selfhosted
/
coder
mirror of https://github.com/coder/coder.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

feat: add configurable cipher suites for tls listening (#10505) 

* feat: add configurable cipher suites for tls listening
* tls.VersionName is go 1.21, copy the function
This commit is contained in:
Steven Masley 2023-11-07 08:55:39 -06:00 committed by GitHub
parent e36503afd2
commit 64398def48
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 478 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

185
cli/server.go
View File

@ -354,7 +354,7 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
logger.Debug(ctx, "tracing closed", slog.Error(traceCloseErr))
}()
httpServers, err := ConfigureHTTPServers(inv, vals)
httpServers, err := ConfigureHTTPServers(logger, inv, vals)
if err != nil {
return xerrors.Errorf("configure http(s): %w", err)
}
@ -1021,7 +1021,7 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
r.Verbosef(inv, "Shutting down provisioner daemon %d...", id)
err := shutdownWithTimeout(provisionerDaemon.Shutdown, 5*time.Second)
if err != nil {
cliui.Errorf(inv.Stderr, "Failed to shutdown provisioner daemon %d: %s\n", id, err)
cliui.Errorf(inv.Stderr, "Failed to shut down provisioner daemon %d: %s\n", id, err)
return
}
err = provisionerDaemon.Close()
@ -1411,7 +1411,12 @@ func generateSelfSignedCertificate() (*tls.Certificate, error) {
return &cert, nil
}
func configureTLS(tlsMinVersion, tlsClientAuth string, tlsCertFiles, tlsKeyFiles []string, tlsClientCAFile string) (*tls.Config, error) {
// configureServerTLS returns the TLS config used for the Coderd server
// connections to clients. A logger is passed in to allow printing warning
// messages that do not block startup.
//
//nolint:revive
func configureServerTLS(ctx context.Context, logger slog.Logger, tlsMinVersion, tlsClientAuth string, tlsCertFiles, tlsKeyFiles []string, tlsClientCAFile string, ciphers []string, allowInsecureCiphers bool) (*tls.Config, error) {
tlsConfig := &tls.Config{
MinVersion: tls.VersionTLS12,
NextProtos: []string{"h2", "http/1.1"},
@ -1429,6 +1434,15 @@ func configureTLS(tlsMinVersion, tlsClientAuth string, tlsCertFiles, tlsKeyFiles
return nil, xerrors.Errorf("unrecognized tls version: %q", tlsMinVersion)
}
// A custom set of supported ciphers.
if len(ciphers) > 0 {
cipherIDs, err := configureCipherSuites(ctx, logger, ciphers, allowInsecureCiphers, tlsConfig.MinVersion, tls.VersionTLS13)
if err != nil {
return nil, err
}
tlsConfig.CipherSuites = cipherIDs
}
switch tlsClientAuth {
case "none":
tlsConfig.ClientAuth = tls.NoClientCert
@ -1487,6 +1501,160 @@ func configureTLS(tlsMinVersion, tlsClientAuth string, tlsCertFiles, tlsKeyFiles
return tlsConfig, nil
}
//nolint:revive
func configureCipherSuites(ctx context.Context, logger slog.Logger, ciphers []string, allowInsecureCiphers bool, minTLS, maxTLS uint16) ([]uint16, error) {
if minTLS > maxTLS {
return nil, xerrors.Errorf("minimum tls version (%s) cannot be greater than maximum tls version (%s)", versionName(minTLS), versionName(maxTLS))
}
if minTLS >= tls.VersionTLS13 {
// The cipher suites config option is ignored for tls 1.3 and higher.
// So this user flag is a no-op if the min version is 1.3.
return nil, xerrors.Errorf("'--tls-ciphers' cannot be specified when using minimum tls version 1.3 or higher, %d ciphers found as input.", len(ciphers))
}
// Configure the cipher suites which parses the strings and converts them
// to golang cipher suites.
supported, err := parseTLSCipherSuites(ciphers)
if err != nil {
return nil, xerrors.Errorf("tls ciphers: %w", err)
}
// allVersions is all tls versions the server supports.
// We enumerate these to ensure if ciphers are configured, at least
// 1 cipher for each version exists.
allVersions := make(map[uint16]bool)
for v := minTLS; v <= maxTLS; v++ {
allVersions[v] = false
}
var insecure []string
cipherIDs := make([]uint16, 0, len(supported))
for _, cipher := range supported {
if cipher.Insecure {
// Always show this warning, even if they have allowInsecureCiphers
// specified.
logger.Warn(ctx, "insecure tls cipher specified for server use", slog.F("cipher", cipher.Name))
insecure = append(insecure, cipher.Name)
}
// This is a warning message to tell the user if they are specifying
// a cipher that does not support the tls versions they have specified.
// This makes the cipher essentially a "noop" cipher.
if !hasSupportedVersion(minTLS, maxTLS, cipher.SupportedVersions) {
versions := make([]string, 0, len(cipher.SupportedVersions))
for _, sv := range cipher.SupportedVersions {
versions = append(versions, versionName(sv))
}
logger.Warn(ctx, "cipher not supported for tls versions enabled, cipher will not be used",
slog.F("cipher", cipher.Name),
