Add TLS options to server #873
Conversation
goller
changed the title
| s.Listener, err = net.Listen("tcp", net.JoinHostPort(s.Host, strconv.Itoa(s.Port))) | ||
| if s.useTLS() { | ||
| // Add HSTS to instruct all browsers to change from http to https | ||
| s.handler = HSTS(s.handler) |
There was a problem hiding this comment.
Does Chronograf have an API? Does this change effect the API as well?
There was a problem hiding this comment.
Hey @nathanielc, yup, chronograf does have an API (the swagger is here: https://github.com/influxdata/chronograf/blob/master/server/swagger.json)
The HSTS middleware also wraps the API routes as well.
There was a problem hiding this comment.
Great, will non browser clients honor the HSTS headers or will you also need to create a redirect from http to https for those clients? I know nothing about HSTS so just asking the questions hoping you know the answers.
There was a problem hiding this comment.
So, HSTS really informs the client to cache that HTTPS should be used for this domain and potentially its subdomains for a length of time.
If that client that has the value cached ever receives HTTP instead it would know to reject it as a possible man-in-the-middle.
So for normal API calls to HTTPS from, say, curl, it would not use HSTS as that value is probably not cached.
HSTS doesn't redirect HTTP to HTTPS but rather is only used on HTTPS responses.
goller
changed the title
There was a problem hiding this comment.
Looks good! There are two small typos and I had one minor recommendation that you can take or leave. I think the doc is clear either way.
I did wonder if the CLI options or the environment variables take precedence, but I don't know if that's relevant for this subject matter.
docs/tls.md
Outdated
| INFO[0000] Serving chronograf at https://[::]:8888 component=server | ||
| ``` | ||
|
|
||
| In the first log message you should `https` rather than `http`. |
There was a problem hiding this comment.
should https -> should see https
docs/tls.md
Outdated
| In Chronograf all command line options also have a corresponding environment | ||
| variable. | ||
|
|
||
| To specify the the certificate file either use the `--cert` CLI option or `TLS_CERTIFICATE` |
|
|
||
| To specify the key file either use the `--key` CLI option or `TLS_PRIVATE_KEY` | ||
| environment variable. | ||
|
|
There was a problem hiding this comment.
Maybe unnecessary but, to have all of this kind of information in one place, I might include the text below in this section, and remove If the cert and the key are in the same file, you don't have to specify the TLS_PRIVATE_KEY option from the Testing section.
To specify the certificate and key if they're in the same file either use the --cert CLI option or TLS_CERTIFICATE environment variable.
Connect #
The problem
Chronograf server did not have the option to host certs. This is important for OAuth2 if one doesn't have TLS termination in some other location.
The Solution
Add two CLI options (
--cert and --key) and corresponding environment variables (TLS_CERTIFICATEandTLS_PRIVATE_KEY).The two parameters specify files container the certificate and the private key. If the private key is in the certificate file then only
--certneeds to be specified.Additionally, HSTS middleware was added to require https if TLS is turned on.