",
|
||||
Usage: "hostname",
|
||||
},
|
||||
cli.IntFlag{
|
||||
Name: "port",
|
||||
Value: restapi.GetPort(),
|
||||
Usage: "HTTP Server port",
|
||||
Usage: "HTTP port",
|
||||
},
|
||||
// This is kept here for backward compatibility,
|
||||
// hostname's do not have HTTP or HTTPs
|
||||
// hostnames are opaque so using --host
|
||||
// works for both HTTP and HTTPS setup.
|
||||
cli.StringFlag{
|
||||
Name: "tls-host",
|
||||
Value: restapi.GetTLSHostname(),
|
||||
Usage: "HTTPS server hostname",
|
||||
Name: "tls-host",
|
||||
Value: restapi.GetHostname(),
|
||||
Usage: "HTTPS hostname",
|
||||
Hidden: true,
|
||||
},
|
||||
cli.IntFlag{
|
||||
Name: "tls-port",
|
||||
Value: restapi.GetTLSPort(),
|
||||
Usage: "HTTPS server port",
|
||||
Usage: "HTTPS port",
|
||||
},
|
||||
cli.StringFlag{
|
||||
Name: "tls-redirect",
|
||||
Value: restapi.GetTLSRedirect(),
|
||||
Usage: "HTTPS redirect by default",
|
||||
Usage: "toggle HTTP->HTTPS redirect",
|
||||
},
|
||||
cli.StringFlag{
|
||||
Name: "certs-dir",
|
||||
@@ -73,23 +79,23 @@ var serverCmd = cli.Command{
|
||||
cli.StringFlag{
|
||||
Name: "tls-certificate",
|
||||
Value: "",
|
||||
Usage: "path tls certificate",
|
||||
Usage: "path to TLS public certificate",
|
||||
},
|
||||
cli.StringFlag{
|
||||
Name: "tls-key",
|
||||
Value: "",
|
||||
Usage: "path tls key",
|
||||
Usage: "path to TLS private key",
|
||||
},
|
||||
cli.StringFlag{
|
||||
Name: "tls-ca",
|
||||
Value: "",
|
||||
Usage: "path tls ca",
|
||||
Usage: "path to TLS Certificate Authority",
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
// starts the controller
|
||||
func startServer(ctx *cli.Context) error {
|
||||
// StartServer starts the console service
|
||||
func StartServer(ctx *cli.Context) error {
|
||||
swaggerSpec, err := loads.Embedded(restapi.SwaggerJSON, restapi.FlatSwaggerJSON)
|
||||
if err != nil {
|
||||
log.Fatalln(err)
|
||||
@@ -126,7 +132,7 @@ func startServer(ctx *cli.Context) error {
|
||||
server.Port = ctx.Int("port")
|
||||
|
||||
restapi.Hostname = ctx.String("host")
|
||||
restapi.Port = fmt.Sprintf("%v", ctx.Int("port"))
|
||||
restapi.Port = strconv.Itoa(ctx.Int("port"))
|
||||
|
||||
// Set all certs and CAs directories path
|
||||
certs.GlobalCertsDir, _ = certs.NewConfigDirFromCtx(ctx, "certs-dir", certs.DefaultCertsDir.Get)
|
||||
@@ -139,26 +145,28 @@ func startServer(ctx *cli.Context) error {
|
||||
// load the certificates and the CAs
|
||||
restapi.GlobalRootCAs, restapi.GlobalPublicCerts, restapi.GlobalTLSCertsManager = certs.GetAllCertificatesAndCAs()
|
||||
|
||||
// TLS flags from swagger server, used to support older versions of minio-operator
|
||||
swaggerServerCertificate := ctx.String("tls-certificate")
|
||||
swaggerServerCertificateKey := ctx.String("tls-key")
|
||||
SwaggerServerCACertificate := ctx.String("tls-ca")
|
||||
// load tls cert and key from swagger server tls-certificate and tls-key flags
|
||||
if swaggerServerCertificate != "" && swaggerServerCertificateKey != "" {
|
||||
if errAddCert := certs.AddCertificate(context.Background(), restapi.GlobalTLSCertsManager, swaggerServerCertificate, swaggerServerCertificateKey); errAddCert != nil {
|
||||
log.Println(errAddCert)
|
||||
}
|
||||
if x509Certs, errParseCert := certs.ParsePublicCertFile(swaggerServerCertificate); errParseCert == nil {
|
||||
if len(x509Certs) > 0 {
|
||||
restapi.GlobalPublicCerts = append(restapi.GlobalPublicCerts, x509Certs[0])
|
||||
{
|
||||
// TLS flags from swagger server, used to support VMware vsphere operator version.