slog.F("cipher_supported_versions", strings.Join(versions, ",")),
slog.F("server_min_version", versionName(minTLS)),
slog.F("server_max_version", versionName(maxTLS)),
)
}
for _, v := range cipher.SupportedVersions {
allVersions[v] = true
}
cipherIDs = append(cipherIDs, cipher.ID)
}
if len(insecure) > 0 && !allowInsecureCiphers {
return nil, xerrors.Errorf("insecure tls ciphers specified, must use '--tls-allow-insecure-ciphers' to allow these: %s", strings.Join(insecure, ", "))
}
// This is an additional sanity check. The user can specify ciphers that
// do not cover the full range of tls versions they have specified.
// They can unintentionally break TLS for some tls configured versions.
var missedVersions []string
for version, covered := range allVersions {
if version == tls.VersionTLS13 {
continue // v1.3 ignores configured cipher suites.
}
if !covered {
missedVersions = append(missedVersions, versionName(version))
}
}
if len(missedVersions) > 0 {
return nil, xerrors.Errorf("no tls ciphers supported for tls versions %q."+
"Add additional ciphers, set the minimum version to 'tls13, or remove the ciphers configured and rely on the default",
strings.Join(missedVersions, ","))
}
return cipherIDs, nil
}
// parseTLSCipherSuites will parse cipher suite names like 'TLS_RSA_WITH_AES_128_CBC_SHA'
// to their tls cipher suite structs. If a cipher suite that is unsupported is
// passed in, this function will return an error.
// This function can return insecure cipher suites.
func parseTLSCipherSuites(ciphers []string) ([]tls.CipherSuite, error) {
if len(ciphers) == 0 {
return nil, nil
}
var unsupported []string
var supported []tls.CipherSuite
// A custom set of supported ciphers.
allCiphers := append(tls.CipherSuites(), tls.InsecureCipherSuites()...)
for _, cipher := range ciphers {
// For each cipher specified by the client, find the cipher in the
// list of golang supported ciphers.
var found *tls.CipherSuite
for _, supported := range allCiphers {
if strings.EqualFold(supported.Name, cipher) {
found = supported
break
}
}
if found == nil {
unsupported = append(unsupported, cipher)
continue
}
supported = append(supported, *found)
}
if len(unsupported) > 0 {
return nil, xerrors.Errorf("unsupported tls ciphers specified, see https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L53-L75: %s", strings.Join(unsupported, ", "))
}
return supported, nil
}
// hasSupportedVersion is a helper function that returns true if the list
// of supported versions contains a version between min and max.
// If the versions list is outside the min/max, then it returns false.
func hasSupportedVersion(min, max uint16, versions []uint16) bool {
for _, v := range versions {
if v >= min && v <= max {
// If one version is in between min/max, return true.
return true
}
}
return false
}
// versionName is tls.VersionName in go 1.21.
// Until the switch, the function is copied locally.
func versionName(version uint16) string {
switch version {
case tls.VersionSSL30:
return "SSLv3"
case tls.VersionTLS10:
return "TLS 1.0"
case tls.VersionTLS11:
return "TLS 1.1"
case tls.VersionTLS12:
return "TLS 1.2"
case tls.VersionTLS13:
return "TLS 1.3"
default:
return fmt.Sprintf("0x%04X", version)
}
}
func configureOIDCPKI(orig *oauth2.Config, keyFile string, certFile string) (*oauthpki.Config, error) {
// Read the files
keyData, err := os.ReadFile(keyFile)
@ -2078,7 +2246,8 @@ func ConfigureTraceProvider(
return tracerProvider, sqlDriver, closeTracing
}
func ConfigureHTTPServers(inv *clibase.Invocation, cfg *codersdk.DeploymentValues) (_ *HTTPServers, err error) {
func ConfigureHTTPServers(logger slog.Logger, inv *clibase.Invocation, cfg *codersdk.DeploymentValues) (_ *HTTPServers, err error) {
ctx := inv.Context()
httpServers := &HTTPServers{}
defer func() {
if err != nil {
@ -2154,16 +2323,20 @@ func ConfigureHTTPServers(inv *clibase.Invocation, cfg *codersdk.DeploymentValue
// DEPRECATED: This redirect used to default to true.
// It made more sense to have the redirect be opt-in.
if inv.Environ.Get("CODER_TLS_REDIRECT_HTTP") == "true" || inv.ParsedFlags().Changed("tls-redirect-http-to-https") {
cliui.Warn(inv.Stderr, "--tls-redirect-http-to-https is deprecated, please use --redirect-to-access-url instead")
logger.Warn(ctx, "--tls-redirect-http-to-https is deprecated, please use --redirect-to-access-url instead")
cfg.RedirectToAccessURL = cfg.TLS.RedirectHTTP
}
tlsConfig, err := configureTLS(
tlsConfig, err := configureServerTLS(
ctx,
logger,
cfg.TLS.MinVersion.String(),
cfg.TLS.ClientAuth.String(),
cfg.TLS.CertFiles,
cfg.TLS.KeyFiles,
cfg.TLS.ClientCAFile.String(),
cfg.TLS.SupportedCiphers.Value(),
cfg.TLS.AllowInsecureCiphers.Value(),
)
if err != nil {
return nil, xerrors.Errorf("configure tls: %w", err)

