-
-
Notifications
You must be signed in to change notification settings - Fork 645
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unix socket implementation #621
Conversation
Just because I was curious if SSL over unix sockets actually did anything here are the results TLDR: Yes
Does it actually encrypt the data passed through we can MITM with socat sudo mv /var/run/test.sock /var/run/test.o.sock
sudo socat -t100 -x -v UNIX-LISTEN:/var/run/test.sock,mode=777,reuseaddr,fork UNIX-CONNECT:/var/run/test.o.sock
However, there is nio advantage to this as if they can already MITM the unix file, you already got bigger issues than this 😆 |
Implemented graceful shutdown for all server types. Put cleanup within a defer function which will return once we get a signal through chan |
I want to make one more change, and that is moving the listener creation within the run functions I do that tomorrow as its 11pm here |
So might of gone out of scope abit, however, the redirect to https could of been a middleware within gin itself so I have now done this LMK if you think this is out of scope. The redirect function are now obsolete and now used I can reuse them within the We now only run one http server on two listeners, the functions chains are ensured that the One change in functionality is since gin is handling the upgrade http -> https the 302's are now logged within gin itself ** However, further testing this means on |
Are the http .well-known requests now redirected to https? They must go directly to the letsencrypt handler, otherwise no TLS can be obtained and https likely doesn't work. I'd say this is all in scope, |
I tested it just with it let's encrypt enabled flag and it worked on non https connection with redirect flag. Because the handler is wrapped the acme stuff happens first then the https upgrade is run afterwards if the url didn't pass the acme handler filter. |
Implemented error handling now, so if user did supply http and tls unix sockets the other would be cleaned up if the other failed to bind. It best to avoid log.Fatal as we dont actually handle the error and nothing get cleaned up. Useful learning experience about the different waitgroups there are.
|
With this you can configure a unix socket in server.listenaddr and server.ssl.listenaddr by prefixing the socket path with unix: Co-authored-by: Jannis Mattheis <[email protected]>
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## master #621 +/- ##
==========================================
+ Coverage 86.14% 86.89% +0.75%
==========================================
Files 45 44 -1
Lines 1609 1587 -22
==========================================
- Hits 1386 1379 -7
+ Misses 138 124 -14
+ Partials 85 84 -1 ☔ View full report in Codecov by Sentry. |
Fixes #237
Tested http and https unix sockets both work, (Even thought ssl unix sockets dont make much sense 🤷🏻 )
Nginx work fine with both
Pushing early PR since we have to work on cli tool to interact with sockets, Feel free to comment look forward to hearing from you.