Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WebConfigFile #489

Open
V1pr opened this issue Jan 19, 2022 · 3 comments
Open

WebConfigFile #489

V1pr opened this issue Jan 19, 2022 · 3 comments
Labels
enhancement

Comments

@V1pr
Copy link

V1pr commented Jan 19, 2022

Hi,

I've seen a (experimental) WebConfigFile flag in the main.go. Please be so kind and provice some example, how is it possible to configure TLS (and/or auth). (main goal is to enable TLS on promxy 'frontend').

Thanks,

     Tom
@V1pr
Copy link
Author

V1pr commented Jan 19, 2022
edited
Loading

Meanwhile I managed to start promxy with TLS, but it was not easy. If I use the sample file from prometheus:

tls_server_config:
   # Certificate and key files for server to use to authenticate to client.
  cert_file: /etc/ssl/certs/my-cert.pem
  key_file: /etc/ssl/private/my-key.pem

  # Server policy for client authentication. Maps to ClientAuth Policies.
  # For more detail on clientAuth options:
  # https://golang.org/pkg/crypto/tls/#ClientAuthType
  #
  # NOTE: If you want to enable client authentication, you need to use
  # RequireAndVerifyClientCert. Other values are insecure.
#  [ client_auth_type: <string> | default = "NoClientCert" ]

  # CA certificate for client certificate authentication to the server.
# [ client_ca_file: <filename> ]

  # Minimum TLS version that is acceptable.
#  [ min_version: <string> | default = "TLS12" ]

  # Maximum TLS version that is acceptable.
#  [ max_version: <string> | default = "TLS13" ]

  # List of supported cipher suites for TLS versions up to TLS 1.2. If empty,
  # Go default cipher suites are used. Available cipher suites are documented
  # in the go documentation:
  # https://golang.org/pkg/crypto/tls/#pkg-constants
#  [ cipher_suites:
#    [ - <string> ] ]

  # prefer_server_cipher_suites controls whether the server selects the
  # client's most preferred ciphersuite, or the server's most preferred
  # ciphersuite. If true then the server's preference, as expressed in
  # the order of elements in cipher_suites, is used.
#  [ prefer_server_cipher_suites: <bool> | default = true ]

  # Elliptic curves that will be used in an ECDHE handshake, in preference
  # order. Available curves are documented in the go documentation:
  # https://golang.org/pkg/crypto/tls/#CurveID
#  [ curve_preferences:
#    [ - <string> ] ]

#http_server_config:
  # Enable HTTP/2 support. Note that HTTP/2 is only supported with TLS.
  # This can not be changed on the fly.
#  [ http2: <boolean> | default = true ]
  # List of headers that can be added to HTTP responses.
#  [ headers:
    # Set the Content-Security-Policy header to HTTP responses.
    # Unset if blank.
#    [ Content-Security-Policy: <string> ]
    # Set the X-Frame-Options header to HTTP responses.
    # Unset if blank. Accepted values are deny and sameorigin.
    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
#    [ X-Frame-Options: <string> ]
    # Set the X-Content-Type-Options header to HTTP responses.
    # Unset if blank. Accepted value is nosniff.
    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
#    [ X-Content-Type-Options: <string> ]
    # Set the X-XSS-Protection header to all responses.
    # Unset if blank. Accepted value is nosniff.
    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
#    [ X-XSS-Protection: <string> ]
    # Set the Strict-Transport-Security header to HTTP responses.
    # Unset if blank.
    # Please make sure that you use this with care as this header might force
    # browsers to load Prometheus and the other applications hosted on the same
    # domain and subdomains over HTTPS.
    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
#    [ Strict-Transport-Security: <string> ] ]

# Usernames and hashed passwords that have full access to the web
# server via basic authentication. If empty, no basic authentication is
# required. Passwords are hashed with bcrypt.
# basic_auth_users:
#  [ <string>: <secret> ... ]

I'm getting this error:

line 1: field tls_server_config not found in type web.TLSStruct

However, if I only have this in web.config.yaml:

# Certificate and key files for server to use to authenticate to client.
cert_file: /etc/ssl/certs/my-cert.pem
key_file: /etc/ssl/private/my-key.pem

promxy starts with these flags:

/usr/local/bin/promxy/promxy --config=/etc/promxy/config.yaml --web.config.file=/etc/promxy/web.config.yaml

I don't know, if this is ok or not, but this worked for me.

