(FFM-5129) HTTPS support (#117)

* (FFM-5129) Https support

* (FFM-5129) docker-compose https mode

* (FFM-5129) Update routes file for https

Author: conormurray95

cmd/ff-proxy/main.go

@@ -111,6 +111,9 @@ var (
 	generateOfflineConfig bool
 	configDir             string
 	port                  int
+	tlsEnabled            bool
+	tlsCert               string
+	tlsKey                string
 )
 
 const (
@@ -139,6 +142,9 @@ const (
 	configDirEnv             = "CONFIG_DIR"
 	pprofEnabledEnv          = "PPROF"
 	portEnv                  = "PORT"
+	tlsEnabledEnv            = "TLS_ENABLED"
+	tlsCertEnv               = "TLS_CERT"
+	tlsKeyEnv                = "TLS_KEY"
 
 	bypassAuthFlag            = "bypass-auth"
 	debugFlag                 = "debug"
@@ -165,6 +171,9 @@ const (
 	configDirFlag             = "config-dir"
 	flagPollIntervalFlag      = "flag-poll-interval"
 	portFlag                  = "port"
+	tlsEnabledFlag            = "tls-enabled"
+	tlsCertFlag               = "tls-cert"
+	tlsKeyFlag                = "tls-key"
 )
 
 func init() {
@@ -194,6 +203,10 @@ func init() {
 	flag.BoolVar(&generateOfflineConfig, generateOfflineConfigFlag, false, "if true the proxy will produce offline config in the /config directory then terminate")
 	flag.StringVar(&configDir, configDirFlag, "/config", "specify a custom path to search for the offline config directory. Defaults to /config")
 	flag.IntVar(&port, portFlag, 8000, "port the relay proxy service is exposed on, default's to 8000")
+	flag.BoolVar(&tlsEnabled, tlsEnabledFlag, false, "if true the proxy will use the tlsCert and tlsKey to run with https enabled")
+	flag.StringVar(&tlsCert, tlsCertFlag, "", "Path to tls cert file. Required if tls enabled is true.")
+	flag.StringVar(&tlsKey, tlsKeyFlag, "", "Path to tls key file. Required if tls enabled is true.")
+
 	sdkClients = newSDKClientMap()
 
 	loadFlagsFromEnv(map[string]string{
@@ -222,6 +235,9 @@ func init() {
 		configDirEnv:             configDirFlag,
 		flagPollIntervalEnv:      flagPollIntervalFlag,
 		portEnv:                  portFlag,
+		tlsEnabledEnv:            tlsEnabledFlag,
+		tlsCertEnv:               tlsCertFlag,
+		tlsKeyEnv:                tlsKeyFlag,
 	})
 
 	flag.Parse()
@@ -305,7 +321,7 @@ func main() {
 		cancel()
 	}()
 
-	logger.Info("service config", "pprof", pprofEnabled, "debug", debug, "bypass-auth", bypassAuth, "offline", offline, "port", port, "admin-service", adminService, "account-identifier", accountIdentifier, "org-identifier", orgIdentifier, "sdk-base-url", sdkBaseURL, "sdk-events-url", sdkEventsURL, "redis-addr", redisAddress, "redis-db", redisDB, "api-keys", fmt.Sprintf("%v", apiKeys), "target-poll-duration", fmt.Sprintf("%ds", targetPollDuration), "heartbeat-interval", fmt.Sprintf("%ds", heartbeatInterval), "flag-stream-enabled", flagStreamEnabled, "flag-poll-interval", fmt.Sprintf("%ds", flagPollInterval), "config-dir", configDir)
+	logger.Info("service config", "pprof", pprofEnabled, "debug", debug, "bypass-auth", bypassAuth, "offline", offline, "port", port, "admin-service", adminService, "account-identifier", accountIdentifier, "org-identifier", orgIdentifier, "sdk-base-url", sdkBaseURL, "sdk-events-url", sdkEventsURL, "redis-addr", redisAddress, "redis-db", redisDB, "api-keys", fmt.Sprintf("%v", apiKeys), "target-poll-duration", fmt.Sprintf("%ds", targetPollDuration), "heartbeat-interval", fmt.Sprintf("%ds", heartbeatInterval), "flag-stream-enabled", flagStreamEnabled, "flag-poll-interval", fmt.Sprintf("%dm", flagPollInterval), "config-dir", configDir, "tls-enabled", tlsEnabled, "tls-cert", tlsCert, "tls-key", tlsKey)
 
 	adminService, err := services.NewAdminService(logger, adminService, adminServiceToken)
 	if err != nil {
@@ -505,7 +521,7 @@ func main() {
 
