set http version explicitly to remove http2 support (#121)

grantleehoffman · web-flow · commit 21ba935106b9 · 2021-09-24T13:17:44.000-07:00
* set http version explicitly to remove http2 support
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -15,6 +15,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 * Updated vault api lib to v1.1.1 to try to resolve dependabot resolution
   issues.
 * Change build test exceptions declaration (linting).
+* Explicitly set http1.1 for service.
 
 ### Security
 * Updated argo-workflows to v3.1.8 to address CVE-2021-37914
diff --git a/service/main.go b/service/main.go
@@ -4,6 +4,7 @@
 package main
 
 import (
+	"crypto/tls"
 	"fmt"
 	"net/http"
 	"os"
@@ -87,7 +88,18 @@ func main() {
 	level.Info(logger).Log("message", "starting web service", "vault addr", env.VaultAddress, "argoAddr", env.ArgoAddress)
 
 	r := setupRouter(h)
-	err = http.ListenAndServeTLS(fmt.Sprintf(":%d", env.Port), "ssl/certificate.crt", "ssl/certificate.key", r)
+	srv := &http.Server{
+		Addr:    fmt.Sprintf(":%d", env.Port),
+		Handler: r,
+		TLSConfig: &tls.Config{
+			MinVersion: tls.VersionTLS12,
+			NextProtos: []string{
+				"http/1.1",
+			},
+		},
+	}
+
+	err = srv.ListenAndServeTLS("ssl/certificate.crt", "ssl/certificate.key")
 	if err != nil {
 		level.Error(logger).Log("message", "error starting service", "error", err)
 		panic("error starting service")
