Allow for server to support TLS if desired (#17)

rokett · web-flow · commit b7ce3e4e5953 · 2022-10-20T15:06:25.000-05:00
* Allow for server to support TLS if desired

* Updated readme to cover TLS changes
diff --git a/README.md b/README.md
@@ -22,12 +22,16 @@ Next run the example main:
 go run cmd/guac/guac.go
 ```
 
-Now you can connect with [the example Vue app](https://github.com/wwt/guac-vue).  By default guac will try to connect to a guacd instance at `127.0.0.1:4822`.  If you need to configure something different, you can do so by configuring environment variables; see the configurable parameters below.
+Now you can connect with [the example Vue app](https://github.com/wwt/guac-vue).  By default, guac will try to connect to a guacd instance at `127.0.0.1:4822`.  If you need to configure something different, you can do so by configuring environment variables; see the configurable parameters below.
+
+Guac listens on `http://0.0.0.0:4567`.  If you have a need for the connection to Guac to be secure, you will need to pass a certificate and keyfile to it using the `CERT_PATH` and `CERT_KEY_PATH` environment variables; it will then listen on `https://0.0.0.0:4567`.  The secure connection uses TLS 1.3.
 
 ## Configurable parameters
-| Environment Variable | Description                                     | Default Value  | Required? |
-| -------------------- | ----------------------------------------------- | -------------- | ----------|
-| `GUACD_ADDRESS`      | The address and port that guacd is listening on | 127.0.0.1:4822 | No        |
+| Environment Variable | Description                                                                                              | Default Value  | Required? |
+| -------------------- | -------------------------------------------------------------------------------------------------------- | -------------- | ----------|
+| `CERT_PATH`          | Full path, including filename, to a certificate file in order for guac to listen on HTTPS (TLS 1.3)      |                | No        |
+| `CERT_KEY_PATH`      | Full path, including filename, to the certificate keyfile in order for guac to listen on HTTPS (TLS 1.3) |                | No        |
+| `GUACD_ADDRESS`      | The address and port that guacd is listening on                                                          | 127.0.0.1:4822 | No        |
 
 ## Acknowledgements
 
diff --git a/cmd/guac/guac.go b/cmd/guac/guac.go
@@ -1,8 +1,8 @@
 package main
 
 import (
+	"crypto/tls"
 	"encoding/json"
-	"fmt"
 	"io"
 	"net"
 	"net/http"
@@ -15,12 +15,30 @@ import (
 )
 
 var (
-	guacdAddr = "127.0.0.1:4822"
+	certPath    string
+	certKeyPath string
+	guacdAddr   = "127.0.0.1:4822"
 )
 
 func main() {
 	logrus.SetLevel(logrus.DebugLevel)
 
+	if os.Getenv("CERT_PATH") != "" {
+		certPath = os.Getenv("CERT_PATH")
+	}
+
+	if os.Getenv("CERT_KEY_PATH") != "" {
+		certKeyPath = os.Getenv("CERT_KEY_PATH")
+	}
+
+	if certPath != "" && certKeyPath == "" {
+		logrus.Fatal("You must set the CERT_KEY_PATH environment variable to specify the full path to the certificate keyfile")
+	}
+
+	if certPath == "" && certKeyPath != "" {
+		logrus.Fatal("You must set the CERT_PATH environment variable to specify the full path to the certificate file")
+	}
+
 	if os.Getenv("GUACD_ADDRESS") != "" {
 		guacdAddr = os.Getenv("GUACD_ADDRESS")
 	}
@@ -62,18 +80,45 @@ func main() {
 		}
 	})
 
-	logrus.Println("Serving on http://0.0.0.0:4567")
+	tlsCfg := tls.Config{}
+	if certPath != "" {
+		cert, err := tls.LoadX509KeyPair(certPath, certKeyPath)
+		if err != nil {
+			logrus.Fatalf("Unable to load certificate keypair: %s\n", err)
+		}
+
+		tlsCfg.MinVersion = tls.VersionTLS13
+		tlsCfg.Certificates = []tls.Certificate{cert}
+		tlsCfg.CurvePreferences = []tls.CurveID{
+			tls.X25519,
+			tls.CurveP256,
+			tls.CurveP384,
+		}
+	}
 
 	s := &http.Server{
 		Addr:           "0.0.0.0:4567",
 		Handler:        mux,
 		ReadTimeout:    guac.SocketTimeout,
 		WriteTimeout:   guac.SocketTimeout,
 		MaxHeaderBytes: 1 << 20,
+		TLSConfig:      &tlsCfg,
 	}
-	err := s.ListenAndServe()
-	if err != nil {
-		fmt.Println(err)
+
+	if certPath != "" {
+		logrus.Println("Serving on https://0.0.0.0:4567")
+
+		err := s.ListenAndServeTLS("", "")
+		if err != nil {
+			logrus.Fatal(err)
+		}
+	} else {
+		logrus.Println("Serving on http://0.0.0.0:4567")
+
+		err := s.ListenAndServe()
+		if err != nil {
+			logrus.Fatal(err)
+		}
 	}
 }
 