171
cli/server_internal_test.go Normal file
View File

@ -0,0 +1,171 @@
package cli
import (
"bytes"
"context"
"crypto/tls"
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"cdr.dev/slog"
"cdr.dev/slog/sloggers/sloghuman"
)
func Test_configureCipherSuites(t *testing.T) {
t.Parallel()
cipherNames := func(ciphers []*tls.CipherSuite) []string {
var names []string
for _, c := range ciphers {
names = append(names, c.Name)
}
return names
}
cipherIDs := func(ciphers []*tls.CipherSuite) []uint16 {
var ids []uint16
for _, c := range ciphers {
ids = append(ids, c.ID)
}
return ids
}
cipherByName := func(cipher string) *tls.CipherSuite {
for _, c := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
if cipher == c.Name {
c := c
return c
}
}
return nil
}
tests := []struct {
name string
wantErr string
wantWarnings []string
inputCiphers []string
minTLS uint16
maxTLS uint16
allowInsecure bool
expectCiphers []uint16
}{
{
name: "AllSecure",
minTLS: tls.VersionTLS10,
maxTLS: tls.VersionTLS13,
inputCiphers: cipherNames(tls.CipherSuites()),
wantWarnings: []string{},
expectCiphers: cipherIDs(tls.CipherSuites()),
},
{
name: "AllowInsecure",
minTLS: tls.VersionTLS10,
maxTLS: tls.VersionTLS13,
inputCiphers: append(cipherNames(tls.CipherSuites()), tls.InsecureCipherSuites()[0].Name),
allowInsecure: true,
wantWarnings: []string{
"insecure tls cipher specified",
},
expectCiphers: append(cipherIDs(tls.CipherSuites()), tls.InsecureCipherSuites()[0].ID),
},
{
name: "AllInsecure",
minTLS: tls.VersionTLS10,
maxTLS: tls.VersionTLS13,
inputCiphers: append(cipherNames(tls.CipherSuites()), cipherNames(tls.InsecureCipherSuites())...),
allowInsecure: true,
wantWarnings: []string{
"insecure tls cipher specified",
},
expectCiphers: append(cipherIDs(tls.CipherSuites()), cipherIDs(tls.InsecureCipherSuites())...),
},
{
// Providing ciphers that are not compatible with any tls version
// enabled should generate a warning.
name: "ExcessiveCiphers",
minTLS: tls.VersionTLS10,
maxTLS: tls.VersionTLS11,
inputCiphers: []string{
"TLS_RSA_WITH_AES_128_CBC_SHA",
// Only for TLS 1.3
"TLS_AES_128_GCM_SHA256",
},
allowInsecure: true,
wantWarnings: []string{
"cipher not supported for tls versions",
},
expectCiphers: cipherIDs([]*tls.CipherSuite{
cipherByName("TLS_RSA_WITH_AES_128_CBC_SHA"),
cipherByName("TLS_AES_128_GCM_SHA256"),
}),
},
// Errors
{
name: "NotRealCiphers",
minTLS: tls.VersionTLS10,
maxTLS: tls.VersionTLS13,
inputCiphers: []string{"RSA-Fake"},
wantErr: "unsupported tls ciphers",
},
{
name: "NoCiphers",
minTLS: tls.VersionTLS10,
maxTLS: tls.VersionTLS13,
wantErr: "no tls ciphers supported",
