From 6fed4824a74c477d54caf2529d3e74191cb650e5 Mon Sep 17 00:00:00 2001
From: Igor Zolotarev <63460867+yngvar-antonsson@users.noreply.github.com>
Date: Fri, 22 Nov 2024 13:53:49 +0100
Subject: [PATCH] Add SSL support to HTTP server (#2285)
---
 CHANGELOG.rst | 8 ++++++++
 cartridge.lua | 21 ++++++++++++++++++++-
 rst/cartridge_admin.rst | 16 +++++++++++++++-
 3 files changed, 43 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index eb544a062..6db7a575e 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -17,8 +17,15 @@ Changed
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Update ``vshard`` dependency to `0.1.30 `_.
+ - Update ``http`` dependency to `1.7.0 `_.
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Added
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- SSL support to HTTP server.
+ ------------------------------------------------------------------------------- [2.12.4] - 2024-09-16 -------------------------------------------------------------------------------
@@ -28,6 +35,7 @@ Changed
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Update ``vshard`` dependency to `0.1.29 `_.
+ - Update ``http`` dependency to `1.6.0 `_.
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/cartridge.lua b/cartridge.lua
index 6684bbb5d..a8f44825e 100644
--- a/cartridge.lua
+++ b/cartridge.lua
@@ -785,9 +785,28 @@ local function cfg(opts, box_opts)
 opts.webui_enabled = true end if opts.http_enabled then
+ local ssl_opts, err = argparse.get_opts({
+ http_ssl_cert_file = 'string',
+ http_ssl_key_file = 'string',
+ http_ssl_password = 'string',
+ http_ssl_password_file = 'string',
+ http_ssl_ca_file = 'string',
+ http_ssl_ciphers = 'string',
+ })
+ if err ~= nil then
+ return nil, err
+ end
 local httpd = http.new( opts.http_host, opts.http_port,
- { log_requests = false }
+ {
+ log_requests = false,
+ ssl_cert_file = ssl_opts.http_ssl_cert_file,
+ ssl_key_file = ssl_opts.http_ssl_key_file,
+ ssl_password = ssl_opts.http_ssl_password,
+ ssl_password_file = ssl_opts.http_ssl_password_file,
+ ssl_ca_file = ssl_opts.http_ssl_ca_file,
+ ssl_ciphers = ssl_opts.http_ssl_ciphers,
+ }
 ) local ok, err = HttpInitError:pcall(httpd.start, httpd)
diff --git a/rst/cartridge_admin.rst b/rst/cartridge_admin.rst
index 8141bc00d..10580efae 100644
--- a/rst/cartridge_admin.rst
+++ b/rst/cartridge_admin.rst
@@ -1793,7 +1793,7 @@ SSL in Cartridge ------------------------------------------------------------------------------- Tarantool Enterprise supports the use of SSL connections to encrypt client-server
-communications for increased security. To enable SSL in Cartridge for Replication
+communications for increased security. To enable SSL in Cartridge for replication
 and inner cluster communications, you can use environment variables or ``cartridge.cfg`` options.
@@ -1806,6 +1806,20 @@ You also need to add cfg options or environment variables for the next ssl optio
 `this article `_.
+To enable http encryption, use environment variables:
+
+* ``TARANTOOL_HTTP_SSL_CERT_FILE``;
+
+* ``TARANTOOL_HTTP_SSL_KEY_FILE``;
+
+* ``TARANTOOL_HTTP_SSL_PASSWORD``;
+
+* ``TARANTOOL_HTTP_SSL_PASSWORD_FILE``;
+
+* ``TARANTOOL_HTTP_SSL_CA_FILE``;
+
+* ``TARANTOOL_HTTP_SSL_CIPHERS``.
+
 .. _cartridge-change-cookie:
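Review bot: The new `http_ssl_password` option carries the private-key passphrase as a plain argparse string, which per the rst hunk in this same commit is supplied through `TARANTOOL_HTTP_SSL_PASSWORD`, i.e. the process environment; since the hunk also accepts `http_ssl_password_file`, a comment above the `argparse.get_opts` call should say which form to prefer, e.g. `-- HTTP SSL options come from argparse (TARANTOOL_HTTP_SSL_* env / CLI), not from opts; prefer http_ssl_password_file over http_ssl_password so the passphrase does not sit in the environment`, and the rst hunk should say the same. Nothing here checks that `ssl_cert_file` and `ssl_key_file` are supplied together, or which of password and password_file wins when both are set; presumably `httpd.start` rejects a half-configured pair and the `HttpInitError:pcall` on the last line surfaces it, but a check before `http.new` would give a clearer error. The added `local ssl_opts, err` sits in the same `if opts.http_enabled then` block as the pre-existing `local ok, err` on the last line, which luacheck will likely report as shadowing; `local ssl_opts, ssl_err = argparse.get_opts({` with `if ssl_err ~= nil then return nil, ssl_err end` would avoid that. The enclosing function `cfg` starts and ends outside the hunk.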