|
||||
swaggerServerCertificate := ctx.String("tls-certificate")
|
||||
swaggerServerCertificateKey := ctx.String("tls-key")
|
||||
SwaggerServerCACertificate := ctx.String("tls-ca")
|
||||
// load tls cert and key from swagger server tls-certificate and tls-key flags
|
||||
if swaggerServerCertificate != "" && swaggerServerCertificateKey != "" {
|
||||
if errAddCert := certs.AddCertificate(context.Background(),
|
||||
restapi.GlobalTLSCertsManager, swaggerServerCertificate, swaggerServerCertificateKey); errAddCert != nil {
|
||||
log.Println(errAddCert)
|
||||
}
|
||||
if x509Certs, errParseCert := certs.ParsePublicCertFile(swaggerServerCertificate); errParseCert == nil {
|
||||
restapi.GlobalPublicCerts = append(restapi.GlobalPublicCerts, x509Certs...)
|
||||
}
|
||||
}
|
||||
}
|
||||
// load ca cert from swagger server tls-ca flag
|
||||
if SwaggerServerCACertificate != "" {
|
||||
caCert, caCertErr := ioutil.ReadFile(SwaggerServerCACertificate)
|
||||
if caCertErr == nil {
|
||||
restapi.GlobalRootCAs.AppendCertsFromPEM(caCert)
|
||||
|
||||
// load ca cert from swagger server tls-ca flag
|
||||
if SwaggerServerCACertificate != "" {
|
||||
caCert, caCertErr := ioutil.ReadFile(SwaggerServerCACertificate)
|
||||
if caCertErr == nil {
|
||||
restapi.GlobalRootCAs.AppendCertsFromPEM(caCert)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -170,7 +178,7 @@ func startServer(ctx *cli.Context) error {
|
||||
server.TLSHost = ctx.String("tls-host")
|
||||
// Need to store tls-port, tls-host un config variables so secure.middleware can read from there
|
||||
restapi.TLSPort = fmt.Sprintf("%v", ctx.Int("tls-port"))
|
||||
restapi.TLSHostname = ctx.String("tls-host")
|
||||
restapi.Hostname = ctx.String("host")
|
||||
restapi.TLSRedirect = ctx.String("tls-redirect")
|
||||
}
|
||||
|
||||
|
||||
@@ -18,8 +18,8 @@ package restapi
|
||||
|
||||
import (
|
||||
"crypto/x509"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"net"
|
||||
"strconv"
|
||||
"strings"
|
||||
"sync"
|
||||
@@ -34,10 +34,10 @@ var (
|
||||
Port = "9090"
|
||||
|
||||
// Hostname console hostname
|
||||
Hostname = "0.0.0.0"
|
||||
|
||||
// TLSHostname console tls hostname
|
||||
TLSHostname = "0.0.0.0"
|
||||
// avoid listening on 0.0.0.0 by default
|
||||
// instead listen on all IPv4 and IPv6
|
||||
// - Hostname should be empty.
|
||||
Hostname = ""
|
||||
|
||||
// TLSPort console tls port
|
||||
TLSPort = "9443"
|
||||
@@ -116,7 +116,7 @@ func GetPort() int {
|
||||
// GetTLSHostname gets console tls hostname set on env variable
|
||||
// or default one
|
||||
func GetTLSHostname() string {
|
||||
return strings.ToLower(env.Get(ConsoleTLSHostname, TLSHostname))
|
||||
return strings.ToLower(env.Get(ConsoleTLSHostname, Hostname))
|
||||
}
|
||||
|
||||
// GetTLSPort gets console tls port set on env variable
|
||||
@@ -186,7 +186,7 @@ func getSecureHostsProxyHeaders() []string {
|
||||
|
||||
// TLSHost is the host name that is used to redirect HTTP requests to HTTPS. Default is "", which indicates to use the same host.
|
||||
func getSecureTLSHost() string {
|
||||
return env.Get(ConsoleSecureTLSHost, fmt.Sprintf("%s:%s", TLSHostname, TLSPort))
|
||||
return env.Get(ConsoleSecureTLSHost, net.JoinHostPort(Hostname, TLSPort))
|
||||
}
|
||||
|
||||
// STSSeconds is the max-age of the Strict-Transport-Security header. Default is 0, which would NOT include the header.
|
||||
|
||||
Reference in New Issue
Block a user