},
{
name: "InsecureNotAllowed",
minTLS: tls.VersionTLS10,
maxTLS: tls.VersionTLS13,
inputCiphers: append(cipherNames(tls.CipherSuites()), tls.InsecureCipherSuites()[0].Name),
wantErr: "insecure tls ciphers specified",
},
{
name: "TLS1.3",
minTLS: tls.VersionTLS13,
maxTLS: tls.VersionTLS13,
inputCiphers: cipherNames(tls.CipherSuites()),
wantErr: "'--tls-ciphers' cannot be specified when using minimum tls version 1.3",
},
{
name: "TLSUnsupported",
minTLS: tls.VersionTLS10,
maxTLS: tls.VersionTLS13,
// TLS_RSA_WITH_AES_128_GCM_SHA256 only supports tls 1.2
inputCiphers: []string{"TLS_RSA_WITH_AES_128_GCM_SHA256"},
wantErr: "no tls ciphers supported for tls versions",
},
{
name: "Min>Max",
minTLS: tls.VersionTLS13,
maxTLS: tls.VersionTLS12,
wantErr: "minimum tls version (TLS 1.3) cannot be greater than maximum tls version (TLS 1.2)",
},
}
for _, tt := range tests {
tt := tt
t.Run(tt.name, func(t *testing.T) {
t.Parallel()
ctx := context.Background()
var out bytes.Buffer
logger := slog.Make(sloghuman.Sink(&out))
found, err := configureCipherSuites(ctx, logger, tt.inputCiphers, tt.allowInsecure, tt.minTLS, tt.maxTLS)
if tt.wantErr != "" {
require.ErrorContains(t, err, tt.wantErr)
} else {
require.NoError(t, err, "no error")
require.ElementsMatch(t, tt.expectCiphers, found, "expected ciphers")
if len(tt.wantWarnings) > 0 {
logger.Sync()
for _, w := range tt.wantWarnings {
assert.Contains(t, out.String(), w, "expected warning")
}
}
}
})
}
}

9
cli/testdata/coder_server_--help.golden vendored
View File

@ -249,12 +249,21 @@ can safely ignore these settings.
--tls-address host:port, $CODER_TLS_ADDRESS (default: 127.0.0.1:3443)
HTTPS bind address of the server.
--tls-allow-insecure-ciphers bool, $CODER_TLS_ALLOW_INSECURE_CIPHERS (default: false)
By default, only ciphers marked as 'secure' are allowed to be used.
See
https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L82-L95.
--tls-cert-file string-array, $CODER_TLS_CERT_FILE
Path to each certificate for TLS. It requires a PEM-encoded file. To
configure the listener to use a CA certificate, concatenate the
primary certificate and the CA certificate together. The primary
certificate should appear first in the combined file.
--tls-ciphers string-array, $CODER_TLS_CIPHERS
Specify specific TLS ciphers that allowed to be used. See
https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L53-L75.
--tls-client-auth string, $CODER_TLS_CLIENT_AUTH (default: none)
Policy the server will follow for TLS Client Authentication. Accepted
values are "none", "request", "require-any", "verify-if-given", or

