jacksontj / promxy

An aggregating proxy to enable HA prometheus
MIT License

WebConfigFile #489

Open V1pr opened 2 years ago

V1pr commented 2 years ago

Hi,

I've seen an (experimental) WebConfigFile flag in the main.go. Please be so kind and provide some example of how it is possible to configure TLS (and/or auth). (The main goal is to enable TLS on the promxy 'frontend'.)

Thanks,

Tom
V1pr commented 2 years ago

Meanwhile I managed to start promxy with TLS, but it was not easy. If I use the sample file from prometheus:

tls_server_config:
   # Certificate and key files for server to use to authenticate to client.
  cert_file: /etc/ssl/certs/my-cert.pem
  key_file: /etc/ssl/private/my-key.pem

  # Server policy for client authentication. Maps to ClientAuth Policies.
  # For more detail on clientAuth options:
  # https://golang.org/pkg/crypto/tls/#ClientAuthType
  #
  # NOTE: If you want to enable client authentication, you need to use
  # RequireAndVerifyClientCert. Other values are insecure.
#  [ client_auth_type: <string> | default = "NoClientCert" ]

  # CA certificate for client certificate authentication to the server.
# [ client_ca_file: <filename> ]

  # Minimum TLS version that is acceptable.
#  [ min_version: <string> | default = "TLS12" ]

  # Maximum TLS version that is acceptable.
#  [ max_version: <string> | default = "TLS13" ]

  # List of supported cipher suites for TLS versions up to TLS 1.2. If empty,
  # Go default cipher suites are used. Available cipher suites are documented
  # in the go documentation:
  # https://golang.org/pkg/crypto/tls/#pkg-constants
#  [ cipher_suites:
#    [ - <string> ] ]

  # prefer_server_cipher_suites controls whether the server selects the
  # client's most preferred ciphersuite, or the server's most preferred
  # ciphersuite. If true then the server's preference, as expressed in
  # the order of elements in cipher_suites, is used.
#  [ prefer_server_cipher_suites: <bool> | default = true ]

  # Elliptic curves that will be used in an ECDHE handshake, in preference
  # order. Available curves are documented in the go documentation:
  # https://golang.org/pkg/crypto/tls/#CurveID
#  [ curve_preferences:
#    [ - <string> ] ]

#http_server_config:
  # Enable HTTP/2 support. Note that HTTP/2 is only supported with TLS.
  # This can not be changed on the fly.
#  [ http2: <boolean> | default = true ]
  # List of headers that can be added to HTTP responses.
#  [ headers:
    # Set the Content-Security-Policy header to HTTP responses.
    # Unset if blank.
#    [ Content-Security-Policy: <string> ]
    # Set the X-Frame-Options header to HTTP responses.
    # Unset if blank. Accepted values are deny and sameorigin.
    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
#    [ X-Frame-Options: <string> ]
    # Set the X-Content-Type-Options header to HTTP responses.
    # Unset if blank. Accepted value is nosniff.
    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
#    [ X-Content-Type-Options: <string> ]
    # Set the X-XSS-Protection header to all responses.
    # Unset if blank. Accepted value is nosniff.
    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
#    [ X-XSS-Protection: <string> ]
    # Set the Strict-Transport-Security header to HTTP responses.
    # Unset if blank.
    # Please make sure that you use this with care as this header might force
    # browsers to load Prometheus and the other applications hosted on the same
    # domain and subdomains over HTTPS.
    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
#    [ Strict-Transport-Security: <string> ] ]

# Usernames and hashed passwords that have full access to the web
# server via basic authentication. If empty, no basic authentication is
# required. Passwords are hashed with bcrypt.
# basic_auth_users:
#  [ <string>: <secret> ... ]

I'm getting this error:

line 1: field tls_server_config not found in type web.TLSStruct

However, if I only have this in web.config.yaml:

# Certificate and key files for server to use to authenticate to client.
cert_file: /etc/ssl/certs/my-cert.pem
key_file: /etc/ssl/private/my-key.pem

promxy starts with these flags:

/usr/local/bin/promxy/promxy --config=/etc/promxy/config.yaml --web.config.file=/etc/promxy/web.config.yaml

I don't know if this is OK or not, but this worked for me.
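The sample file above lists the TLS knobs and notes that only RequireAndVerifyClientCert actually enforces client authentication and that TLS 1.2 is the default floor. The following is an added example (not promxy's or exporter-toolkit's code) that turns those keys into a crypto/tls server config with exactly those rules enforced, and generates a throwaway self-signed certificate so it runs offline. The TLSServerConfig struct, BuildTLSConfig and WriteSelfSignedPair are hypothetical names for this example only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// TLSServerConfig carries the tls_server_config keys this example supports
// (a hypothetical mirror of the sample file's fields, not promxy's own type).
type TLSServerConfig struct {
	CertFile       string // cert_file
	KeyFile        string // key_file
	ClientAuthType string // client_auth_type, default "NoClientCert"
	ClientCAFile   string // client_ca_file
	MinVersion     string // min_version, default "TLS12"
	MaxVersion     string // max_version, default "TLS13"
}

var tlsVersions = map[string]uint16{
	"TLS10": tls.VersionTLS10, "TLS11": tls.VersionTLS11,
	"TLS12": tls.VersionTLS12, "TLS13": tls.VersionTLS13,
}

func orDefault(v, def string) string {
	if v == "" {
		return def
	}
	return v
}

// BuildTLSConfig turns the YAML-level settings into a *tls.Config, applying the
// sample file's defaults and refusing the client-auth modes its NOTE calls insecure.
func BuildTLSConfig(c TLSServerConfig) (*tls.Config, error) {
	if c.CertFile == "" || c.KeyFile == "" {
		return nil, errors.New("cert_file and key_file are both required")
	}
	cert, err := tls.LoadX509KeyPair(c.CertFile, c.KeyFile)
	if err != nil {
		return nil, fmt.Errorf("loading server key pair: %w", err)
	}
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}}
	minName, maxName := orDefault(c.MinVersion, "TLS12"), orDefault(c.MaxVersion, "TLS13")
	minV, okMin := tlsVersions[minName]
	maxV, okMax := tlsVersions[maxName]
	if !okMin || !okMax {
		return nil, fmt.Errorf("unknown TLS version in min_version=%q/max_version=%q", minName, maxName)
	}
	if minV > maxV {
		return nil, fmt.Errorf("min_version %s is newer than max_version %s", minName, maxName)
	}
	cfg.MinVersion, cfg.MaxVersion = minV, maxV
	switch auth := orDefault(c.ClientAuthType, "NoClientCert"); auth {
	case "NoClientCert":
		cfg.ClientAuth = tls.NoClientCert
	case "RequireAndVerifyClientCert":
		if c.ClientCAFile == "" {
			return nil, errors.New("client_auth_type RequireAndVerifyClientCert needs client_ca_file")
		}
		caPEM, err := os.ReadFile(c.ClientCAFile)
		if err != nil {
			return nil, fmt.Errorf("reading client_ca_file: %w", err)
		}
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return nil, errors.New("client_ca_file contains no usable certificates")
		}
		cfg.ClientCAs, cfg.ClientAuth = pool, tls.RequireAndVerifyClientCert
	default:
		// RequestClientCert, RequireAnyClientCert and VerifyClientCertIfGiven exist in
		// crypto/tls but do not guarantee a verified client identity, as the NOTE says.
		return nil, fmt.Errorf("client_auth_type %q does not enforce client authentication; use RequireAndVerifyClientCert", auth)
	}
	return cfg, nil
}

// WriteSelfSignedPair writes a throwaway self-signed certificate and key into dir
// so the example runs offline; a real deployment points at CA-issued files.
func WriteSelfSignedPair(dir string) (certPath, keyPath string, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "promxy.example.test"}, // constructed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", "", err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return "", "", err
	}
	certPath, keyPath = filepath.Join(dir, "cert.pem"), filepath.Join(dir, "key.pem")
	if err := os.WriteFile(certPath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600); err != nil {
		return "", "", err
	}
	if err := os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), 0o600); err != nil {
		return "", "", err
	}
	return certPath, keyPath, nil
}
```

To try it, call WriteSelfSignedPair on a temporary directory and pass the two paths as CertFile/KeyFile to BuildTLSConfig; feeding the same certificate as ClientCAFile with ClientAuthType "RequireAndVerifyClientCert" exercises the mutual-TLS branch, while "RequireAnyClientCert" or an inverted min/max pair is rejected before a listener is ever created.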

jacksontj commented 2 years ago

This seems like what it is currently wired up to do (https://github.com/jacksontj/promxy/blob/master/pkg/server/api.go#L84) specifically that TLSStruct section; since this doesn't match the upstream config format we should either wrap (so it does) or change the option name (to be less confusing).
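The comment above explains the error: promxy decodes the whole --web.config.file into the TLS struct itself, so the upstream tls_server_config wrapper key is unknown, while the flat two-key file matches. The following added example (not promxy's or exporter-toolkit's code) reproduces that with a small parser for the YAML subset the sample file uses and a strict unknown-field check like the one a YAML decoder performs, then shows the same file decoding cleanly once the wrapper section is honoured. The field lists, DecodeAsTLSStruct and DecodeAsWebConfig are hypothetical mirrors built from the keys on this page.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Keys the TLS struct accepts (taken from the tls_server_config section of the
// sample file; a hypothetical mirror of the type promxy decodes into).
var tlsStructFields = map[string]bool{
	"cert_file": true, "key_file": true, "client_auth_type": true,
	"client_ca_file": true, "min_version": true, "max_version": true,
	"cipher_suites": true, "prefer_server_cipher_suites": true,
	"curve_preferences": true,
}

// Top-level sections of the upstream Prometheus web config file.
var webConfigSections = map[string]bool{
	"tls_server_config": true, "http_server_config": true, "basic_auth_users": true,
}

// parseFlatYAML handles the subset the sample file uses: comments, blank lines,
// "key: value" scalars and "key:" mappings nested by two-space indentation.
// Scalars come back keyed by their dotted path (e.g. tls_server_config.cert_file).
func parseFlatYAML(doc string) (map[string]string, error) {
	out := map[string]string{}
	var path []string
	for n, raw := range strings.Split(doc, "\n") {
		line := strings.TrimRight(raw, " \t")
		trimmed := strings.TrimLeft(line, " ")
		if trimmed == "" || strings.HasPrefix(trimmed, "#") {
			continue
		}
		depth := (len(line) - len(trimmed)) / 2
		if depth > len(path) {
			return nil, fmt.Errorf("line %d: unexpected indentation", n+1)
		}
		path = path[:depth]
		key, value, ok := strings.Cut(trimmed, ":")
		if !ok {
			return nil, fmt.Errorf("line %d: expected key: value", n+1)
		}
		key, value = strings.TrimSpace(key), strings.TrimSpace(value)
		if value == "" { // a nested mapping starts here
			path = append(path, key)
			continue
		}
		prefix := strings.Join(path, ".")
		if prefix != "" {
			prefix += "."
		}
		out[prefix+key] = value
	}
	return out, nil
}

// decodeInto checks the keys under prefix (all keys when prefix is "") against
// the field set of typeName, as a strict decoder would, and reports the first
// unknown field in the wording seen in the issue (yaml.v2 also prepends "line N:").
func decodeInto(fields map[string]string, prefix string, known map[string]bool, typeName string) (map[string]string, error) {
	keys := make([]string, 0, len(fields))
	for k := range fields {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic error reporting
	got := map[string]string{}
	for _, full := range keys {
		k := full
		if prefix != "" {
			if !strings.HasPrefix(k, prefix+".") {
				continue
			}
			k = strings.TrimPrefix(k, prefix+".")
		}
		name, _, _ := strings.Cut(k, ".")
		if !known[name] {
			return nil, fmt.Errorf("field %s not found in type %s", name, typeName)
		}
		got[k] = fields[full]
	}
	return got, nil
}

// DecodeAsTLSStruct mirrors the current wiring: the whole file is the TLS struct.
func DecodeAsTLSStruct(doc string) (map[string]string, error) {
	fields, err := parseFlatYAML(doc)
	if err != nil {
		return nil, err
	}
	return decodeInto(fields, "", tlsStructFields, "web.TLSStruct")
}

// DecodeAsWebConfig mirrors the upstream layout: sections first, TLS struct inside.
func DecodeAsWebConfig(doc string) (map[string]string, error) {
	fields, err := parseFlatYAML(doc)
	if err != nil {
		return nil, err
	}
	if _, err := decodeInto(fields, "", webConfigSections, "web.Config"); err != nil {
		return nil, err
	}
	return decodeInto(fields, "tls_server_config", tlsStructFields, "web.TLSStruct")
}

// Constructed inputs: the upstream-shaped file and the flat file that worked in the issue.
const wrappedDoc = `tls_server_config:
  # Certificate and key files for server to use to authenticate to client.
  cert_file: /etc/ssl/certs/my-cert.pem
  key_file: /etc/ssl/private/my-key.pem
#  [ client_auth_type: <string> | default = "NoClientCert" ]
`

const flatDoc = `cert_file: /etc/ssl/certs/my-cert.pem
key_file: /etc/ssl/private/my-key.pem
`

func main() {
	_, err := DecodeAsTLSStruct(wrappedDoc)
	fmt.Println("wrapped file as TLSStruct:", err)
	got, err := DecodeAsWebConfig(wrappedDoc)
	fmt.Println("wrapped file as web.Config:", got, err)
	got, err = DecodeAsTLSStruct(flatDoc)
	fmt.Println("flat file as TLSStruct:", got, err)
}
```

Running it prints the unknown-field error for the wrapped file under the current wiring, the two paths once the wrapper is honoured, and the same two paths for the flat file; the flat file in turn fails under the upstream layout because cert_file is not a top-level section, which is why a file cannot be valid for both shapes at once.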

As9530272755 commented 4 months ago

Meanwhile, I managed to start promxy with TLS, but it was not easy. If I use the sample file from Prometheus:

tls_server_config:
   # Certificate and key files for server to use to authenticate to client.
  cert_file: /etc/ssl/certs/my-cert.pem
  key_file: /etc/ssl/private/my-key.pem

  # Server policy for client authentication. Maps to ClientAuth Policies.
  # For more detail on clientAuth options:
  # https://golang.org/pkg/crypto/tls/#ClientAuthType
  #
  # NOTE: If you want to enable client authentication, you need to use
  # RequireAndVerifyClientCert. Other values are insecure.
#  [ client_auth_type: <string> | default = "NoClientCert" ]

  # CA certificate for client certificate authentication to the server.
# [ client_ca_file: <filename> ]

  # Minimum TLS version that is acceptable.
#  [ min_version: <string> | default = "TLS12" ]

  # Maximum TLS version that is acceptable.
#  [ max_version: <string> | default = "TLS13" ]

  # List of supported cipher suites for TLS versions up to TLS 1.2. If empty,
  # Go default cipher suites are used. Available cipher suites are documented
  # in the go documentation:
  # https://golang.org/pkg/crypto/tls/#pkg-constants
#  [ cipher_suites:
#    [ - <string> ] ]

  # prefer_server_cipher_suites controls whether the server selects the
  # client's most preferred ciphersuite, or the server's most preferred
  # ciphersuite. If true then the server's preference, as expressed in
  # the order of elements in cipher_suites, is used.
#  [ prefer_server_cipher_suites: <bool> | default = true ]

  # Elliptic curves that will be used in an ECDHE handshake, in preference
  # order. Available curves are documented in the go documentation:
  # https://golang.org/pkg/crypto/tls/#CurveID
#  [ curve_preferences:
#    [ - <string> ] ]

#http_server_config:
  # Enable HTTP/2 support. Note that HTTP/2 is only supported with TLS.
  # This can not be changed on the fly.
#  [ http2: <boolean> | default = true ]
  # List of headers that can be added to HTTP responses.
#  [ headers:
    # Set the Content-Security-Policy header to HTTP responses.
    # Unset if blank.
#    [ Content-Security-Policy: <string> ]
    # Set the X-Frame-Options header to HTTP responses.
    # Unset if blank. Accepted values are deny and sameorigin.
    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
#    [ X-Frame-Options: <string> ]
    # Set the X-Content-Type-Options header to HTTP responses.
    # Unset if blank. Accepted value is nosniff.
    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
#    [ X-Content-Type-Options: <string> ]
    # Set the X-XSS-Protection header to all responses.
    # Unset if blank. Accepted value is nosniff.
    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
#    [ X-XSS-Protection: <string> ]
    # Set the Strict-Transport-Security header to HTTP responses.
    # Unset if blank.
    # Please make sure that you use this with care as this header might force
    # browsers to load Prometheus and the other applications hosted on the same
    # domain and subdomains over HTTPS.
    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
#    [ Strict-Transport-Security: <string> ] ]

# Usernames and hashed passwords that have full access to the web
# server via basic authentication. If empty, no basic authentication is
# required. Passwords are hashed with bcrypt.
# basic_auth_users:
#  [ <string>: <secret> ... ]

I get this error:

line 1: field tls_server_config not found in type web.TLSStruct

However, if I only include this in web.config.yaml:

# Certificate and key files for server to use to authenticate to client.
cert_file: /etc/ssl/certs/my-cert.pem
key_file: /etc/ssl/private/my-key.pem

promxy starts with these flags:

/usr/local/bin/promxy/promxy --config=/etc/promxy/config.yaml --web.config.file=/etc/promxy/web.config.yaml

I don't know if this is OK, but it worked for me.

Hello, have you resolved this issue?