diff --git a/src/pkg/tls/config.go b/src/pkg/tls/config.go
index a013c3ce..a73ba6e1 100644
--- a/src/pkg/tls/config.go
+++ b/src/pkg/tls/config.go
@@ -12,25 +12,26 @@ import (
 // ClientConfig represents the standard client TLS config.
 type ClientConfig struct {
- TLSCA string
- TLSCert string
- TLSKey string
- TLSKeyPwd string
- InsecureSkipVerify bool
- ServerName string
- TLSMinVersion string
+ TLSCA string `toml:"tls_ca"`
+ TLSCert string `toml:"tls_cert"`
+ TLSKey string `toml:"tls_key"`
+ TLSKeyPwd string `toml:"tls_key_pwd"`
+ InsecureSkipVerify bool `toml:"insecure_skip_verify"`
+ ServerName string `toml:"tls_server_name"`
+ TLSMinVersion string `toml:"tls_min_version"`
+ TLSMaxVersion string `toml:"tls_max_version"`
 }
 // ServerConfig represents the standard server TLS config.
 type ServerConfig struct {
- TLSCert string
- TLSKey string
- TLSKeyPwd string
- TLSAllowedCACerts []string
- TLSCipherSuites []string
- TLSMinVersion string
- TLSMaxVersion string
- TLSAllowedDNSNames []string
+ TLSCert string `toml:"tls_cert"`
+ TLSKey string `toml:"tls_key"`
+ TLSKeyPwd string `toml:"tls_key_pwd"`
+ TLSAllowedCACerts []string `toml:"tls_allowed_cacerts"`
+ TLSCipherSuites []string `toml:"tls_cipher_suites"`
+ TLSMinVersion string `toml:"tls_min_version"`
+ TLSMaxVersion string `toml:"tls_max_version"`
+ TLSAllowedDNSNames []string `toml:"tls_allowed_dns_names"`
 }
 // TLSConfig returns a tls.Config, may be nil without error if TLS is not
@@ -70,6 +71,16 @@ func (c *ClientConfig) TLSConfig() (*tls.Config, error) {
 tlsConfig.MinVersion = tls.VersionTLS13
 }
+ if c.TLSMaxVersion == "1.0" {
+ tlsConfig.MaxVersion = tls.VersionTLS10
+ } else if c.TLSMaxVersion == "1.1" {
+ tlsConfig.MaxVersion = tls.VersionTLS11
+ } else if c.TLSMaxVersion == "1.2" {
+ tlsConfig.MaxVersion = tls.VersionTLS12
+ } else if c.TLSMaxVersion == "1.3" {
+ tlsConfig.MaxVersion = tls.VersionTLS13
+ }
+
 return tlsConfig, nil
 }
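Review bot: The new `TLSMaxVersion` field on ClientConfig carries no doc comment naming its accepted values, which are only discoverable by reading the parsing chain added to TLSConfig further down; suggest `// TLSMaxVersion caps the negotiated protocol version; accepted values are "1.0", "1.1", "1.2" and "1.3" (toml: tls_max_version).` The same gap applies to the existing TLSMinVersion field and to ServerConfig.TLSMaxVersion, which this commit touches to add tags but leaves undocumented.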
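Review bot: An unrecognized `TLSMaxVersion` value (a typo such as "1.4" or "tls1.2") is silently ignored by the new if/else chain, so MaxVersion stays at the library default and the operator gets no signal that their cap was not applied; a trailing `} else if c.TLSMaxVersion != "" { return nil, fmt.Errorf("unsupported tls_max_version %q", c.TLSMaxVersion) }` would surface this at startup (assuming fmt is available — the import block is outside the hunk). The four-way chain would also read more clearly as `switch c.TLSMaxVersion { case "1.0": ... }`. Nothing here checks that the resulting MaxVersion is not below MinVersion, a combination crypto/tls only rejects when a handshake is attempted. TLSConfig begins outside the hunk.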
diff --git a/src/webapi/config/config.go b/src/webapi/config/config.go
index 432ebb74..d74b3386 100644
--- a/src/webapi/config/config.go
+++ b/src/webapi/config/config.go
@@ -14,6 +14,7 @@ import (
 "github.com/didi/nightingale/v5/src/pkg/logx"
 "github.com/didi/nightingale/v5/src/pkg/oidcc"
 "github.com/didi/nightingale/v5/src/pkg/ormx"
+ "github.com/didi/nightingale/v5/src/pkg/tls"
 "github.com/didi/nightingale/v5/src/storage"
 )
@@ -112,6 +113,9 @@ type ClusterOptions struct {
 DialTimeout int64
 KeepAlive int64
+ UseTLS bool
+ tls.ClientConfig
+
 MaxIdleConnsPerHost int
 }
diff --git a/src/webapi/prom/prom.go b/src/webapi/prom/prom.go
index 10a04fc0..2ad98e76 100644
--- a/src/webapi/prom/prom.go
+++ b/src/webapi/prom/prom.go
@@ -65,6 +65,9 @@ func initClustersFromConfig() error {
 for i := 0; i < len(opts); i++ {
 cluster := newClusterByOption(opts[i])
+ if cluster == nil {
+ continue
+ }
 Clusters.Put(opts[i].Name, cluster)
 }
@@ -165,7 +168,17 @@ func loadClustersFromAPI() {
 MaxIdleConnsPerHost: 32,
 }
- Clusters.Put(item.Name, newClusterByOption(opt))
+ if strings.HasPrefix(opt.Prom, "https") {
+ opt.UseTLS = true
+ opt.InsecureSkipVerify = true
+ }
+
+ cluster := newClusterByOption(opt)
+ if cluster == nil {
+ continue
+ }
+
+ Clusters.Put(item.Name, cluster)
 continue
 }
 }
@@ -173,7 +186,6 @@ func loadClustersFromAPI() {
 func newClusterByOption(opt config.ClusterOptions) *ClusterType {
 transport := &http.Transport{
- // TLSClientConfig: tlsConfig,
 Proxy: http.ProxyFromEnvironment,
 DialContext: (&net.Dialer{
 Timeout: time.Duration(opt.DialTimeout) * time.Millisecond,
@@ -182,6 +194,15 @@ func newClusterByOption(opt config.ClusterOptions) *ClusterType {
 MaxIdleConnsPerHost: opt.MaxIdleConnsPerHost,
 }
+ if opt.UseTLS {
+ tlsConfig, err := opt.TLSConfig()
+ if err != nil {
+ logger.Errorf("new cluster %s fail: %v", opt.Name, err)
+ return nil
+ }
+ transport.TLSClientConfig = tlsConfig
+ }
+
 cli, err := api.NewClient(api.Config{
 Address: opt.Prom,
 RoundTripper: transport,
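Review bot: `UseTLS` is added to ClusterOptions without a doc comment, and nothing in the struct says that the embedded `tls.ClientConfig` is only consulted when it is true (newClusterByOption in prom.go gates on `opt.UseTLS`); suggest `// UseTLS applies the embedded ClientConfig to the cluster's HTTP transport; when false the embedded fields are ignored.` Embedding also promotes the `tls_ca` … `insecure_skip_verify` keys to the cluster table, which presumably is intended, but whether the TOML decoder flattens an embedded struct depends on the library in use and is worth confirming. The ClusterOptions definition starts outside the hunk.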
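Review bot: `opt.InsecureSkipVerify = true` is set unconditionally for every API-loaded cluster whose address starts with "https", so the Prometheus endpoint on that path is never authenticated and the transport accepts any certificate; this should not be hardcoded. Leave the field false so the system roots verify the server by default, and let operators opt out explicitly — the config-file path already exposes this through the `insecure_skip_verify` key on the embedded ClientConfig, and if the API payload carries a similar flag it should be copied from `item` instead. The prefix test also matches any address beginning with "https" rather than the scheme; `strings.HasPrefix(opt.Prom, "https://")`, or `url.Parse` and a check on `u.Scheme`, is tighter. loadClustersFromAPI begins and ends outside the hunk.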
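Review bot: The assignment `transport.TLSClientConfig = tlsConfig` silently accepts a nil config, which ClientConfig.TLSConfig documents it may return without error when nothing is configured (see its doc comment in the first file); with UseTLS set but no CA, cert or skip-verify fields populated the transport therefore keeps Go's default verification, which is fine but not obvious at this site. Suggest `// TLSConfig returns nil when no TLS fields are set; a nil TLSClientConfig keeps the transport's default verification.` above the assignment. newClusterByOption begins and ends outside the hunk.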
@@ -189,6 +210,7 @@ func newClusterByOption(opt config.ClusterOptions) *ClusterType {
 if err != nil {
 logger.Errorf("new client fail: %v", err)
+ return nil
 }
 cluster := &ClusterType{