This is an automated email from the ASF dual-hosted git repository.
rob pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git
The following commit(s) were added to refs/heads/master by this push:
new ee05239 Update TO for minimum TLS version (#4933)
ee05239 is described below
commit ee05239537fe665b1bd481ea37a62424e20c64a1
Author: Hank Beatty <[email protected]>
AuthorDate: Wed Aug 19 23:24:58 2020 -0400
Update TO for minimum TLS version (#4933)
* Update TO for minimum TLS version
This update allows an administrator to set the minimum TLS version for Traffic
Ops.
* gofmt
Co-authored-by: Robert Butts <[email protected]>
---
CHANGELOG.md | 2 ++
docs/source/admin/traffic_ops.rst | 6 ++++++
traffic_ops/app/conf/cdn.conf | 5 ++++-
traffic_ops/traffic_ops_golang/config/config.go | 8 ++++++--
traffic_ops/traffic_ops_golang/traffic_ops_golang.go | 8 +++++++-
5 files changed, 25 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e9ab0ec..b87778b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -32,6 +32,7 @@ The format is based on [Keep a
Changelog](http://keepachangelog.com/en/1.0.0/).
- Updated /deliveryservices/{{ID}}/servers to use multiple interfaces in API v3
- Updated /deliveryservices/{{ID}}/servers/eligible to use multiple interfaces
in API v3
- Added the ability to view Hash ID field (aka xmppID) on Traffic Portals'
server summary page
+- Added the ability to set TLS config provided here:
https://golang.org/pkg/crypto/tls/#Config in Traffic Ops
- Added an indiciator to the Traffic Monitor UI when using a disk backup of
Traffic ops.
- Added debugging functionality to CDN-in-a-Box for Traffic Stats.
- Added GitHub Actions workflow for building RPMs and running the CDN-in-a-Box
readiness check
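Review bot: the new changelog line should name the setting and where it lives, so an operator reading the release notes can find it without reading the diff. The key is `tls_config` inside the `traffic_ops_golang` block of `cdn.conf`, and its members are the Go field names of `crypto/tls.Config` with numeric values (JSON cannot reference Go constants, so the minimum version is written as a protocol number, for example `"MinVersion": 771` for TLS 1.2). Suggest: `- Added the `tls_config` option to the `traffic_ops_golang` section of `cdn.conf`, decoded directly into a crypto/tls.Config (https://golang.org/pkg/crypto/tls/#Config), to let administrators set the minimum TLS version and other TLS parameters for Traffic Ops`.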
@@ -75,6 +76,7 @@ The format is based on [Keep a
Changelog](http://keepachangelog.com/en/1.0.0/).
### Deprecated
- Deprecated the non-nullable `DeliveryService` Go struct and other structs
that use it. `DeliveryServiceNullable` structs should be used instead.
+- Deprecated the `insecure` option in `traffic_ops_golang` in favor of
`"tls_config": { "InsecureSkipVerify": <bool> }`
- Importing Traffic Ops Go clients via the un-versioned
`github.com/apache/trafficcontrol/traffic_ops/client` is now deprecated in
favor of versioned import paths e.g.
`github.com/apache/trafficcontrol/traffic_ops/v3-client`.
### Removed
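Review bot: the replacement named in this deprecation entry does not preserve what the old option is documented to do. `InsecureSkipVerify` in `crypto/tls.Config` is the client-side switch that stops a TLS client from verifying the server's certificate chain and host name; on the `http.Server` TLS config this commit assigns it to (see the `traffic_ops_golang.go` hunk) it has no effect on inbound connections, while the docs describe `insecure` as skipping verification of client certificates, which is controlled by `ClientAuth`. Either state which behaviour actually carries over, or word the entry as "the `insecure` key is now read into `tls_config.InsecureSkipVerify`" without implying it changes server-side verification. Also give the full path so it is unambiguous: `"traffic_ops_golang": { "tls_config": { "InsecureSkipVerify": <bool> } }`.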
diff --git a/docs/source/admin/traffic_ops.rst
b/docs/source/admin/traffic_ops.rst
index 9ae357b..572d668 100644
--- a/docs/source/admin/traffic_ops.rst
+++ b/docs/source/admin/traffic_ops.rst
@@ -399,6 +399,10 @@ This file deals with the configuration parameters of
running Traffic Ops itself.
:db_query_timeout_seconds: An optional field specifying a timeout on
database *transactions* (not actually single queries in most cases) within API
route handlers. Effectively this is a timeout on a single handler's ability to
interact with the Traffic Ops Database. Default if not specified is the value
of `DefaultDBQueryTimeoutSecs
<https://godoc.org/github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/config#pkg-constants>`_.
:idle_timeout: An optional timeout in seconds for idle client
connections to Traffic Ops. If set to zero, the value of ``read_timeout`` will
be used instead. If both are zero, then the value of ``read_header_timeout``
will be used. If all three fields are zero, there is no timeout and connections
will be kept alive indefinitely - **not** recommended. Default if not specified
is zero.
:insecure: An optional boolean which, if set to ``true`` will cause
Traffic Ops to skip verification of client certificates whenever
necessary/possible. If set to ``false``, the normal verification behavior is
exhibited. Default if not specified is ``false``.
+
+ .. deprecated:: 5.0
+ Future versions of Traffic Ops will not support this
legacy configuration option, see tls_config: { InsecureSkipVerify: <bool> }
instead
+
:log_location_debug: This optional field, if specified, should either
be the location of a file to which debug-level output will be logged, or one of
the special strings ``"stdout"`` which indicates that STDOUT should be used,
``"stderr"`` which indicates that STDERR should be used or ``"null"`` which
indicates that no output of this level should be generated. An empty string
(``""``) and literally ``null`` are equivalent to ``"null"``. Default if not
specified is ``"null"``.
:log_location_error: This optional field, if specified, should either
be the location of a file to which error-level output will be logged, or one of
the special strings ``"stdout"`` which indicates that STDOUT should be used,
``"stderr"`` which indicates that STDERR should be used or ``"null"`` which
indicates that no output of this level should be generated. An empty string
(``""``) and literally ``null`` are equivalent to ``"null"``. Default if not
specified is ``"null"``. This field [...]
:log_location_event: This optional field, if specified, should either
be the location of a file to which event-level output will be logged, or one of
the special strings ``"stdout"`` which indicates that STDOUT should be used,
``"stderr"`` which indicates that STDERR should be used or ``"null"`` which
indicates that no output of this level should be generated. An empty string
(``""``) and literally ``null`` are equivalent to ``"null"``. Default if not
specified is ``"null"``.
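Review bot: the `.. deprecated::` note contradicts the field description it is attached to and should use the file's literal formatting. The description says `insecure` skips verification of client certificates, but the suggested replacement `InsecureSkipVerify` is the `crypto/tls` client-side setting that disables verification of a server's certificate; server-side client-certificate checking is `ClientAuth`, and on the `http.Server` this value is attached to it changes nothing for inbound requests. Please either correct the description of what `insecure` affects or point the note at the field that does. Style: write the option as ``tls_config`` and the value as ``{"InsecureSkipVerify": <bool>}`` in double backticks, as ``read_timeout`` and ``read_header_timeout`` are written in this section, and say that ``tls_config`` is a member of the same ``traffic_ops_golang`` block, which is how the `cdn.conf` hunk places it.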
@@ -443,6 +447,8 @@ This file deals with the configuration parameters of
running Traffic Ops itself.
:disabled_routes: A list of API route IDs to disable. Requests
matching these routes will receive a 503 response. To find the route ID for a
given path you would like to disable, run ``./traffic_ops_golang`` using the
:option:`--api-routes` option to view all the route information, including
route IDs and paths.
:ignore_unknown_routes: If ``false`` (default) return an error
and prevent startup if unknown route IDs are found. Otherwise, log a warning
and continue startup.
+ :tls_config: An optional stanza for TLS configuration. The values of
which conform to the :godoc:`crypto/tls.Config` structure.
+
:use_ims:
.. versionadded:: 5.0
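Review bot: the `:tls_config:` entry needs to tell the operator how values are written, because the keys are Go field names and the versions are raw integers. Document that ``MinVersion`` and ``MaxVersion`` take the TLS protocol number (769 = TLS 1.0, 770 = TLS 1.1, 771 = TLS 1.2, 772 = TLS 1.3), that ``CipherSuites`` is a list of numeric cipher-suite IDs, that function-typed fields such as ``GetCertificate`` cannot be set from JSON (a non-null value for them is a decode error), and what happens when the stanza is omitted (an empty ``tls.Config``, i.e. Go's defaults, per the `traffic_ops_golang.go` hunk). Since the shipped `cdn.conf` sets ``MinVersion`` to 769, which is TLS 1.0, the entry should also recommend 771 or higher. Grammar: "The values of which conform to" reads better as "Its keys and values are the fields of the :godoc:`crypto/tls.Config` structure."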
diff --git a/traffic_ops/app/conf/cdn.conf b/traffic_ops/app/conf/cdn.conf
index 74edf88..531e5d4 100644
--- a/traffic_ops/app/conf/cdn.conf
+++ b/traffic_ops/app/conf/cdn.conf
@@ -40,7 +40,10 @@
"disabled_routes": []
},
"profiling_enabled": false,
- "supported_ds_metrics": [ "kbps", "tps_total", "tps_2xx", "tps_3xx",
"tps_4xx", "tps_5xx" ]
+ "supported_ds_metrics": [ "kbps", "tps_total", "tps_2xx", "tps_3xx",
"tps_4xx", "tps_5xx" ],
+ "tls_config": {
+ "MinVersion": 769
+ }
},
"use_ims": false,
"cors" : {
diff --git a/traffic_ops/traffic_ops_golang/config/config.go
b/traffic_ops/traffic_ops_golang/config/config.go
index 90ef515..099bcb6 100644
--- a/traffic_ops/traffic_ops_golang/config/config.go
+++ b/traffic_ops/traffic_ops_golang/config/config.go
@@ -20,6 +20,7 @@ package config
*/
import (
+ "crypto/tls"
"encoding/json"
"errors"
"fmt"
@@ -70,6 +71,9 @@ type ConfigHypnotoad struct {
// ConfigTrafficOpsGolang carries settings specific to traffic_ops_golang
server
type ConfigTrafficOpsGolang struct {
+ // Deprecated in 5.0
+ Insecure bool `json:"insecure"`
+ // end deprecated
Port string `json:"port"`
ProxyTimeout int
`json:"proxy_timeout"`
ProxyKeepAlive int
`json:"proxy_keep_alive"`
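Review bot: use Go's machine-readable deprecation form so that `staticcheck` and `gopls` flag remaining readers of the field: a doc comment on the field that begins with `// Deprecated: ` (for example `// Deprecated: set "tls_config": {"InsecureSkipVerify": ...} instead; "insecure" will be removed in a future release.`) rather than the `// Deprecated in 5.0` / `// end deprecated` pair, which tooling does not recognise. Moving `Insecure` to the top of the struct also produces a needless diff against the removal in the next hunk; leaving it in place and changing only the comment keeps the change reviewable.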
@@ -85,7 +89,6 @@ type ConfigTrafficOpsGolang struct {
LogLocationInfo string
`json:"log_location_info"`
LogLocationDebug string
`json:"log_location_debug"`
LogLocationEvent string
`json:"log_location_event"`
- Insecure bool `json:"insecure"`
MaxDBConnections int
`json:"max_db_connections"`
DBMaxIdleConnections int
`json:"db_max_idle_connections"`
DBConnMaxLifetimeSeconds int
`json:"db_conn_max_lifetime_seconds"`
@@ -100,7 +103,8 @@ type ConfigTrafficOpsGolang struct {
WhitelistedOAuthUrls []string
`json:"whitelisted_oauth_urls"`
OAuthClientSecret string
`json:"oauth_client_secret"`
RoutingBlacklist `json:"routing_blacklist"`
- SupportedDSMetrics []string `json:"supported_ds_metrics"`
+ SupportedDSMetrics []string `json:"supported_ds_metrics"`
+ TLSConfig *tls.Config `json:"tls_config"`
// CRConfigUseRequestHost is whether to use the client request host
header in the CRConfig. If false, uses the tm.url parameter.
// This defaults to false. Traffic Ops used to always use the host
header, setting this true will resume that legacy behavior.
diff --git a/traffic_ops/traffic_ops_golang/traffic_ops_golang.go
b/traffic_ops/traffic_ops_golang/traffic_ops_golang.go
index 1c24aba..13dcd65 100644
--- a/traffic_ops/traffic_ops_golang/traffic_ops_golang.go
+++ b/traffic_ops/traffic_ops_golang/traffic_ops_golang.go
@@ -168,13 +168,19 @@ func main() {
server := &http.Server{
Addr: ":" + cfg.Port,
- TLSConfig: &tls.Config{InsecureSkipVerify:
cfg.Insecure},
+ TLSConfig: cfg.TLSConfig,
ReadTimeout: time.Duration(cfg.ReadTimeout) * time.Second,
ReadHeaderTimeout: time.Duration(cfg.ReadHeaderTimeout) *
time.Second,
WriteTimeout: time.Duration(cfg.WriteTimeout) *
time.Second,
IdleTimeout: time.Duration(cfg.IdleTimeout) * time.Second,
ErrorLog: log.Error,
}
+ if server.TLSConfig == nil {
+ server.TLSConfig = &tls.Config{}
+ }
+ // Deprecated in 5.0
+ server.TLSConfig.InsecureSkipVerify = cfg.Insecure
+ // end deprecated block
go func() {
if cfg.KeyPath == "" {
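Review bot: `server.TLSConfig.InsecureSkipVerify = cfg.Insecure` unconditionally overwrites whatever the operator put in `tls_config`, so the replacement recommended in the changelog, `"tls_config": {"InsecureSkipVerify": true}`, is silently reset to `false` whenever the deprecated `insecure` key is absent (its zero value). The deprecated key should only be able to turn the flag on, e.g. `if cfg.Insecure { server.TLSConfig.InsecureSkipVerify = true }`, and it is worth logging a warning at that point that `insecure` is deprecated. Two further points: `InsecureSkipVerify` is a client-side field in `crypto/tls`, so on this `http.Server` config it does not change how inbound connections are verified at all, which makes the whole block a no-op unless the config is reused for outbound clients elsewhere; and assigning `cfg.TLSConfig` by pointer means the mutation writes back into the loaded config, so `cfg.TLSConfig.Clone()` would keep the parsed config read-only.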