 	// Configure endpoints and server
 	endpoints := transport.NewEndpoints(service)
-	server := transport.NewHTTPServer(port, endpoints, logger)
+	server := transport.NewHTTPServer(port, endpoints, logger, tlsEnabled, tlsCert, tlsKey)
 	server.Use(
 		middleware.NewEchoRequestIDMiddleware(),
 		middleware.NewEchoLoggingMiddleware(),
@@ -572,7 +588,12 @@ func main() {
 	go func() {
 		ticker := time.NewTicker(time.Duration(heartbeatInterval) * time.Second)
 		logger.Info(fmt.Sprintf("polling heartbeat every %d seconds", heartbeatInterval))
-		heartbeat(ctx, ticker.C, fmt.Sprintf("http://localhost:%d", port), logger)
+		protocol := "http"
+		if tlsEnabled {
+			protocol = "https"
+		}
+
+		heartbeat(ctx, ticker.C, fmt.Sprintf("%s://localhost:%d", protocol, port), logger)
 	}()
 
 	if err := server.Serve(); err != nil {
@@ -597,7 +618,11 @@ func heartbeat(ctx context.Context, tick <-chan time.Time, listenAddr string, lo
 			case <-tick:
 				resp, err := http.Get(fmt.Sprintf("%s/health", listenAddr))
 				if err != nil {
-					logger.Error(fmt.Sprintf("heartbeat request failed: %d", resp.StatusCode))
+					logger.Error(fmt.Sprintf("heartbeat request failed: %s", err))
+				}
+
+				if resp == nil {
+					continue
 				}
 
 				if resp.StatusCode == http.StatusOK {

docker-compose.yml

@@ -21,6 +21,9 @@ services:
       - TARGET_POLL_DURATION=${TARGET_POLL_DURATION}
       - GENERATE_OFFLINE_CONFIG=${GENERATE_OFFLINE_CONFIG}
       - PORT=${PORT}
+      - TLS_ENABLED=${TLS_ENABLED}
+      - TLS_CERT=${TLS_CERT}
+      - TLS_KEY=${TLS_KEY}
     build:
       context: ./
       dockerfile: ./Dockerfile

docker-entrypoint.sh

@@ -32,15 +32,48 @@ fi
 
 # Update pushpin.conf file to use $PORT for http_port
 if [ -w /etc/pushpin/pushpin.conf ]; then
+  PROTOCOL="http_port"
+  PUSHPIN_PORT=7000
   if [ -n "${PORT}" ]; then
-    echo "Listening for requests on port ${PORT}"
-    sed -i \
-		-e "s/http_port=7000/http_port=${PORT}/" \
-		/etc/pushpin/pushpin.conf
-		export PORT=
+      PUSHPIN_PORT=${PORT}
+  fi
+
+  if [ "${TLS_ENABLED}" = true ] ; then
+    echo "https configured"
+    PROTOCOL="https_ports"
+
+    # write ca cert to pushpin certs directory if exists
+    if [ -n "${TLS_CERT}" ]; then
+      echo "copying tls cert from ${TLS_CERT} to etc/pushpin/runner/certs/default_${PUSHPIN_PORT}.crt"
+      cp ${TLS_CERT} etc/pushpin/runner/certs/default_${PUSHPIN_PORT}.crt
+    fi
+
+    # write ca key to pushpin certs directory if exists
+    if [ -n "${TLS_KEY}" ]; then
+      echo "copying tls key from ${TLS_CERT} to etc/pushpin/runner/certs/default_${PUSHPIN_PORT}.key"
+      cp ${TLS_KEY} etc/pushpin/runner/certs/default_${PUSHPIN_PORT}.key
+    fi
   fi
+
+  # set port and protocol for pushpin to listen on e.g. listen for https connections on port 6000
+  echo "Listening for requests on port ${PUSHPIN_PORT}"
+  sed -i \
+  -e "s/http_port=7000/${PROTOCOL}=${PUSHPIN_PORT}/" \
+  /etc/pushpin/pushpin.conf
+  export PORT=
 else
 	echo "docker-entrypoint.sh: unable to write to /etc/pushpin/pushpin.conf, readonly"
 fi
 
