
     1  // This file is part of MinIO Console Server
     2  // Copyright (c) 2021 MinIO, Inc.
     3  //
     4  // This program is free software: you can redistribute it and/or modify
     5  // it under the terms of the GNU Affero General Public License as published by
     6  // the Free Software Foundation, either version 3 of the License, or
     7  // (at your option) any later version.
     8  //
     9  // This program is distributed in the hope that it will be useful,
    10  // but WITHOUT ANY WARRANTY; without even the implied warranty of
    11  // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    12  // GNU Affero General Public License for more details.
    13  //
    14  // You should have received a copy of the GNU Affero General Public License
    15  // along with this program.  If not, see <http://www.gnu.org/licenses/>.
    16  
    17  package api
    18  
    19  import (
    20  	"crypto/tls"
    21  	"net"
    22  	"net/http"
    23  	"time"
    24  )
    25  
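// ConsoleTransport is an http.RoundTripper that delegates to an
// *http.Transport and stamps every outgoing request with an
// X-Forwarded-For header carrying the console user's address, so the
// upstream server sees the originating client rather than the console.
type ConsoleTransport struct {
	// Transport performs the actual round trip.
	Transport *http.Transport
	// ClientIP is the value appended to X-Forwarded-For on every request.
	ClientIP string
}

// RoundTrip implements http.RoundTripper.
//
// The header is appended with Add rather than Set, so a value already on
// the request is kept as the leading hop. It is added to a clone of the
// request, not to req itself: the RoundTripper contract forbids mutating
// the caller's request, and doing so would also accumulate one extra
// X-Forwarded-For entry per retry of the same request.
func (t *ConsoleTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	// Clone deep-copies req.Header, so the caller's request is untouched.
	out := req.Clone(req.Context())
	if out.Header == nil {
		// Clone preserves a nil Header; Add would panic on a nil map.
		out.Header = make(http.Header)
	}
	out.Header.Add("X-Forwarded-For", t.ClientIP)
	return t.Transport.RoundTrip(out)
}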
    36  
// PrepareSTSClientTransport builds the RoundTripper the console uses for
// STS calls to the MinIO server.
//
// The transport follows madmin-go's default transport: proxy selection from
// the environment, dial / TLS-handshake / idle-connection timeouts, a large
// idle pool, and DisableCompression so gzip-encoded bodies are passed through
// untouched. TLS is restricted to 1.2 or newer and server certificates are
// checked against GlobalRootCAs (a nil pool means the system roots, per
// tls.Config).
//
// insecure maps directly onto tls.Config.InsecureSkipVerify: when true the
// server certificate is NOT verified at all, so the STS exchange (and whatever
// credentials it returns) can be intercepted by an active man-in-the-middle.
// Treat it as a development-only switch. remoteAddress is the console user's
// address and is appended to X-Forwarded-For on every request.
func PrepareSTSClientTransport(insecure bool, remoteAddress string) *ConsoleTransport {
	dialer := &net.Dialer{
		Timeout:   10 * time.Second,
		KeepAlive: 15 * time.Second,
	}

	tlsConfig := &tls.Config{
		// SSLv3 and TLS 1.0 are exposed to POODLE and BEAST on CBC suites,
		// and TLS 1.1 still allows RC4, so nothing below 1.2 is accepted.
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: insecure,
		RootCAs:            GlobalRootCAs,
	}

	transport := &http.Transport{
		Proxy:                 http.ProxyFromEnvironment,
		DialContext:           dialer.DialContext,
		MaxIdleConns:          1024,
		MaxIdleConnsPerHost:   1024,
		IdleConnTimeout:       90 * time.Second,
		TLSHandshakeTimeout:   10 * time.Second,
		ExpectContinueTimeout: 10 * time.Second,
		DisableCompression:    true,
		TLSClientConfig:       tlsConfig,
	}

	return &ConsoleTransport{
		Transport: transport,
		ClientIP:  remoteAddress,
	}
}
    71  
// PrepareConsoleHTTPClient returns an *http.Client configured for
// *credentials.STSAssumeRole. Its transport comes from
// PrepareSTSClientTransport, so it carries the console CA bundle
// (GlobalRootCAs), requires TLS 1.2+, honours insecure (skip server
// certificate verification — development use only) and appends clientIP to
// X-Forwarded-For on each request.
//
// No Client.Timeout is set: connection setup is bounded by the transport's
// dial and TLS-handshake timeouts, but a server that accepts the connection
// and never answers is bounded only by the request's context.
func PrepareConsoleHTTPClient(insecure bool, clientIP string) *http.Client {
	return &http.Client{
		Transport: PrepareSTSClientTransport(insecure, clientIP),
	}
}
    81  }