
fix:fasthttp server with tlsConfig #1595

Merged (5 commits), Jul 18, 2023

Conversation

@zxpdmw (Contributor) commented Jul 16, 2023

// fasthttp TLS sample code
package main

import (
	"crypto/tls"
	"log"

	"github.com/fasthttp/router"
	"github.com/valyala/fasthttp"
)

func main() {
	r := router.New()
	r.GET("/hello", func(ctx *fasthttp.RequestCtx) {
		ctx.Response.SetBody([]byte("hello workflow"))
	})
	s := &fasthttp.Server{
		Handler:   r.Handler,
		TLSConfig: &tls.Config{}, // populated at runtime from the decrypted certificate
	}
	// Empty certFile/keyFile: the certificate is expected to come from TLSConfig.
	if err := s.ListenAndServeTLS("0.0.0.0:443", "", ""); err != nil {
		log.Println(err)
	}
}


// net/http TLS sample code
package main

import (
	"crypto/tls"
	"fmt"
	"log"
	"net/http"
)

func main() {
	http.HandleFunc("/hello", func(writer http.ResponseWriter, request *http.Request) {
		fmt.Fprint(writer, "hello world")
	})
	s := http.Server{
		Addr:      "0.0.0.0:443",
		TLSConfig: &tls.Config{}, // populated at runtime from the decrypted certificate
	}
	// Empty certFile/keyFile: net/http falls back to TLSConfig.Certificates / GetCertificate.
	if err := s.ListenAndServeTLS("", ""); err != nil {
		log.Println(err)
	}
}

The code is as above. Due to the company's security requirements, we need to encrypt and store the SSL certificate and password, and before using them we need to decrypt them and construct a *tls.Config. The native http server listens on the TLS port when passed an empty certificate and key, and afterwards the TLS port is listened on normally, but calling ListenAndServeTLS in fasthttp with an empty certificate and key does not listen normally. I compared the source code of native http and fasthttp and found that native http has done compatibility processing but fasthttp has not, hence this PR.

net/http source code

// ServeTLS accepts incoming connections on the Listener l, creating a
// new service goroutine for each. The service goroutines perform TLS
// setup and then read requests, calling srv.Handler to reply to them.
//
// Files containing a certificate and matching private key for the
// server must be provided if neither the Server's
// TLSConfig.Certificates nor TLSConfig.GetCertificate are populated.
// If the certificate is signed by a certificate authority, the
// certFile should be the concatenation of the server's certificate,
// any intermediates, and the CA's certificate.
//
// ServeTLS always returns a non-nil error. After Shutdown or Close, the
// returned error is ErrServerClosed.
func (srv *Server) ServeTLS(l net.Listener, certFile, keyFile string) error {
	// Setup HTTP/2 before srv.Serve, to initialize srv.TLSConfig
	// before we clone it and create the TLS Listener.
	if err := srv.setupHTTP2_ServeTLS(); err != nil {
		return err
	}

	config := cloneTLSConfig(srv.TLSConfig)
	if !strSliceContains(config.NextProtos, "http/1.1") {
		config.NextProtos = append(config.NextProtos, "http/1.1")
	}

	configHasCert := len(config.Certificates) > 0 || config.GetCertificate != nil
	if !configHasCert || certFile != "" || keyFile != "" {
		var err error
		config.Certificates = make([]tls.Certificate, 1)
		config.Certificates[0], err = tls.LoadX509KeyPair(certFile, keyFile)
		if err != nil {
			return err
		}
	}

	tlsListener := tls.NewListener(l, config)
	return srv.Serve(tlsListener)
}
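As an added example (not code from this PR or from fasthttp), the helper below reproduces the net/http compatibility rule quoted above for the case the author describes: a certificate decrypted into memory and placed in TLSConfig, with empty certFile/keyFile passed to the listener. The names prepareTLSConfig and inMemoryCert are assumptions, and the self-signed certificate is constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// prepareTLSConfig applies net/http's ServeTLS rule: load certFile/keyFile only when cfg carries no certificate source or files were given (hypothetical helper).
func prepareTLSConfig(cfg *tls.Config, certFile, keyFile string) (*tls.Config, error) {
	if cfg == nil {
		cfg = &tls.Config{}
	}
	cfg = cfg.Clone() // never mutate the caller's config
	hasCert := len(cfg.Certificates) > 0 || cfg.GetCertificate != nil
	if hasCert && certFile == "" && keyFile == "" {
		return cfg, nil // serve the certificate already held in memory
	}
	if certFile == "" || keyFile == "" {
		return nil, errors.New("tls: no certificate in config and no cert/key files")
	}
	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
	if err != nil {
		return nil, err
	}
	cfg.Certificates = []tls.Certificate{cert}
	return cfg, nil
}

// inMemoryCert builds a throwaway self-signed certificate, standing in for one decrypted from protected storage at startup (constructed test data).
func inMemoryCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "localhost"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}
```

With this rule, an empty config and empty file names fail with a clear error instead of an opaque "open : no such file" from LoadX509KeyPair, while explicitly given files still take precedence over whatever the config holds.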

zxpdmw and others added 2 commits July 17, 2023 07:32
Co-authored-by: Erik Dubbelboer <[email protected]>
@erikdubbelboer erikdubbelboer merged commit 6eb2249 into valyala:master Jul 18, 2023
@erikdubbelboer (Collaborator) commented:

Thanks!

@zxpdmw zxpdmw deleted the zhangweiyu branch July 20, 2023 01:21