-exec "$@"
+# Update routes file to forward traffic using ssl if tls_enabled is true
+if [ -w /etc/pushpin/routes ]; then
+  if [ "${TLS_ENABLED}" = true ] ; then
+    sed -i \
+      -e "s/localhost:8000/localhost:8000,ssl,insecure/" \
+      /etc/pushpin/routes
+  fi
+else
+	echo "docker-entrypoint.sh: unable to write to /etc/pushpin/routes, readonly"
+fi
+
+exec "$@"

docs/configuration.md

@@ -80,6 +80,13 @@ Adjust how often certain actions are performed.
 | METRIC_POST_DURATION | metric-post-duration | How often in seconds the proxy posts metrics to Harness. Set to 0 to disable.               | int  | 60      |
 | HEARTBEAT_INTERVAL   | heartbeat-interval   | How often in seconds the proxy polls pings it's health function                             | int  | 60      |
 
+### TLS (beta)
+| Environment Variable | Flag        | Description                                                                 | Type   | Default |
+|----------------------|-------------|-----------------------------------------------------------------------------|--------|---------|
+| TLS_ENABLED          | tls-enabled | If true the proxy will use the tlsCert and tlsKey to run with https enabled | bool   | false   |
+| TLS_CERT             | tls-cert    | Path to tls cert file. Required if tls enabled is true.                     | string |         |
+| TLS_KEY              | tls-key     | Path to tls key file. Required if tls enabled is true.                      | string |         |
+
 ### Harness URLs
 You may need to adjust these if you pass all your traffic through a filter or proxy rather than sending the requests directly. 
 

docs/tls.md

@@ -1,7 +1,12 @@
 # Enabling TLS
+There are two ways to configure the Relay Proxy to accept HTTPS requests.
 
-The Relay Proxy does not currently natively support running with TLS enabled (coming soon).
+### Native TLS (Beta)
+You can configure the Relay Proxy to start with HTTPS enabled. This can be configured using the TLS config options. See [configuration](./configuration.md) for details. 
 
+This does not provide every fine-grained configuration option available to secure servers. If you require more control the best option is to use a program made for this purpose, and follow the "External TLS" option below.
+
+### External TLS
 The recommended way to connect to the Relay Proxy using TLS is to place a reverse proxy such as nginx in front of the Relay Proxy. Then all connected sdks should make requests to the reverse proxy url instead of hitting the Relay Proxy directly.
 
 ![TLS Setup](images/TLS.png?raw=true)

transport/http_server.go

@@ -12,14 +12,17 @@ import (
 
 // HTTPServer is an http server that handles http requests
 type HTTPServer struct {
-	router *echo.Echo
-	server *http.Server
-	log    log.Logger
+	router     *echo.Echo
+	server     *http.Server
+	log        log.Logger
+	tlsEnabled bool
+	tlsCert    string
+	tlsKey     string
 }
 
 // NewHTTPServer registers the passed endpoints against routes and returns an
 // HTTPServer that's ready to use
-func NewHTTPServer(port int, e *Endpoints, l log.Logger) *HTTPServer {
+func NewHTTPServer(port int, e *Endpoints, l log.Logger, tlsEnabled bool, tlsCert string, tlsKey string) *HTTPServer {
 	l = l.With("component", "HTTPServer")
 
 	router := echo.New()
@@ -33,9 +36,12 @@ func NewHTTPServer(port int, e *Endpoints, l log.Logger) *HTTPServer {
 	}
 
 	h := &HTTPServer{
-		router: router,
-		server: server,
-		log:    l,
+		router:     router,
+		server:     server,
+		log:        l,
+		tlsEnabled: tlsEnabled,
+		tlsCert:    tlsCert,
+		tlsKey:     tlsKey,
 	}
 	h.registerEndpoints(e)
 	return h
@@ -48,6 +54,10 @@ func (h *HTTPServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 
 // Serve listens on the HTTPServers addr and handles requests
 func (h *HTTPServer) Serve() error {
+	if h.tlsEnabled {
+		h.log.Info("starting https server", "addr", h.server.Addr, "tlsCert", h.tlsCert, "tlsKey", h.tlsKey)
+		return h.server.ListenAndServeTLS(h.tlsCert, h.tlsKey)
+	}
 	h.log.Info("starting http server", "addr", h.server.Addr)
 	return h.server.ListenAndServe()
 }

transport/http_server_test.go

@@ -244,7 +244,7 @@ func setupHTTPServer(t *testing.T, bypassAuth bool, opts ...setupOpts) *HTTPServ
 	})
 	endpoints := NewEndpoints(service)
 
-	server := NewHTTPServer(8000, endpoints, logger)
+	server := NewHTTPServer(8000, endpoints, logger, false, "", "")
 	server.Use(middleware.NewEchoAuthMiddleware([]byte(`secret`), bypassAuth))
 	return server
 }