// Source listing: github.com/minio/console@v1.3.0/api/config.go

// This file is part of MinIO Console Server
// Copyright (c) 2021 MinIO, Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program.  If not, see <http://www.gnu.org/licenses/>.

package api

import (
	"crypto/x509"
	"net"
	"strconv"
	"strings"

	"github.com/minio/console/pkg/auth/idp/oauth2"
	xcerts "github.com/minio/pkg/v2/certs"
	"github.com/minio/pkg/v2/env"
	xnet "github.com/minio/pkg/v2/net"
)

// Listener defaults. They are package-level variables (not constants), so
// other code can overwrite them before the getters in this file read them.
var (
	// Hostname is the default console hostname. It is deliberately empty:
	// rather than listening on 0.0.0.0 only, an empty hostname makes the
	// console listen on all IPv4 and IPv6 addresses. The console is
	// therefore reachable on every interface of the host unless a specific
	// hostname is configured.
	Hostname = ""

	// Port is the default console port, kept as a string; GetPort parses it.
	Port = "9090"

	// TLSPort is the default console TLS port, kept as a string; GetTLSPort
	// parses it.
	TLSPort = "9443"

	// TLSRedirect is the default console TLS redirect rule ("on").
	TLSRedirect = "on"
)

// ConsoleResourceName is the fixed resource name "console-ui". Its consumers
// are outside this file.
var ConsoleResourceName = "console-ui"

// TLS material shared across the package.
var (
	// GlobalPublicCerts holds the certificates Console uses to serve clients.
	GlobalPublicCerts []*x509.Certificate

	// GlobalRootCAs is the pool of root CA certificates. A nil value means
	// the system certificate pool is used.
	GlobalRootCAs *x509.CertPool

	// GlobalTLSCertsManager is the custom TLS manager that provides SNI
	// support.
	GlobalTLSCertsManager *xcerts.Manager
)

// MinIOConfig represents application configuration passed in from the MinIO
// server to the console.
type MinIOConfig struct {
	// OpenIDProviders is the OpenID provider configuration, typed as
	// oauth2.OpenIDPCfg.
	OpenIDProviders oauth2.OpenIDPCfg
}

// GlobalMinIOConfig is the global application configuration passed in from the
// MinIO server.
var GlobalMinIOConfig MinIOConfig

// getMinIOServer returns the MinIO server URL read from the ConsoleMinIOServer
// setting with surrounding whitespace removed. The fallback is
// "http://localhost:9000", i.e. plaintext HTTP to the local host.
func getMinIOServer() string {
	raw := env.Get(ConsoleMinIOServer, "http://localhost:9000")
	return strings.TrimSpace(raw)
}

// getSubnetProxy returns the whitespace-trimmed ConsoleSubnetProxy setting, or
// "" when it is not set.
func getSubnetProxy() string {
	raw := env.Get(ConsoleSubnetProxy, "")
	return strings.TrimSpace(raw)
}

// GetMinIORegion returns the whitespace-trimmed ConsoleMinIORegion setting, or
// "" when it is not set.
func GetMinIORegion() string {
	raw := env.Get(ConsoleMinIORegion, "")
	return strings.TrimSpace(raw)
}

// getMinIOEndpoint returns the host part of the configured MinIO server URL.
// It panics when the URL from getMinIOServer does not parse as an HTTP(S) URL,
// so a malformed setting stops the process instead of being ignored.
func getMinIOEndpoint() string {
	parsed, err := xnet.ParseHTTPURL(getMinIOServer())
	if err == nil {
		return parsed.Host
	}
	panic(err)
}

// getMinIOEndpointIsSecure reports whether the configured MinIO server URL
// uses the "https" scheme. With the built-in default URL this is false. It
// panics when the URL does not parse, like getMinIOEndpoint.
func getMinIOEndpointIsSecure() bool {
	parsed, err := xnet.ParseHTTPURL(getMinIOServer())
	if err == nil {
		return parsed.Scheme == "https"
	}
	panic(err)
}

// GetHostname returns the console hostname in lower case: the value of the
// ConsoleHostname setting when present, otherwise the package-level Hostname
// (the built-in default or the one defined on the run command).
func GetHostname() string {
	host := env.Get(ConsoleHostname, Hostname)
	return strings.ToLower(host)
}

// GetPort returns the console port from the ConsolePort setting, or from the
// package-level Port when the setting is absent. A value that is not an
// integer silently falls back to 9090; the number is not range-checked here.
func GetPort() int {
	if parsed, err := strconv.Atoi(env.Get(ConsolePort, Port)); err == nil {
		return parsed
	}
	return 9090
}

// GetTLSPort returns the console TLS port from the ConsoleTLSPort setting, or
// from the package-level TLSPort when the setting is absent. A value that is
// not an integer silently falls back to 9443; the number is not range-checked
// here.
func GetTLSPort() int {
	if parsed, err := strconv.Atoi(env.Get(ConsoleTLSPort, TLSPort)); err == nil {
		return parsed
	}
	return 9443
}

// GetTLSRedirect returns the TLS redirect rule in lower case: the value of the
// ConsoleSecureTLSRedirect setting, or the package-level TLSRedirect ("on" by
// default). The result is a string, not a boolean; when the rule is on, only
// HTTPS requests are meant to be allowed.
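func GetTLSRedirect() string {
	return strings.ToLower(env.Get(ConsoleSecureTLSRedirect, TLSRedirect))
}

// The GetSecure* getters below read the secure-middleware settings.
//
// Boolean settings are true only for the literal value "on" (any letter case).
// Every other value, including "true", "1" or a typo, reads as off, so a
// protection that defaults to on is switched off by any unrecognised value.

// GetSecureAllowedHosts returns the comma-separated ConsoleSecureAllowedHosts
// setting as a list. Whitespace around each entry is removed and empty entries
// are dropped, so "a.example, b.example," yields two usable entries instead of
// one with a leading space and one empty string. The result is an empty,
// non-nil slice when nothing is configured.
//
// NOTE(review): presumably an empty list means the middleware applies no Host
// restriction; confirm against the middleware. Because entries are split on
// ",", a regular expression containing a comma cannot be expressed.
func GetSecureAllowedHosts() []string {
	hosts := []string{}
	for _, entry := range strings.Split(env.Get(ConsoleSecureAllowedHosts, ""), ",") {
		if entry = strings.TrimSpace(entry); entry != "" {
			hosts = append(hosts, entry)
		}
	}
	return hosts
}

// GetSecureAllowedHostsAreRegex reports whether the entries returned by
// GetSecureAllowedHosts are to be treated as regular expressions. Default is
// false.
func GetSecureAllowedHostsAreRegex() bool {
	return strings.EqualFold(env.Get(ConsoleSecureAllowedHostsAreRegex, "off"), "on")
}

// GetSecureFrameDeny reports whether the X-Frame-Options header is added with
// the value `DENY`. Default is true.
func GetSecureFrameDeny() bool {
	return strings.EqualFold(env.Get(ConsoleSecureFrameDeny, "on"), "on")
}

// GetSecureContentTypeNonSniff reports whether the X-Content-Type-Options
// header is added with the value `nosniff`. Default is true.
func GetSecureContentTypeNonSniff() bool {
	return strings.EqualFold(env.Get(ConsoleSecureContentTypeNoSniff, "on"), "on")
}

// GetSecureBrowserXSSFilter reports whether the X-XSS-Protection header is
// added with the value `1; mode=block`. Default is true. Current browsers no
// longer act on this header, so it does not replace a Content-Security-Policy.
func GetSecureBrowserXSSFilter() bool {
	return strings.EqualFold(env.Get(ConsoleSecureBrowserXSSFilter, "on"), "on")
}

// GetSecureContentSecurityPolicy returns the custom Content-Security-Policy
// header value. Default is "", so no policy is configured unless the operator
// sets one. Passing a template string will replace `$NONCE` with a dynamic
// nonce value of 16 bytes for each request, which can later be retrieved using
// the Nonce function.
func GetSecureContentSecurityPolicy() string {
	return env.Get(ConsoleSecureContentSecurityPolicy, "")
}

// GetSecureContentSecurityPolicyReportOnly returns the custom value for the
// Content-Security-Policy-Report-Only header. Default is "".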
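func GetSecureContentSecurityPolicyReportOnly() string {
	return env.Get(ConsoleSecureContentSecurityPolicyReportOnly, "")
}

// GetSecureHostsProxyHeaders returns the header keys that may hold a proxied
// hostname value for the request, read from the comma-separated
// ConsoleSecureHostsProxyHeaders setting. Whitespace around each key is
// removed and empty keys are dropped. The result is an empty, non-nil slice
// when nothing is configured.
//
// A header listed here is taken as the request's hostname, so list one only
// when a trusted proxy in front of the console sets or overwrites it;
// otherwise the value comes straight from the client.
func GetSecureHostsProxyHeaders() []string {
	headers := []string{}
	for _, key := range strings.Split(env.Get(ConsoleSecureHostsProxyHeaders, ""), ",") {
		if key = strings.TrimSpace(key); key != "" {
			headers = append(headers, key)
		}
	}
	return headers
}

// GetSecureTLSHost returns the host name used to redirect HTTP requests to
// HTTPS. An explicit ConsoleSecureTLSHost setting wins; without it the
// package-level Hostname and TLSPort are joined when Hostname is set; otherwise
// the result is "", which indicates to use the same host as the request.
//
// The previous code read the setting but returned "" whenever it was
// non-empty, so a configured redirect host was silently ignored.
func GetSecureTLSHost() string {
	if tlsHost := strings.TrimSpace(env.Get(ConsoleSecureTLSHost, "")); tlsHost != "" {
		return tlsHost
	}
	if Hostname != "" {
		return net.JoinHostPort(Hostname, TLSPort)
	}
	return ""
}

// GetSecureSTSSeconds returns the max-age of the Strict-Transport-Security
// header in seconds. Default is 0, which would NOT include the header. A value
// that is not an integer, or is negative, also yields 0. The value is parsed
// as a 64-bit integer so large max-age values work on 32-bit platforms too.
func GetSecureSTSSeconds() int64 {
	seconds, err := strconv.ParseInt(env.Get(ConsoleSecureSTSSeconds, "0"), 10, 64)
	if err != nil || seconds < 0 {
		return 0
	}
	return seconds
}

// GetSecureSTSIncludeSubdomains reports whether `includeSubdomains` is
// appended to the Strict-Transport-Security header. Default is false. Only the
// value "on" (any letter case) enables it.
func GetSecureSTSIncludeSubdomains() bool {
	return strings.EqualFold(env.Get(ConsoleSecureSTSIncludeSubdomains, "off"), "on")
}

// GetSecureSTSPreload reports whether the `preload` flag is appended to the
// Strict-Transport-Security header. Default is false. Only the value "on" (any
// letter case) enables it.
func GetSecureSTSPreload() bool {
	return strings.EqualFold(env.Get(ConsoleSecureSTSPreload, "off"), "on")
}

// GetSecureTLSTemporaryRedirect reports whether a 302 is used while
// redirecting. Default is false (301). Only the value "on" (any letter case)
// enables it.
func GetSecureTLSTemporaryRedirect() bool {
	return strings.EqualFold(env.Get(ConsoleSecureTLSTemporaryRedirect, "off"), "on")
}

// GetSecureForceSTSHeader reports whether the ConsoleSecureForceSTSHeader
// setting is "on". Default is false, in which case the STS header is only
// included when the connection is HTTPS.
// NOTE(review): going by the setting's name, enabling it presumably adds the
// header on plain-HTTP responses as well; confirm against the middleware.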
func GetSecureForceSTSHeader() bool {
	setting := env.Get(ConsoleSecureForceSTSHeader, "off")
	return strings.EqualFold(setting, "on")
}

// GetSecureReferrerPolicy returns the custom value for the Referrer-Policy
// header. Default is "".
func GetSecureReferrerPolicy() string {
	policy := env.Get(ConsoleSecureReferrerPolicy, "")
	return policy
}

// GetSecureFeaturePolicy returns the custom value for the Feature-Policy
// header. Default is "". Browsers have since replaced Feature-Policy with
// Permissions-Policy, which this getter does not cover.
func GetSecureFeaturePolicy() string {
	policy := env.Get(ConsoleSecureFeaturePolicy, "")
	return policy
}

// getLogSearchAPIToken returns the log search auth token. The
// ConsoleLogQueryAuthToken setting is preferred; when it is empty the
// LogSearchQueryAuthToken setting is used, and "" is returned when neither is
// set. The value is a credential and should stay out of logs and error
// messages.
func getLogSearchAPIToken() string {
	token := env.Get(ConsoleLogQueryAuthToken, "")
	if token == "" {
		token = env.Get(LogSearchQueryAuthToken, "")
	}
	return token
}

// getLogSearchURL returns the ConsoleLogQueryURL setting, or "" when unset.
func getLogSearchURL() string {
	url := env.Get(ConsoleLogQueryURL, "")
	return url
}

// getPrometheusURL returns the PrometheusURL setting, or "" when unset.
func getPrometheusURL() string {
	url := env.Get(PrometheusURL, "")
	return url
}

// getPrometheusAuthToken returns the PrometheusAuthToken setting, or "" when
// unset. The value is a credential and should stay out of logs and error
// messages.
func getPrometheusAuthToken() string {
	token := env.Get(PrometheusAuthToken, "")
	return token
}

// getPrometheusJobID returns the PrometheusJobID setting, defaulting to
// "minio-job".
func getPrometheusJobID() string {
	jobID := env.Get(PrometheusJobID, "minio-job")
	return jobID
}

// getPrometheusExtraLabels returns the PrometheusExtraLabels setting, or ""
// when unset.
func getPrometheusExtraLabels() string {
	labels := env.Get(PrometheusExtraLabels, "")
	return labels
}

// getMaxConcurrentUploadsLimit returns the ConsoleMaxConcurrentUploads setting
// as an int64. The default is 10, which is also returned when the value does
// not parse. Zero and negative values are returned unchanged; callers that
// rely on this as a resource limit must handle them.
func getMaxConcurrentUploadsLimit() int64 {
	limit, err := strconv.ParseInt(env.Get(ConsoleMaxConcurrentUploads, "10"), 10, 64)
	if err == nil {
		return limit
	}
	return 10
}

// getMaxConcurrentDownloadsLimit returns the ConsoleMaxConcurrentDownloads
// setting as an int64. The default is 20, which is also returned when the
// value does not parse. Zero and negative values are returned unchanged;
// callers that rely on this as a resource limit must handle them.
func getMaxConcurrentDownloadsLimit() int64 {
	limit, err := strconv.ParseInt(env.Get(ConsoleMaxConcurrentDownloads, "20"), 10, 64)
	if err == nil {
		return limit
	}
	return 20
}

// getConsoleDevMode reports whether the ConsoleDevMode setting is "on" (any
// letter case). Default is false.
// NOTE(review): what dev mode changes is decided by callers outside this
// file; verify what it relaxes before enabling it outside development.
func getConsoleDevMode() bool {
	setting := env.Get(ConsoleDevMode, "off")
	return strings.EqualFold(setting, "on")
}

// getConsoleAnimatedLogin reports whether the ConsoleAnimatedLogin setting is
// "on" (any letter case). Default is true.
func getConsoleAnimatedLogin() bool {
	setting := env.Get(ConsoleAnimatedLogin, "on")
	return strings.EqualFold(setting, "on")
}