@jacksontj
Copy link
Owner

This seems like what it is currently wired up to do (https://github.com/jacksontj/promxy/blob/master/pkg/server/api.go#L84) specifically that TLSStruct section; since this doesn't match the upstream config format we should either wrap (so it does) or change the option name (to be less confusing).

@As9530272755
Copy link

与此同时,我设法使用 TLS 启动 promxy,但这并不容易。如果我使用普罗米修斯的示例文件:

tls_server_config:
   # Certificate and key files for server to use to authenticate to client.
  cert_file: /etc/ssl/certs/my-cert.pem
  key_file: /etc/ssl/private/my-key.pem

  # Server policy for client authentication. Maps to ClientAuth Policies.
  # For more detail on clientAuth options:
  # https://golang.org/pkg/crypto/tls/#ClientAuthType
  #
  # NOTE: If you want to enable client authentication, you need to use
  # RequireAndVerifyClientCert. Other values are insecure.
#  [ client_auth_type: <string> | default = "NoClientCert" ]

  # CA certificate for client certificate authentication to the server.
# [ client_ca_file: <filename> ]

  # Minimum TLS version that is acceptable.
#  [ min_version: <string> | default = "TLS12" ]

  # Maximum TLS version that is acceptable.
#  [ max_version: <string> | default = "TLS13" ]

  # List of supported cipher suites for TLS versions up to TLS 1.2. If empty,
  # Go default cipher suites are used. Available cipher suites are documented
  # in the go documentation:
  # https://golang.org/pkg/crypto/tls/#pkg-constants
#  [ cipher_suites:
#    [ - <string> ] ]

  # prefer_server_cipher_suites controls whether the server selects the
  # client's most preferred ciphersuite, or the server's most preferred
  # ciphersuite. If true then the server's preference, as expressed in
  # the order of elements in cipher_suites, is used.
#  [ prefer_server_cipher_suites: <bool> | default = true ]

  # Elliptic curves that will be used in an ECDHE handshake, in preference
  # order. Available curves are documented in the go documentation:
  # https://golang.org/pkg/crypto/tls/#CurveID
#  [ curve_preferences:
#    [ - <string> ] ]

#http_server_config:
  # Enable HTTP/2 support. Note that HTTP/2 is only supported with TLS.
  # This can not be changed on the fly.
#  [ http2: <boolean> | default = true ]
  # List of headers that can be added to HTTP responses.
#  [ headers:
    # Set the Content-Security-Policy header to HTTP responses.
    # Unset if blank.
#    [ Content-Security-Policy: <string> ]
    # Set the X-Frame-Options header to HTTP responses.
    # Unset if blank. Accepted values are deny and sameorigin.
    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
#    [ X-Frame-Options: <string> ]
    # Set the X-Content-Type-Options header to HTTP responses.
    # Unset if blank. Accepted value is nosniff.
    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
#    [ X-Content-Type-Options: <string> ]
    # Set the X-XSS-Protection header to all responses.
    # Unset if blank. Accepted value is nosniff.
    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
#    [ X-XSS-Protection: <string> ]
    # Set the Strict-Transport-Security header to HTTP responses.
    # Unset if blank.
    # Please make sure that you use this with care as this header might force
    # browsers to load Prometheus and the other applications hosted on the same
    # domain and subdomains over HTTPS.
    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
#    [ Strict-Transport-Security: <string> ] ]

# Usernames and hashed passwords that have full access to the web
# server via basic authentication. If empty, no basic authentication is
# required. Passwords are hashed with bcrypt.
# basic_auth_users:
#  [ <string>: <secret> ... ]

我收到此错误:

line 1: field tls_server_config not found in type web.TLSStruct

但是,如果我只在 web.config.yaml 中包含此内容:

# Certificate and key files for server to use to authenticate to client.
cert_file: /etc/ssl/certs/my-cert.pem
key_file: /etc/ssl/private/my-key.pem

promxy 以这些标志开头:

/usr/local/bin/promxy/promxy --config=/etc/promxy/config.yaml --web.config.file=/etc/promxy/web.config.yaml

我不知道这是否可以,但这对我有用。

Hello, have you resolved this issue?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jacksontj @V1pr @As9530272755