From 3ed82e6ceb7e57903e82a0b8f41edebcf2ddc696 Mon Sep 17 00:00:00 2001
From: vixentael
Date: Wed, 13 Mar 2019 18:09:45 +0200
Subject: [PATCH] More user-friendly config descriptions for AcraConnector, AcraServer (#329)
* better config descriptions
* Update cmd/acra-server/acra-server.go
Co-Authored-By: Lagovas
* Update cmd/acra-server/acra-server.go
Co-Authored-By: Lagovas
* Update cmd/acra-connector/acra-connector.go
* regen configs
---
 cmd/acra-connector/acra-connector.go | 4 ++--
 cmd/acra-server/acra-server.go | 10 +++++-----
 configs/acra-connector.yaml | 4 ++--
 configs/acra-server.yaml | 10 +++++-----
 4 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/cmd/acra-connector/acra-connector.go b/cmd/acra-connector/acra-connector.go
index 79006b75e..529bbacf7 100644
--- a/cmd/acra-connector/acra-connector.go
+++ b/cmd/acra-connector/acra-connector.go
@@ -229,12 +229,12 @@ func main() {
 	tlsCert := flag.String("tls_cert", "", "Path to certificate")
 	tlsAcraserverSNI := flag.String("tls_acraserver_sni", "", "Expected Server Name (SNI) from AcraServer")
 	tlsAuthType := flag.Int("tls_auth", int(tls.RequireAndVerifyClientCert), "Set authentication mode that will be used in TLS connection with AcraServer/AcraTranslator. Values in range 0-4 that set auth type (https://golang.org/pkg/crypto/tls/#ClientAuthType). Default is tls.RequireAndVerifyClientCert")
-	noEncryptionTransport := flag.Bool("acraserver_transport_encryption_disable", false, "Use raw transport (tcp/unix socket) between acraserver and acraproxy/client (don't use this flag if you not connect to database with ssl/tls")
+	noEncryptionTransport := flag.Bool("acraserver_transport_encryption_disable", false, "Enable this flag to omit AcraConnector and connect client app to AcraServer directly using raw transport (tcp/unix socket). From security perspective please use at least TLS encryption (over tcp socket) between AcraServer and client app.")
 	connectionString := flag.String("incoming_connection_string", network.BuildConnectionString(cmd.DefaultAcraConnectorConnectionProtocol, cmd.DefaultAcraConnectorHost, cmd.DefaultAcraConnectorPort, ""), "Connection string like tcp://x.x.x.x:yyyy or unix:///path/to/socket")
 	connectionAPIString := flag.String("incoming_connection_api_string", network.BuildConnectionString(cmd.DefaultAcraConnectorConnectionProtocol, cmd.DefaultAcraConnectorHost, cmd.DefaultAcraConnectorAPIPort, ""), "Connection string like tcp://x.x.x.x:yyyy or unix:///path/to/socket")
 	acraServerConnectionString := flag.String("acraserver_connection_string", "", "Connection string to AcraServer like tcp://x.x.x.x:yyyy or unix:///path/to/socket")
 	acraServerAPIConnectionString := flag.String("acraserver_api_connection_string", "", "Connection string to Acra's API like tcp://x.x.x.x:yyyy or unix:///path/to/socket")
-	prometheusAddress := flag.String("incoming_connection_prometheus_metrics_string", "", "URL which will be used to expose Prometheus metrics (use /metrics address to pull metrics)")
+	prometheusAddress := flag.String("incoming_connection_prometheus_metrics_string", "", "URL (tcp://host:port) which will be used to expose Prometheus metrics (use /metrics address to pull metrics)")
 	connectorModeString := flag.String("mode", "AcraServer", "Expected mode of connection. Possible values are: AcraServer or AcraTranslator. Corresponded connection host/port/string/session_id will be used.")
 	acraTranslatorHost := flag.String("acratranslator_connection_host", cmd.DefaultAcraTranslatorGRPCHost, "IP or domain to AcraTranslator daemon")
diff --git a/cmd/acra-server/acra-server.go b/cmd/acra-server/acra-server.go
index b91fa43cf..ef0bffb96 100644
--- a/cmd/acra-server/acra-server.go
+++ b/cmd/acra-server/acra-server.go
@@ -85,7 +85,7 @@ func main() {
 	apiPort := flag.Int("incoming_connection_api_port", cmd.DefaultAcraServerAPIPort, "Port for AcraServer for HTTP API")
 	keysDir := flag.String("keys_dir", keystore.DefaultKeyDirShort, "Folder from which will be loaded keys")
-	keysCacheSize := flag.Int("keystore_cache_size", keystore.InfiniteCacheSize, "Count of keys that will be stored in in-memory LRU cache in encrypted form. 0 - no limits, -1 - turn off cache")
+	keysCacheSize := flag.Int("keystore_cache_size", keystore.InfiniteCacheSize, "Maximum number of keys stored in in-memory LRU cache in encrypted form. 0 - no limits, -1 - turn off cache")
 	_ = flag.Bool("pgsql_hex_bytea", false, "Hex format for Postgresql bytea data (default)")
 	pgEscapeFormat := flag.Bool("pgsql_escape_bytea", false, "Escape format for Postgresql bytea data")
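Review bot: The new help text for `acraserver_transport_encryption_disable` tells the operator to "omit AcraConnector", yet this flag is parsed by AcraConnector's own main (cmd/acra-connector), so whoever reads it is configuring the very process the text says to leave out; the replaced text, grammar aside, described the actual effect, which is an unencrypted raw transport between the connector and AcraServer. The same wording is regenerated into configs/acra-connector.yaml, so it should be fixed here at the source. Suggest a description that names what this binary does when the flag is set, e.g. `"Use raw transport (tcp/unix socket) between AcraConnector and AcraServer without transport encryption. Use only when the link is protected by other means, e.g. a unix socket on the same host or TLS enabled via acraserver_tls_transport_enable"`; if raw transport and the TLS flag are mutually exclusive, say that instead of pointing at it. main starts before and continues after this hunk.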
@@ -106,12 +106,12 @@ func main() {
 	enableHTTPAPI := flag.Bool("http_api_enable", false, "Enable HTTP API")
 	useTLS := flag.Bool("acraconnector_tls_transport_enable", false, "Use tls to encrypt transport between AcraServer and AcraConnector/client")
-	tlsKey := flag.String("tls_key", "", "Path to private key that will be used in TLS handshake with AcraConnector as server's key and Postgresql as client's key")
+	tlsKey := flag.String("tls_key", "", "Path to private key that will be used in AcraServer's TLS handshake with AcraConnector as server's key and database as client's key")
 	tlsCert := flag.String("tls_cert", "", "Path to tls certificate")
 	tlsCA := flag.String("tls_ca", "", "Path to root certificate which will be used with system root certificates to validate Postgresql's and AcraConnector's certificate")
-	tlsDbSNI := flag.String("tls_db_sni", "", "Expected Server Name (SNI) from Postgresql")
-	tlsAuthType := flag.Int("tls_auth", int(tls.RequireAndVerifyClientCert), "Set authentication mode that will be used in TLS connection with Postgresql. Values in range 0-4 that set auth type (https://golang.org/pkg/crypto/tls/#ClientAuthType). Default is tls.RequireAndVerifyClientCert")
-	noEncryptionTransport := flag.Bool("acraconnector_transport_encryption_disable", false, "Use raw transport (tcp/unix socket) between AcraServer and AcraConnector/client (don't use this flag if you not connect to database with ssl/tls")
+	tlsDbSNI := flag.String("tls_db_sni", "", "Expected Server Name (SNI) from database")
+	tlsAuthType := flag.Int("tls_auth", int(tls.RequireAndVerifyClientCert), "Set authentication mode that will be used in TLS connection with AcraConnector. Values in range 0-4 that set auth type (https://golang.org/pkg/crypto/tls/#ClientAuthType). Default is tls.RequireAndVerifyClientCert")
+	noEncryptionTransport := flag.Bool("acraconnector_transport_encryption_disable", false, "Use raw transport (tcp/unix socket) between AcraServer and AcraConnector/client (don't use this flag if you not connect to database with SSL/TLS")
 	clientID := flag.String("client_id", "", "Expected client ID of AcraConnector in mode without encryption")
 	acraConnectionString := flag.String("incoming_connection_string", network.BuildConnectionString(cmd.DefaultAcraServerConnectionProtocol, cmd.DefaultAcraServerHost, cmd.DefaultAcraServerPort, ""), "Connection string like tcp://x.x.x.x:yyyy or unix:///path/to/socket")
 	acraAPIConnectionString := flag.String("incoming_connection_api_string", network.BuildConnectionString(cmd.DefaultAcraServerConnectionProtocol, cmd.DefaultAcraServerHost, cmd.DefaultAcraServerAPIPort, ""), "Connection string for api like tcp://x.x.x.x:yyyy or unix:///path/to/socket")
diff --git a/configs/acra-connector.yaml b/configs/acra-connector.yaml
index ade9ed955..a3bffcfd0 100644
--- a/configs/acra-connector.yaml
+++ b/configs/acra-connector.yaml
@@ -20,7 +20,7 @@ acraserver_securesession_id: acra_server
 # Use tls to encrypt transport between AcraServer and AcraConnector/client
 acraserver_tls_transport_enable: false
-# Use raw transport (tcp/unix socket) between acraserver and acraproxy/client (don't use this flag if you not connect to database with ssl/tls
+# Enable this flag to omit AcraConnector and connect client app to AcraServer directly using raw transport (tcp/unix socket). From security perspective please use at least TLS encryption (over tcp socket) between AcraServer and client app.
 acraserver_transport_encryption_disable: false
 # IP or domain to AcraTranslator daemon
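Review bot: The rewritten `acraconnector_transport_encryption_disable` help string still has the unbalanced opening parenthesis and the broken grammar of the line it replaces — only the case of "SSL/TLS" changed — and that text is regenerated verbatim into configs/acra-server.yaml, so the defect now lives in two places. Suggest `"Use raw transport (tcp/unix socket) between AcraServer and AcraConnector/client. Don't use this flag unless the connection to the database is protected with SSL/TLS"`, which keeps the original meaning. The unchanged `tls_ca` line in this hunk still says "Postgresql's" while `tls_db_sni` and `tls_key` were switched to "database", so the three TLS descriptions now disagree on what the peer is called; `"...to validate the database's and AcraConnector's certificates"` makes them consistent. main starts before and continues after this hunk.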
@@ -62,7 +62,7 @@ incoming_connection_api_string: tcp://127.0.0.1:9191/
 # Port to AcraConnector
 incoming_connection_port: 9494
-# URL which will be used to expose Prometheus metrics (use /metrics address to pull metrics)
+# URL (tcp://host:port) which will be used to expose Prometheus metrics (use /metrics address to pull metrics)
 incoming_connection_prometheus_metrics_string:
 # Connection string like tcp://x.x.x.x:yyyy or unix:///path/to/socket
diff --git a/configs/acra-server.yaml b/configs/acra-server.yaml
index 6d42e9a0d..1d5d0bf80 100644
--- a/configs/acra-server.yaml
+++ b/configs/acra-server.yaml
@@ -5,7 +5,7 @@ acracensor_config_file:
 # Use tls to encrypt transport between AcraServer and AcraConnector/client
 acraconnector_tls_transport_enable: false
-# Use raw transport (tcp/unix socket) between AcraServer and AcraConnector/client (don't use this flag if you not connect to database with ssl/tls
+# Use raw transport (tcp/unix socket) between AcraServer and AcraConnector/client (don't use this flag if you not connect to database with SSL/TLS
 acraconnector_transport_encryption_disable: false
 # Acrastruct may be injected into any place of data cell
@@ -83,7 +83,7 @@ jaeger_collector_endpoint:
 # Folder from which will be loaded keys
 keys_dir: .acrakeys
-# Count of keys that will be stored in in-memory LRU cache in encrypted form. 0 - no limits, -1 - turn off cache
+# Maximum number of keys stored in in-memory LRU cache in encrypted form. 0 - no limits, -1 - turn off cache
 keystore_cache_size: 0
 # Logging format: plaintext, json or CEF
@@ -113,7 +113,7 @@ postgresql_enable: false
 # Id that will be sent in secure session
 securesession_id: acra_server
-# Set authentication mode that will be used in TLS connection with Postgresql. Values in range 0-4 that set auth type (https://golang.org/pkg/crypto/tls/#ClientAuthType). Default is tls.RequireAndVerifyClientCert
+# Set authentication mode that will be used in TLS connection with AcraConnector. Values in range 0-4 that set auth type (https://golang.org/pkg/crypto/tls/#ClientAuthType). Default is tls.RequireAndVerifyClientCert
 tls_auth: 4
 # Path to root certificate which will be used with system root certificates to validate Postgresql's and AcraConnector's certificate
@@ -122,10 +122,10 @@ tls_ca:
 # Path to tls certificate
 tls_cert:
-# Expected Server Name (SNI) from Postgresql
+# Expected Server Name (SNI) from database
 tls_db_sni:
-# Path to private key that will be used in TLS handshake with AcraConnector as server's key and Postgresql as client's key
+# Path to private key that will be used in AcraServer's TLS handshake with AcraConnector as server's key and database as client's key
 tls_key:
 # Export trace data to jaeger