8
cli/testdata/server-config.yaml.golden vendored
View File

@ -83,6 +83,14 @@ networking:
# Path to key for client TLS authentication. It requires a PEM-encoded file.
# (default: <unset>, type: string)
clientKeyFile: ""
# Specify specific TLS ciphers that allowed to be used. See
# https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L53-L75.
# (default: <unset>, type: string-array)
tlsCiphers: []
# By default, only ciphers marked as 'secure' are allowed to be used. See
# https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L82-L95.
# (default: false, type: bool)
tlsAllowInsecureCiphers: false
# Controls if the 'Strict-Transport-Security' header is set on all static file
# responses. This header should only be set if the server is accessed via HTTPS.
# This value is the MaxAge in seconds of the header.

9
coderd/apidoc/docs.go generated
View File

@ -9865,6 +9865,9 @@ const docTemplate = `{
"address": {
"$ref": "#/definitions/clibase.HostPort"
},
"allow_insecure_ciphers": {
"type": "boolean"
},
"cert_file": {
"type": "array",
"items": {
@ -9897,6 +9900,12 @@ const docTemplate = `{
},
"redirect_http": {
"type": "boolean"
},
"supported_ciphers": {
"type": "array",
"items": {
"type": "string"
}
}
}
},

9
coderd/apidoc/swagger.json generated
View File

@ -8901,6 +8901,9 @@
"address": {
"$ref": "#/definitions/clibase.HostPort"
},
"allow_insecure_ciphers": {
"type": "boolean"
},
"cert_file": {
"type": "array",
"items": {
@ -8933,6 +8936,12 @@
},
"redirect_http": {
"type": "boolean"
},
"supported_ciphers": {
"type": "array",
"items": {
"type": "string"
}
}
}
},

44
codersdk/deployment.go
View File

@ -305,16 +305,18 @@ type TelemetryConfig struct {
}
type TLSConfig struct {
Enable clibase.Bool `json:"enable" typescript:",notnull"`
Address clibase.HostPort `json:"address" typescript:",notnull"`
RedirectHTTP clibase.Bool `json:"redirect_http" typescript:",notnull"`
CertFiles clibase.StringArray `json:"cert_file" typescript:",notnull"`
ClientAuth clibase.String `json:"client_auth" typescript:",notnull"`
ClientCAFile clibase.String `json:"client_ca_file" typescript:",notnull"`
KeyFiles clibase.StringArray `json:"key_file" typescript:",notnull"`
MinVersion clibase.String `json:"min_version" typescript:",notnull"`
ClientCertFile clibase.String `json:"client_cert_file" typescript:",notnull"`
ClientKeyFile clibase.String `json:"client_key_file" typescript:",notnull"`
Enable clibase.Bool `json:"enable" typescript:",notnull"`
Address clibase.HostPort `json:"address" typescript:",notnull"`
RedirectHTTP clibase.Bool `json:"redirect_http" typescript:",notnull"`
CertFiles clibase.StringArray `json:"cert_file" typescript:",notnull"`
ClientAuth clibase.String `json:"client_auth" typescript:",notnull"`
ClientCAFile clibase.String `json:"client_ca_file" typescript:",notnull"`
KeyFiles clibase.StringArray `json:"key_file" typescript:",notnull"`
MinVersion clibase.String `json:"min_version" typescript:",notnull"`
ClientCertFile clibase.String `json:"client_cert_file" typescript:",notnull"`
ClientKeyFile clibase.String `json:"client_key_file" typescript:",notnull"`
SupportedCiphers clibase.StringArray `json:"supported_ciphers" typescript:",notnull"`
AllowInsecureCiphers clibase.Bool `json:"allow_insecure_ciphers" typescript:",notnull"`
}
type TraceConfig struct {
@ -740,6 +742,28 @@ when required by your organization's security policy.`,
YAML: "clientKeyFile",
Annotations: clibase.Annotations{}.Mark(annotationExternalProxies, "true"),
},
{
Name: "TLS Ciphers",
Description: "Specify specific TLS ciphers that allowed to be used. See https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L53-L75.",
Flag: "tls-ciphers",
Env: "CODER_TLS_CIPHERS",
Default: "",
Value: &c.TLS.SupportedCiphers,
Group: &deploymentGroupNetworkingTLS,
YAML: "tlsCiphers",
Annotations: clibase.Annotations{}.Mark(annotationExternalProxies, "true"),
},
{
Name: "TLS Allow Insecure Ciphers",
Description: "By default, only ciphers marked as 'secure' are allowed to be used. See https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L82-L95.",
Flag: "tls-allow-insecure-ciphers",
Env: "CODER_TLS_ALLOW_INSECURE_CIPHERS",
Default: "false",
Value: &c.TLS.AllowInsecureCiphers,
Group: &deploymentGroupNetworkingTLS,
YAML: "tlsAllowInsecureCiphers",
Annotations: clibase.Annotations{}.Mark(annotationExternalProxies, "true"),
},
// Derp settings
{
Name: "DERP Server Enable",

