Merge pull request #2648 from semaphoreui/support_tls

support tls
2025-01-19 23:09:21 +01:00 · 2025-01-03 17:56:54 +05:00 · 2025-01-03 17:56:54 +05:00 · 77209fd719
commit 77209fd719
parent c86e53eda6 d100bee70f
6 changed files with 73 additions and 12 deletions
--- a/.devcontainer/postCreateCommand.sh
+++ b/.devcontainer/postCreateCommand.sh
@ -1,3 +1,5 @@
+#!/bin/sh
+
 go install github.com/go-task/task/v3/cmd/task@latest

 (cd ./web && npm install)
--- a/.gitignore
+++ b/.gitignore
@ -1,5 +1,6 @@
 gin-bin
 build/
+/certs/
 web/public/js/bundle.js
 web/public/css/*.*
 web/public/html/**/*.*
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@ -46,7 +46,7 @@
            "runtimeExecutable": "task",
            "args": ["e2e:test:local"],
            "cwd": "${workspaceFolder}",
-            "console": "integratedTerminal",
+            "console": "integratedTerminal"
        }
    ]
 }
--- a/api/login.go
+++ b/api/login.go
@ -183,9 +183,10 @@ func createSession(w http.ResponseWriter, r *http.Request, user db.User) {
 	}

 	http.SetCookie(w, &http.Cookie{
-		Name:  "semaphore",
-		Value: encoded,
-		Path:  "/",
+		Name:     "semaphore",
+		Value:    encoded,
+		Path:     "/",
+		HttpOnly: true,
 	})
 }

@ -334,10 +335,11 @@ func login(w http.ResponseWriter, r *http.Request) {

 func logout(w http.ResponseWriter, r *http.Request) {
 	http.SetCookie(w, &http.Cookie{
-		Name:    "semaphore",
-		Value:   "",
-		Expires: time.Now().Add(24 * 7 * time.Hour * -1),
-		Path:    "/",
+		Name:     "semaphore",
+		Value:    "",
+		Expires:  time.Now().Add(24 * 7 * time.Hour * -1),
+		Path:     "/",
+		HttpOnly: true,
 	})

 	w.WriteHeader(http.StatusNoContent)
--- a/cli/cmd/root.go
+++ b/cli/cmd/root.go
@ -3,9 +3,12 @@ package cmd
 import (
 	"fmt"
 	"net/http"
+	"net/url"
 	"os"
 	"strings"

+	"github.com/gorilla/context"
+	"github.com/gorilla/handlers"
 	"github.com/semaphoreui/semaphore/api"
 	"github.com/semaphoreui/semaphore/api/sockets"
 	"github.com/semaphoreui/semaphore/db"
@ -13,8 +16,6 @@ import (
 	"github.com/semaphoreui/semaphore/services/schedules"
 	"github.com/semaphoreui/semaphore/services/tasks"
 	"github.com/semaphoreui/semaphore/util"
-	"github.com/gorilla/context"
-	"github.com/gorilla/handlers"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 )
@ -107,7 +108,53 @@ func runService() {
 		store.Close("root")
 	}

-	err := http.ListenAndServe(util.Config.Interface+port, cropTrailingSlashMiddleware(router))
+	var err error
+	if util.Config.TLS.Enabled {
+		if util.Config.TLS.HTTPRedirectPort != nil {
+
+			go func() {
+				httpRedirectPort := fmt.Sprintf(":%d", *util.Config.TLS.HTTPRedirectPort)
+				err = http.ListenAndServe(httpRedirectPort, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+					target := "https://"
+
+					if util.Config.WebHost != "" {
+						webHost, err2 := url.Parse(util.Config.WebHost)
+						if err2 != nil {
+							log.Panic(err2)
+						}
+						target += webHost.Scheme + webHost.Host + r.URL.Path
+					} else {
+						hostParts := strings.Split(r.Host, ":")
+						host := hostParts[0]
+						target += host + port + r.URL.Path
+					}
+
+					if len(r.URL.RawQuery) > 0 {
+						target += "?" + r.URL.RawQuery
+					}
+
+					if r.Method != "GET" && r.Method != "HEAD" && r.Method != "OPTIONS" {
+						http.Error(w, "http requests forbidden", http.StatusForbidden)
+						return
+					}
+
+					http.Redirect(w, nil, target, http.StatusTemporaryRedirect)
+				}))
+				if err != nil {
+					log.Panic(err)
+				}
+			}()
+		}
+
+		err = http.ListenAndServeTLS(util.Config.Interface+port, util.Config.TLS.CertFile, util.Config.TLS.KeyFile, cropTrailingSlashMiddleware(router))
+
+		if err != nil {
+			log.Panic(err)
+		}
+
+	} else {
+		err = http.ListenAndServe(util.Config.Interface+port, cropTrailingSlashMiddleware(router))
+	}

 	if err != nil {
 		log.Panic(err)
--- a/util/config.go
+++ b/util/config.go
@ -112,6 +112,13 @@ type RunnerConfig struct {
 	MaxParallelTasks int `json:"max_parallel_tasks,omitempty" default:"1" env:"SEMAPHORE_RUNNER_MAX_PARALLEL_TASKS"`
 }

+type TLSConfig struct {
+	Enabled          bool   `json:"enabled" env:"SEMAPHORE_TLS_ENABLED"`
+	CertFile         string `json:"cert_file" env:"SEMAPHORE_TLS_CERT_FILE"`
+	KeyFile          string `json:"key_file" env:"SEMAPHORE_TLS_KEY_FILE"`
+	HTTPRedirectPort *int   `json:"http_redirect_port,omitempty" env:"SEMAPHORE_TLS_HTTP_REDIRECT_PORT"`
+}
+
 // ConfigType mapping between Config and the json file that sets it
 type ConfigType struct {
 	MySQL    *DbConfig `json:"mysql,omitempty"`
@ -122,7 +129,8 @@ type ConfigType struct {

 	// Format `:port_num` eg, :3000
 	// if : is missing it will be corrected
-	Port string `json:"port,omitempty" default:":3000" rule:"^:?([0-9]{1,5})$" env:"SEMAPHORE_PORT"`
+	Port string     `json:"port,omitempty" default:":3000" rule:"^:?([0-9]{1,5})$" env:"SEMAPHORE_PORT"`
+	TLS  *TLSConfig `json:"tls,omitempty"`

 	// Interface ip, put in front of the port.
 	// defaults to empty
@ -234,6 +242,7 @@ func ConfigInit(configPath string, noConfigFile bool) {
 	if !noConfigFile {
 		loadConfigFile(configPath)
 	}
+
 	loadConfigEnvironment()
 	loadConfigDefaults()