fftls


Constants

// Configuration keys of the TLS section for an HTTP server or client.
const (
	// HTTPConfTLSEnabled whether TLS is enabled for the HTTP server.
	HTTPConfTLSEnabled = "enabled"
	// HTTPConfTLSClientAuth whether the HTTP server demands a client certificate
	// (mutual TLS).
	HTTPConfTLSClientAuth = "clientAuth"

	// HTTPConfTLSCAFile path of the certificate authority file for the HTTP server.
	HTTPConfTLSCAFile = "caFile"
	// HTTPConfTLSCA inline certificate authority in PEM format; ignored when
	// HTTPConfTLSCAFile is also set.
	HTTPConfTLSCA = "ca"

	// HTTPConfTLSCertFile path of the TLS certificate file for the HTTP server.
	HTTPConfTLSCertFile = "certFile"
	// HTTPConfTLSCert inline TLS certificate in PEM format; ignored when
	// HTTPConfTLSCertFile is also set.
	HTTPConfTLSCert = "cert"

	// HTTPConfTLSKeyFile path of the private key file for TLS on the server.
	HTTPConfTLSKeyFile = "keyFile"
	// HTTPConfTLSKey inline private key in PEM format; ignored when
	// HTTPConfTLSKeyFile is also set.
	HTTPConfTLSKey = "key"

	// HTTPConfTLSInsecureSkipHostVerify disables host verification of the peer
	// certificate. Insecure: intended for development only.
	HTTPConfTLSInsecureSkipHostVerify = "insecureSkipHostVerify"

	// HTTPConfTLSRequiredDNAttributes a set of regular expressions matched against
	// the DN of the client certificate. Only meaningful together with
	// HTTPConfTLSClientAuth.
	HTTPConfTLSRequiredDNAttributes = "requiredDNAttributes"
)
// CertMetricsSubsystem names the metrics subsystem that holds the certificate
// expiry gauge, so the full metric name is ff_tls_certificate_expiry.
const CertMetricsSubsystem = "tls"

Variables

// SubjectDNKnownAttributes maps the supported DN attribute short names to an
// accessor that extracts that attribute's values from a parsed subject name.
// Multi-valued attributes return the underlying pkix.Name slice as-is (which may
// be nil); the single-valued CN and SERIALNUMBER return an empty, non-nil slice
// when the field is unset rather than a slice holding "".
var SubjectDNKnownAttributes = func() map[string]func(pkix.Name) []string {
	// single adapts a single-valued subject field to the []string accessor shape.
	single := func(get func(pkix.Name) string) func(pkix.Name) []string {
		return func(n pkix.Name) []string {
			if v := get(n); v != "" {
				return []string{v}
			}
			return []string{}
		}
	}
	return map[string]func(pkix.Name) []string{
		"C":            func(n pkix.Name) []string { return n.Country },
		"O":            func(n pkix.Name) []string { return n.Organization },
		"OU":           func(n pkix.Name) []string { return n.OrganizationalUnit },
		"CN":           single(func(n pkix.Name) string { return n.CommonName }),
		"SERIALNUMBER": single(func(n pkix.Name) string { return n.SerialNumber }),
		"L":            func(n pkix.Name) []string { return n.Locality },
		"ST":           func(n pkix.Name) []string { return n.Province },
		"STREET":       func(n pkix.Name) []string { return n.StreetAddress },
		"POSTALCODE":   func(n pkix.Name) []string { return n.PostalCode },
	}
}()

Functions

func ConstructTLSConfig

func ConstructTLSConfig(ctx context.Context, conf config.Section, tlsType TLSType) (*tls.Config, error)

func EnableCertificateMetrics

func EnableCertificateMetrics(ctx context.Context, metricsRegistry metric.MetricsRegistry) error

EnableCertificateMetrics registers a gauge (in the "tls" subsystem) that is set to the unix timestamp at which loaded TLS certificates expire. Once enabled, every subsequent NewTLSConfig / ConstructTLSConfig call records the gauge for each CA certificate, and for the configured client or server certificate - distinguished by the "type" label (ca/client/server). Because certificate expiry is static, these are only recorded once when the certificate material is read - never per-connection.

It is safe to call this multiple times; only the first call registers the metric. Callers that build both client and server TLS configs only need to call it once for the shared registry.

func InitTLSConfig

func InitTLSConfig(conf config.Section)

func NewTLSConfig

func NewTLSConfig(ctx context.Context, config *Config, tlsType TLSType) (*tls.Config, error)

Types

type Config

// Config is the parsed TLS configuration for one side (server or client) of an
// HTTP connection; GenerateConfig builds it from the HTTPConfTLS* keys.
type Config struct {
	// Enabled reports whether TLS is enabled.
	Enabled                bool                   `ffstruct:"tlsconfig" json:"enabled"`
	// ClientAuth requires a mutual TLS connection, i.e. clients must present a certificate.
	ClientAuth             bool                   `ffstruct:"tlsconfig" json:"clientAuth,omitempty"`
	// CAFile is the path of the certificate authority file; when set, CA is ignored.
	CAFile                 string                 `ffstruct:"tlsconfig" json:"caFile,omitempty"`
	// CA is the certificate authority in PEM format; ignored if CAFile is also set.
	CA                     string                 `ffstruct:"tlsconfig" json:"ca,omitempty"`
	// CertFile is the path of the certificate file; when set, Cert is ignored.
	CertFile               string                 `ffstruct:"tlsconfig" json:"certFile,omitempty"`
	// Cert is the certificate in PEM format; ignored if CertFile is also set.
	Cert                   string                 `ffstruct:"tlsconfig" json:"cert,omitempty"`
	// KeyFile is the path of the private key file; when set, Key is ignored.
	KeyFile                string                 `ffstruct:"tlsconfig" json:"keyFile,omitempty"`
	// Key is the private key in PEM format; ignored if KeyFile is also set.
	Key                    string                 `ffstruct:"tlsconfig" json:"key,omitempty"`
	// InsecureSkipHostVerify disables host verification of the peer certificate.
	// Insecure: intended for development only.
	InsecureSkipHostVerify bool                   `ffstruct:"tlsconfig" json:"insecureSkipHostVerify"`
	// RequiredDNAttributes holds regular expressions matched against the DN of the
	// client certificate; only meaningful together with ClientAuth.
	// NOTE(review): presumably keyed by the names in SubjectDNKnownAttributes - confirm.
	RequiredDNAttributes   map[string]interface{} `ffstruct:"tlsconfig" json:"requiredDNAttributes,omitempty"`
}

func GenerateConfig

func GenerateConfig(conf config.Section) *Config

type TLSType

// TLSType distinguishes whether a tls.Config is being built for the server side
// or the client side of a connection; NewTLSConfig and ConstructTLSConfig take it
// as their tlsType argument.
type TLSType string

// The two TLSType values.
const (
	ServerType = TLSType("server")
	ClientType = TLSType("client")
)