4
docs/api/general.md generated
View File

@ -368,6 +368,7 @@ curl -X GET http://coder-server:8080/api/v2/deployment/config \
"host": "string",
"port": "string"
},
"allow_insecure_ciphers": true,
"cert_file": ["string"],
"client_auth": "string",
"client_ca_file": "string",
@ -376,7 +377,8 @@ curl -X GET http://coder-server:8080/api/v2/deployment/config \
"enable": true,
"key_file": ["string"],
"min_version": "string",
"redirect_http": true
"redirect_http": true,
"supported_ciphers": ["string"]
},
"trace": {
"capture_logs": true,

38
docs/api/schemas.md generated
View File

@ -2289,6 +2289,7 @@ AuthorizationObject can represent a "set" of objects, such as: all workspaces in
"host": "string",
"port": "string"
},
"allow_insecure_ciphers": true,
"cert_file": ["string"],
"client_auth": "string",
"client_ca_file": "string",
@ -2297,7 +2298,8 @@ AuthorizationObject can represent a "set" of objects, such as: all workspaces in
"enable": true,
"key_file": ["string"],
"min_version": "string",
"redirect_http": true
"redirect_http": true,
"supported_ciphers": ["string"]
},
"trace": {
"capture_logs": true,
@ -2658,6 +2660,7 @@ AuthorizationObject can represent a "set" of objects, such as: all workspaces in
"host": "string",
"port": "string"
},
"allow_insecure_ciphers": true,
"cert_file": ["string"],
"client_auth": "string",
"client_ca_file": "string",
@ -2666,7 +2669,8 @@ AuthorizationObject can represent a "set" of objects, such as: all workspaces in
"enable": true,
"key_file": ["string"],
"min_version": "string",
"redirect_http": true
"redirect_http": true,
"supported_ciphers": ["string"]
},
"trace": {
"capture_logs": true,
@ -4278,6 +4282,7 @@ AuthorizationObject can represent a "set" of objects, such as: all workspaces in
"host": "string",
"port": "string"
},
"allow_insecure_ciphers": true,
"cert_file": ["string"],
"client_auth": "string",
"client_ca_file": "string",
@ -4286,24 +4291,27 @@ AuthorizationObject can represent a "set" of objects, such as: all workspaces in
"enable": true,
"key_file": ["string"],
"min_version": "string",
"redirect_http": true
"redirect_http": true,
"supported_ciphers": ["string"]
}
```
### Properties
| Name | Type | Required | Restrictions | Description |
| ------------------ | ------------------------------------ | -------- | ------------ | ----------- |
| `address` | [clibase.HostPort](#clibasehostport) | false | | |
| `cert_file` | array of string | false | | |
| `client_auth` | string | false | | |
| `client_ca_file` | string | false | | |
| `client_cert_file` | string | false | | |
| `client_key_file` | string | false | | |
| `enable` | boolean | false | | |
| `key_file` | array of string | false | | |
| `min_version` | string | false | | |
| `redirect_http` | boolean | false | | |
| Name | Type | Required | Restrictions | Description |
| ------------------------ | ------------------------------------ | -------- | ------------ | ----------- |
| `address` | [clibase.HostPort](#clibasehostport) | false | | |
| `allow_insecure_ciphers` | boolean | false | | |
| `cert_file` | array of string | false | | |
| `client_auth` | string | false | | |
| `client_ca_file` | string | false | | |
| `client_cert_file` | string | false | | |
| `client_key_file` | string | false | | |
| `enable` | boolean | false | | |
| `key_file` | array of string | false | | |
