lib/httpserver: follow up after def0032c7d
This commit is contained in:
parent
def0032c7d
commit
7e4bdf31ba
@ -1923,8 +1923,9 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li
|
|||||||
Path to file with TLS certificate. Used only if -tls is set. Prefer ECDSA certs instead of RSA certs as RSA certs are slower. The provided certificate file is automatically re-read every second, so it can be dynamically updated
|
Path to file with TLS certificate. Used only if -tls is set. Prefer ECDSA certs instead of RSA certs as RSA certs are slower. The provided certificate file is automatically re-read every second, so it can be dynamically updated
|
||||||
-tlsKeyFile string
|
-tlsKeyFile string
|
||||||
Path to file with TLS key. Used only if -tls is set. The provided key file is automatically re-read every second, so it can be dynamically updated
|
Path to file with TLS key. Used only if -tls is set. The provided key file is automatically re-read every second, so it can be dynamically updated
|
||||||
-tlsCipherSuites
|
-tlsCipherSuites array
|
||||||
Cipher suites names for TLS encryption. For example, TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA. Used only if -tls flag is set
|
Optional list of TLS cipher suites for incoming requests over HTTPS if -tls flag is set. See the list of supported cipher suites at https://pkg.go.dev/crypto/tls#pkg-constants
|
||||||
|
Supports an array of values separated by comma or specified via multiple flags.
|
||||||
-version
|
-version
|
||||||
Show VictoriaMetrics version
|
Show VictoriaMetrics version
|
||||||
```
|
```
|
||||||
|
@ -16,6 +16,7 @@ The following tip changes can be tested by building VictoriaMetrics components f
|
|||||||
## tip
|
## tip
|
||||||
|
|
||||||
* FEATURE: [vmalert](https://docs.victoriametrics.com/vmalert.html): add support for DNS-based discovery for notifiers in the same way as Prometheus does. See [these docs](https://docs.victoriametrics.com/vmalert.html#notifier-configuration-file) and [this feature request](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/2460).
|
* FEATURE: [vmalert](https://docs.victoriametrics.com/vmalert.html): add support for DNS-based discovery for notifiers in the same way as Prometheus does. See [these docs](https://docs.victoriametrics.com/vmalert.html#notifier-configuration-file) and [this feature request](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/2460).
|
||||||
|
* FEATURE: allow specifying TLS cipher suites for incoming https requests via `-tlsCipherSuites` command-line flag. See [this feature request](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/2404).
|
||||||
|
|
||||||
* BUGFIX: [vmctl](https://docs.victoriametrics.com/vmctl.html): return non-zero exit code on error. This allows handling `vmctl` errors in shell scripts. Previously `vmctl` was returning 0 exit code on error. See [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/2322).
|
* BUGFIX: [vmctl](https://docs.victoriametrics.com/vmctl.html): return non-zero exit code on error. This allows handling `vmctl` errors in shell scripts. Previously `vmctl` was returning 0 exit code on error. See [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/2322).
|
||||||
* BUGFIX: [vmagent](https://docs.victoriametrics.com/vmagent.html): properly show `scrape_timeout` and `scrape_interval` options at `http://vmagent:8429/config` page. Previously these options weren't displayed even if they were set in `-promscrape.config`.
|
* BUGFIX: [vmagent](https://docs.victoriametrics.com/vmagent.html): properly show `scrape_timeout` and `scrape_interval` options at `http://vmagent:8429/config` page. Previously these options weren't displayed even if they were set in `-promscrape.config`.
|
||||||
|
@ -1923,6 +1923,9 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li
|
|||||||
Path to file with TLS certificate. Used only if -tls is set. Prefer ECDSA certs instead of RSA certs as RSA certs are slower. The provided certificate file is automatically re-read every second, so it can be dynamically updated
|
Path to file with TLS certificate. Used only if -tls is set. Prefer ECDSA certs instead of RSA certs as RSA certs are slower. The provided certificate file is automatically re-read every second, so it can be dynamically updated
|
||||||
-tlsKeyFile string
|
-tlsKeyFile string
|
||||||
Path to file with TLS key. Used only if -tls is set. The provided key file is automatically re-read every second, so it can be dynamically updated
|
Path to file with TLS key. Used only if -tls is set. The provided key file is automatically re-read every second, so it can be dynamically updated
|
||||||
|
-tlsCipherSuites array
|
||||||
|
Optional list of TLS cipher suites for incoming requests over HTTPS if -tls flag is set. See the list of supported cipher suites at https://pkg.go.dev/crypto/tls#pkg-constants
|
||||||
|
Supports an array of values separated by comma or specified via multiple flags.
|
||||||
-version
|
-version
|
||||||
Show VictoriaMetrics version
|
Show VictoriaMetrics version
|
||||||
```
|
```
|
||||||
|
@ -1927,6 +1927,9 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li
|
|||||||
Path to file with TLS certificate. Used only if -tls is set. Prefer ECDSA certs instead of RSA certs as RSA certs are slower. The provided certificate file is automatically re-read every second, so it can be dynamically updated
|
Path to file with TLS certificate. Used only if -tls is set. Prefer ECDSA certs instead of RSA certs as RSA certs are slower. The provided certificate file is automatically re-read every second, so it can be dynamically updated
|
||||||
-tlsKeyFile string
|
-tlsKeyFile string
|
||||||
Path to file with TLS key. Used only if -tls is set. The provided key file is automatically re-read every second, so it can be dynamically updated
|
Path to file with TLS key. Used only if -tls is set. The provided key file is automatically re-read every second, so it can be dynamically updated
|
||||||
|
-tlsCipherSuites array
|
||||||
|
Optional list of TLS cipher suites for incoming requests over HTTPS if -tls flag is set. See the list of supported cipher suites at https://pkg.go.dev/crypto/tls#pkg-constants
|
||||||
|
Supports an array of values separated by comma or specified via multiple flags.
|
||||||
-version
|
-version
|
||||||
Show VictoriaMetrics version
|
Show VictoriaMetrics version
|
||||||
```
|
```
|
||||||
|
@ -33,7 +33,7 @@ var (
|
|||||||
tlsEnable = flag.Bool("tls", false, "Whether to enable TLS (aka HTTPS) for incoming requests. -tlsCertFile and -tlsKeyFile must be set if -tls is set")
|
tlsEnable = flag.Bool("tls", false, "Whether to enable TLS (aka HTTPS) for incoming requests. -tlsCertFile and -tlsKeyFile must be set if -tls is set")
|
||||||
tlsCertFile = flag.String("tlsCertFile", "", "Path to file with TLS certificate. Used only if -tls is set. Prefer ECDSA certs instead of RSA certs as RSA certs are slower. The provided certificate file is automatically re-read every second, so it can be dynamically updated")
|
tlsCertFile = flag.String("tlsCertFile", "", "Path to file with TLS certificate. Used only if -tls is set. Prefer ECDSA certs instead of RSA certs as RSA certs are slower. The provided certificate file is automatically re-read every second, so it can be dynamically updated")
|
||||||
tlsKeyFile = flag.String("tlsKeyFile", "", "Path to file with TLS key. Used only if -tls is set. The provided key file is automatically re-read every second, so it can be dynamically updated")
|
tlsKeyFile = flag.String("tlsKeyFile", "", "Path to file with TLS key. Used only if -tls is set. The provided key file is automatically re-read every second, so it can be dynamically updated")
|
||||||
tlsCipherSuites = flagutil.NewArray("tlsCipherSuites", "Cipher suites names for TLS encryption. For example, TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA. Used only if -tls flag is set")
|
tlsCipherSuites = flagutil.NewArray("tlsCipherSuites", "Optional list of TLS cipher suites for incoming requests over HTTPS if -tls flag is set. See the list of supported cipher suites at https://pkg.go.dev/crypto/tls#pkg-constants")
|
||||||
|
|
||||||
pathPrefix = flag.String("http.pathPrefix", "", "An optional prefix to add to all the paths handled by http server. For example, if '-http.pathPrefix=/foo/bar' is set, "+
|
pathPrefix = flag.String("http.pathPrefix", "", "An optional prefix to add to all the paths handled by http server. For example, if '-http.pathPrefix=/foo/bar' is set, "+
|
||||||
"then all the http requests will be handled on '/foo/bar/*' paths. This may be useful for proxied requests. "+
|
"then all the http requests will be handled on '/foo/bar/*' paths. This may be useful for proxied requests. "+
|
||||||
@ -101,17 +101,13 @@ func Serve(addr string, rh RequestHandler) {
|
|||||||
var certLock sync.Mutex
|
var certLock sync.Mutex
|
||||||
var certDeadline uint64
|
var certDeadline uint64
|
||||||
var cert *tls.Certificate
|
var cert *tls.Certificate
|
||||||
var cipherSuites []uint16
|
|
||||||
c, err := tls.LoadX509KeyPair(*tlsCertFile, *tlsKeyFile)
|
c, err := tls.LoadX509KeyPair(*tlsCertFile, *tlsKeyFile)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.Fatalf("cannot load TLS cert from tlsCertFile=%q, tlsKeyFile=%q: %s", *tlsCertFile, *tlsKeyFile, err)
|
logger.Fatalf("cannot load TLS cert from -tlsCertFile=%q, -tlsKeyFile=%q: %s", *tlsCertFile, *tlsKeyFile, err)
|
||||||
}
|
}
|
||||||
if len(*tlsCipherSuites) != 0 {
|
cipherSuites, err := cipherSuitesFromNames(*tlsCipherSuites)
|
||||||
collectedCipherSuites, err := collectCipherSuites(*tlsCipherSuites)
|
if err != nil {
|
||||||
if err != nil {
|
logger.Fatalf("cannot use TLS cipher suites from -tlsCipherSuites=%q: %s", *tlsCipherSuites, err)
|
||||||
logger.Fatalf("cannot use TLS cipher suites from tlsCipherSuites=%q: %s", *tlsCipherSuites, err)
|
|
||||||
}
|
|
||||||
cipherSuites = collectedCipherSuites
|
|
||||||
}
|
}
|
||||||
cert = &c
|
cert = &c
|
||||||
cfg := &tls.Config{
|
cfg := &tls.Config{
|
||||||
@ -123,7 +119,7 @@ func Serve(addr string, rh RequestHandler) {
|
|||||||
if fasttime.UnixTimestamp() > certDeadline {
|
if fasttime.UnixTimestamp() > certDeadline {
|
||||||
c, err = tls.LoadX509KeyPair(*tlsCertFile, *tlsKeyFile)
|
c, err = tls.LoadX509KeyPair(*tlsCertFile, *tlsKeyFile)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("cannot load TLS cert from tlsCertFile=%q, tlsKeyFile=%q: %w", *tlsCertFile, *tlsKeyFile, err)
|
return nil, fmt.Errorf("cannot load TLS cert from -tlsCertFile=%q, -tlsKeyFile=%q: %w", *tlsCertFile, *tlsKeyFile, err)
|
||||||
}
|
}
|
||||||
certDeadline = fasttime.UnixTimestamp() + 1
|
certDeadline = fasttime.UnixTimestamp() + 1
|
||||||
cert = &c
|
cert = &c
|
||||||
@ -698,18 +694,20 @@ func GetRequestURI(r *http.Request) string {
|
|||||||
return requestURI + delimiter + queryArgs
|
return requestURI + delimiter + queryArgs
|
||||||
}
|
}
|
||||||
|
|
||||||
func collectCipherSuites(definedCipherSuites []string) ([]uint16, error) {
|
func cipherSuitesFromNames(cipherSuiteNames []string) ([]uint16, error) {
|
||||||
var cipherSuites []uint16
|
if len(cipherSuiteNames) == 0 {
|
||||||
|
return nil, nil
|
||||||
supportedCipherSuites := tls.CipherSuites()
|
|
||||||
supportedCipherSuitesMap := make(map[string]uint16, len(supportedCipherSuites))
|
|
||||||
for _, scf := range supportedCipherSuites {
|
|
||||||
supportedCipherSuitesMap[strings.ToLower(scf.Name)] = scf.ID
|
|
||||||
}
|
}
|
||||||
for _, gotSuite := range definedCipherSuites {
|
css := tls.CipherSuites()
|
||||||
id, ok := supportedCipherSuitesMap[strings.ToLower(gotSuite)]
|
cssMap := make(map[string]uint16, len(css))
|
||||||
|
for _, cs := range css {
|
||||||
|
cssMap[strings.ToLower(cs.Name)] = cs.ID
|
||||||
|
}
|
||||||
|
cipherSuites := make([]uint16, 0, len(cipherSuiteNames))
|
||||||
|
for _, name := range cipherSuiteNames {
|
||||||
|
id, ok := cssMap[strings.ToLower(name)]
|
||||||
if !ok {
|
if !ok {
|
||||||
return nil, fmt.Errorf("got unsupported cipher suite name: %s", gotSuite)
|
return nil, fmt.Errorf("unsupported TLS cipher suite name: %s", name)
|
||||||
}
|
}
|
||||||
cipherSuites = append(cipherSuites, id)
|
cipherSuites = append(cipherSuites, id)
|
||||||
}
|
}
|
||||||
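Review bot: cipherSuitesFromNames at the top of the -698 hunk has no doc comment, and the contract the new body establishes is worth recording: names are matched case-insensitively against tls.CipherSuites(), which lists only the suites crypto/tls considers secure, so anything from tls.InsecureCipherSuites() is rejected with the `unsupported TLS cipher suite name` error, and an empty list returns nil, nil so tls.Config keeps its default suites. I would add `// cipherSuitesFromNames maps cipher suite names (matched case-insensitively) to their crypto/tls ids. Only suites listed by tls.CipherSuites() are accepted, so suites Go marks insecure are rejected; an empty list yields nil, leaving tls.Config on its defaults.` The flag description rewritten in the -33 hunk points users at the full pkg-constants list, which includes the insecure suites this function refuses, so it would be clearer to say the accepted names are those returned by tls.CipherSuites(). Per the crypto/tls docs tls.Config.CipherSuites applies only to TLS 1.0–1.2, so TLS 1.3 names such as TLS_AES_128_GCM_SHA256 are accepted here but have no effect — presumably acceptable, but worth a line in the comment. The function's final return lies outside the hunk.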
|
@ -5,7 +5,7 @@ import (
|
|||||||
"testing"
|
"testing"
|
||||||
)
|
)
|
||||||
|
|
||||||
func Test_validateCipherSuites(t *testing.T) {
|
func TestCipherSuitesFromNames(t *testing.T) {
|
||||||
type args struct {
|
type args struct {
|
||||||
definedCipherSuites []string
|
definedCipherSuites []string
|
||||||
}
|
}
|
||||||
@ -65,9 +65,9 @@ func Test_validateCipherSuites(t *testing.T) {
|
|||||||
}
|
}
|
||||||
for _, tt := range tests {
|
for _, tt := range tests {
|
||||||
t.Run(tt.name, func(t *testing.T) {
|
t.Run(tt.name, func(t *testing.T) {
|
||||||
got, err := collectCipherSuites(tt.args.definedCipherSuites)
|
got, err := cipherSuitesFromNames(tt.args.definedCipherSuites)
|
||||||
if (err != nil) != tt.wantErr {
|
if (err != nil) != tt.wantErr {
|
||||||
t.Errorf("collectCipherSuites() error = %v, wantErr %v", err, tt.wantErr)
|
t.Errorf("cipherSuitesFromNames() error = %v, wantErr %v", err, tt.wantErr)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
if !reflect.DeepEqual(got, tt.want) {
|
if !reflect.DeepEqual(got, tt.want) {
|
||||||
|