'tls'

2026-04-26 19:48:34 +00:00 · 2017-08-26 14:17:18 +08:00
parent 9e036ff724
commit 0bbcaa582a
6 changed files with 188 additions and 18 deletions
--- a/broker/config.go
+++ b/broker/config.go
@@ -1,8 +1,10 @@
 package broker

 import (
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/json"
-	"errors"
+	"fmt"
 	"io/ioutil"

 	log "github.com/cihub/seelog"
@@ -16,6 +18,14 @@ type Config struct {
 	Host    string    `json:"host"`
 	Port    string    `json:"port"`
 	Cluster RouteInfo `json:"cluster"`
+	TlsHost string    `json:"tlsHost"`
+	TlsPort string    `json:"tlsPort"`
+	WsPath  string    `json:"wsPath"`
+	WsPort  string    `json:"wsPort"`
+	WsTLS   bool      `json:"wsTLS"`
+	TlsInfo TLSInfo   `json:"tlsInfo"`
+	Acl     bool      `json:"acl"`
+	AclConf string    `json:"aclConf"`
 }

 type RouteInfo struct {
@@ -24,12 +34,23 @@ type RouteInfo struct {
 	Routes []string `json:"routes"`
 }

+type TLSInfo struct {
+	Verify   bool   `json:"verify"`
+	CaFile   string `json:"caFile"`
+	CertFile string `json:"certFile"`
+	KeyFile  string `json:"keyFile"`
+}
+
 func LoadConfig() (*Config, error) {
+
 	content, err := ioutil.ReadFile(CONFIGFILE)
 	if err != nil {
 		log.Error("Read config file error: ", err)
 		return nil, err
 	}
+
+	log.Info(string(content))
+
 	var config Config
 	err = json.Unmarshal(content, &config)
 	if err != nil {
@@ -41,8 +62,6 @@ func LoadConfig() (*Config, error) {
 		if config.Host == "" {
 			config.Host = "0.0.0.0"
 		}
-	} else {
-		return nil, errors.New("Listen port nil")
 	}

 	if config.Cluster.Port != "" {
@@ -51,5 +70,54 @@ func LoadConfig() (*Config, error) {
 		}
 	}

+	if config.TlsPort != "" {
+		if config.TlsInfo.CertFile == "" || config.TlsInfo.KeyFile == "" {
+			log.Error("tls config error, no cert or key file.")
+			return nil, err
+		}
+		if config.TlsHost == "" {
+			config.TlsHost = "0.0.0.0"
+		}
+	}
+
+	return &config, nil
+}
+
+func NewTLSConfig(tlsInfo TLSInfo) (*tls.Config, error) {
+
+	cert, err := tls.LoadX509KeyPair(tlsInfo.CertFile, tlsInfo.KeyFile)
+	if err != nil {
+		return nil, fmt.Errorf("error parsing X509 certificate/key pair: %v", err)
+	}
+	cert.Leaf, err = x509.ParseCertificate(cert.Certificate[0])
+	if err != nil {
+		return nil, fmt.Errorf("error parsing certificate: %v", err)
+	}
+
+	// Create TLSConfig
+	// We will determine the cipher suites that we prefer.
+	config := tls.Config{
+		Certificates: []tls.Certificate{cert},
+		MinVersion:   tls.VersionTLS12,
+	}
+
+	// Require client certificates as needed
+	if tlsInfo.Verify {
+		config.ClientAuth = tls.RequireAndVerifyClientCert
+	}
+	// Add in CAs if applicable.
+	if tlsInfo.CaFile != "" {
+		rootPEM, err := ioutil.ReadFile(tlsInfo.CaFile)
+		if err != nil || rootPEM == nil {
+			return nil, err
+		}
+		pool := x509.NewCertPool()
+		ok := pool.AppendCertsFromPEM([]byte(rootPEM))
+		if !ok {
+			return nil, fmt.Errorf("failed to parse root ca certificate")
+		}
+		config.ClientCAs = pool
+	}
+
 	return &config, nil
 }