| `min_version` | string | false | | |
| `redirect_http` | boolean | false | | |
| `supported_ciphers` | array of string | false | | |
## codersdk.TelemetryConfig

21
docs/cli/server.md generated
View File

@ -874,6 +874,17 @@ Two optional fields can be set in the Strict-Transport-Security header; 'include
HTTPS bind address of the server.
### --tls-allow-insecure-ciphers
| | |
| ----------- | --------------------------------------------------- |
| Type | <code>bool</code> |
| Environment | <code>$CODER_TLS_ALLOW_INSECURE_CIPHERS</code> |
| YAML | <code>networking.tls.tlsAllowInsecureCiphers</code> |
| Default | <code>false</code> |
By default, only ciphers marked as 'secure' are allowed to be used. See https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L82-L95.
### --tls-cert-file
| | |
@ -884,6 +895,16 @@ HTTPS bind address of the server.
Path to each certificate for TLS. It requires a PEM-encoded file. To configure the listener to use a CA certificate, concatenate the primary certificate and the CA certificate together. The primary certificate should appear first in the combined file.
### --tls-ciphers
| | |
| ----------- | -------------------------------------- |
| Type | <code>string-array</code> |
| Environment | <code>$CODER_TLS_CIPHERS</code> |
| YAML | <code>networking.tls.tlsCiphers</code> |
Specify specific TLS ciphers that allowed to be used. See https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L53-L75.
### --tls-client-auth
| | |

2
enterprise/cli/proxyserver.go
View File

@ -158,7 +158,7 @@ func (*RootCmd) proxyServer() *clibase.Cmd {
logger.Debug(ctx, "tracing closed", slog.Error(traceCloseErr))
}()
httpServers, err := cli.ConfigureHTTPServers(inv, cfg)
httpServers, err := cli.ConfigureHTTPServers(logger, inv, cfg)
if err != nil {
return xerrors.Errorf("configure http(s): %w", err)
}

9
enterprise/cli/testdata/coder_server_--help.golden vendored
View File

@ -250,12 +250,21 @@ can safely ignore these settings.
--tls-address host:port, $CODER_TLS_ADDRESS (default: 127.0.0.1:3443)
HTTPS bind address of the server.
--tls-allow-insecure-ciphers bool, $CODER_TLS_ALLOW_INSECURE_CIPHERS (default: false)
By default, only ciphers marked as 'secure' are allowed to be used.
See
https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L82-L95.
--tls-cert-file string-array, $CODER_TLS_CERT_FILE
Path to each certificate for TLS. It requires a PEM-encoded file. To
configure the listener to use a CA certificate, concatenate the
primary certificate and the CA certificate together. The primary
certificate should appear first in the combined file.
--tls-ciphers string-array, $CODER_TLS_CIPHERS
Specify specific TLS ciphers that allowed to be used. See
https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L53-L75.
--tls-client-auth string, $CODER_TLS_CLIENT_AUTH (default: none)
Policy the server will follow for TLS Client Authentication. Accepted
values are "none", "request", "require-any", "verify-if-given", or

2
site/src/api/typesGenerated.ts generated
View File

@ -882,6 +882,8 @@ export interface TLSConfig {
readonly min_version: string;
readonly client_cert_file: string;
readonly client_key_file: string;
readonly supported_ciphers: string[];
readonly allow_insecure_ciphers: boolean;
}
// From codersdk/deployment.go