-
-
Notifications
You must be signed in to change notification settings - Fork 597
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[feature] Revisit TLS configurations #831
Comments
For any one looking for |
Revised Go struct to configure TLS: // TLSConfig is a common configuration for TLS.
// It allows to configure TLS settings using different sources. The order sources are used is the following:
// 1. File to PEM
// 2. Base64 encoded PEM
// 3. Raw PEM
// It's up to the user to only use a single source of configured values. I.e. if both file and raw PEM are set
// the file will be used and raw PEM will be just ignored.
type TLSConfig struct {
// Enabled turns on using TLS.
Enabled bool `mapstructure:"enabled" json:"enabled"`
// CertPem is a certificate in PEM format.
CertPem string `mapstructure:"cert_pem" json:"cert_pem" envconfig:"cert_pem"`
// CertPemB64 is a certificate in base64 encoded PEM format.
CertPemB64 string `mapstructure:"cert_pem_b64" json:"cert_pem_b64" envconfig:"cert_pem_b64"`
// CertPemFile is a path to a file with certificate in PEM format.
CertPemFile string `mapstructure:"cert_pem_file" json:"cert_pem_file" envconfig:"cert_pem_file"`
// KeyPem is a key in PEM format.
KeyPem string `mapstructure:"key_pem" json:"key_pem" envconfig:"key_pem"`
// KeyPemB64 is a key in base64 encoded PEM format.
KeyPemB64 string `mapstructure:"key_pem_b64" json:"key_pem_b64" envconfig:"key_pem_b64"`
// KeyPemFile is a path to a file with key in PEM format.
KeyPemFile string `mapstructure:"key_pem_file" json:"key_pem_file" envconfig:"key_pem_file"`
// ServerCAPem is a server root CA certificate in PEM format.
// The client uses this certificate to verify the server's certificate during the TLS handshake.
ServerCAPem string `mapstructure:"server_ca_pem" json:"server_ca_pem" envconfig:"server_ca_pem"`
// ServerCAPemB64 is a server root CA certificate in base64 encoded PEM format.
ServerCAPemB64 string `mapstructure:"server_ca_pem_b64" json:"server_ca_pem_b64" envconfig:"server_ca_pem_b64"`
// ServerCAPemFile is a path to a file with server root CA certificate in PEM format.
ServerCAPemFile string `mapstructure:"server_ca_pem_file" json:"server_ca_pem_file" envconfig:"server_ca_pem_file"`
// ClientCAPem is a client CA certificate in PEM format.
// The server uses this certificate to verify the client's certificate during the TLS handshake.
ClientCAPem string `mapstructure:"client_ca_pem" json:"client_ca_pem" envconfig:"client_ca_pem"`
// ClientCAPemB64 is a client CA certificate in base64 encoded PEM format.
ClientCAPemB64 string `mapstructure:"client_ca_pem_b64" json:"client_ca_pem_b64" envconfig:"client_ca_pem_b64"`
// ClientCAPemFile is a path to a file with client CA certificate in PEM format.
ClientCAPemFile string `mapstructure:"client_ca_pem_file" json:"client_ca_pem_file" envconfig:"client_ca_pem_file"`
// InsecureSkipVerify turns off server certificate verification.
InsecureSkipVerify bool `mapstructure:"insecure_skip_verify" json:"insecure_skip_verify" envconfig:"insecure_skip_verify"`
// ServerName is used to verify the hostname on the returned certificates.
ServerName string `mapstructure:"server_name" json:"server_name" envconfig:"server_name"`
} Note:
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your feature request related to a problem? Please describe.
Centrifugo has several places where it allows configuring TLS - in HTTP server, Redis connection, Kafka consumer, GRPC server and client. In the source code though we now use slightly different approach to configure TLS in various parts. I'd like to refactor the configuration a bit to use a single approach to naming and also tweak some TLS related option names. Because currently they are a bit confusing. For example,
tls_cert
option name should becometls_cert_pem_file
. Another idea is to make TLS objects nested to detach TLS configuration objects from config key prefixes, like this:Revisited TLS configuration struct may look like this:
Also, it seems tls options may be removed from command line flags of Centrifugo.
Finally, maybe we should natively support Base64 encoded PEM too. Like:
Describe the solution you'd like.
Look at all places where TLS may be configured and use revisited common configuration strategy. This should make configuration cleaner overall.
The text was updated successfully, but these errors were encountered: