Improve TLS settings

rnhmjoj 2015-08-11 15:41:59 +02:00
parent 6308071545
commit 44b28de95e
4 changed files with 29 additions and 16 deletions


@ -33,11 +33,15 @@ The default values are:
hostname = "localhost" hostname = "localhost"
port = 3000 port = 3000
urltable = "$XDG_CONFIG_HOME/breve" urltable = "$XDG_CONFIG_HOME/breve"
tls {
cert = "/usr/share/tls/breve.crt" cert = "/usr/share/tls/breve.crt"
key = "/usr/share/tls/breve.key" key = "/usr/share/tls/breve.key"
chain = []
}
``` ```
`urltable` is the location of breve url hashtable `urltable` is the location of breve url hashtable
`chain` is a list of chain certificate files
## License ## License


@ -29,7 +29,7 @@ executable breve
other-modules: Application, Views, Breve.Settings, other-modules: Application, Views, Breve.Settings,
Breve.Generator, Breve.UrlTable Breve.Generator, Breve.UrlTable
other-extensions: OverloadedStrings other-extensions: OverloadedStrings
build-depends: base >=4.8 && <5.0, warp, warp-tls, build-depends: base >=4.8 && <5.0, warp, warp-tls, tls,
Spock, blaze-html, http-types, Spock, blaze-html, http-types,
wai, wai-middleware-static, wai-extra, wai, wai-middleware-static, wai-extra,
transformers, mtl, transformers, mtl,
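Review bot: The new `tls` entry on the build-depends line carries no version bound, while `base` on the same line is bounded both ways. Breve.Settings now takes `Version (..)` and `ciphersuite_strong` from that package, and the set of suites behind `ciphersuite_strong` is whatever the installed tls release defines, so an unpinned dependency lets the negotiated cipher list change on a rebuild without any change in this repository. Bound it the way `base` is, e.g. `tls >=<lower> && <<upper>,` with the placeholders filled from the tls version the build was actually tested against.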


@ -1,21 +1,25 @@
{-# LANGUAGE OverloadedStrings #-} {-# LANGUAGE OverloadedStrings #-}
module Breve.Settings where module Breve.Settings where
import Control.Monad (when) import Control.Monad (when)
import System.Environment (lookupEnv) import System.Environment (lookupEnv)
import System.Environment.XDG.BaseDir import System.Environment.XDG.BaseDir
import System.Directory (doesFileExist) import System.Directory (doesFileExist)
import Data.Text (Text, pack)
import Data.Configurator import Data.Configurator
import Data.Monoid import Data.Monoid
import Data.Text (Text, pack)
import Network.Wai.Handler.WarpTLS (tlsSettings, TLSSettings) import Network.Wai.Handler.WarpTLS (TLSSettings (..), tlsSettingsChain)
import Network.TLS (Version (..))
import Network.TLS.Extra (ciphersuite_strong)
data AppSettings = AppSettings data AppSettings = AppSettings
{ bindHost :: Text { bindHost :: Text
, bindPort :: Int , bindPort :: Int
, bindUrl :: Text , bindUrl :: Text
, urlTable :: FilePath , urlTable :: FilePath
, tlsSetts :: TLSSettings , tlsSettings :: TLSSettings
} }
@ -33,9 +37,10 @@ settings = do
config <- load [Required configPath] config <- load [Required configPath]
host <- lookupDefault "localhost" config "hostname" host <- lookupDefault "localhost" config "hostname"
port <- lookupDefault 3000 config "port" port <- lookupDefault 3000 config "port"
cert <- lookupDefault "/usr/share/tls/breve.crt" config "cert"
key <- lookupDefault "/usr/share/tls/breve.key" config "key"
urls <- lookupDefault urlsPath config "urltable" urls <- lookupDefault urlsPath config "urltable"
cert <- lookupDefault "/usr/share/tls/breve.crt" config "tls.cert"
key <- lookupDefault "/usr/share/tls/breve.key" config "tls.key"
chain <- lookupDefault [] config "tls.chain"
createEmptyIfMissing urls createEmptyIfMissing urls
@ -43,11 +48,15 @@ settings = do
url = if port == 443 url = if port == 443
then base then base
else base <> ":" <> pack (show port) else base <> ":" <> pack (show port)
tls = (tlsSettingsChain cert chain key)
{ tlsAllowedVersions = [TLS12, TLS11]
, tlsCiphers = ciphersuite_strong
}
return AppSettings return AppSettings
{ bindHost = host { bindHost = host
, bindPort = port , bindPort = port
, bindUrl = url <> "/" , bindUrl = url <> "/"
, urlTable = urls , urlTable = urls
, tlsSetts = tlsSettings cert key , tlsSettings = tls
} }
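Review bot: `tlsAllowedVersions = [TLS12, TLS11]` in the last hunk still admits TLS 1.1, which works against the `ciphersuite_strong` choice on the following line: the AEAD (AES-GCM) suites exist only from TLS 1.2 on, so a peer negotiating 1.1 is served with whichever non-AEAD suites remain in that list. Unless a known client on this deployment needs 1.1, `tlsAllowedVersions = [TLS12]` is the safer default; if 1.1 is kept on purpose, a comment such as `-- TLS 1.1 kept for <client>; drop once <condition>` next to the list would record the reason. The `settings` do-block these hunks belong to starts and ends outside the lines shown. Separately, the earlier hunk moves the config keys from `cert`/`key` to `tls.cert`/`tls.key` with unchanged defaults, so an existing config file keeps loading but silently falls back to `/usr/share/tls/breve.crt` and `.key`; a one-line note in the README section that documents the `tls { ... }` block, or a warning from `settings` when the old keys are present, would make that migration visible.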


@ -13,8 +13,8 @@ import Network.Wai.Handler.WarpTLS (runTLS, TLSSettings)
import Network.Wai.Handler.Warp (run, defaultSettings, setPort) import Network.Wai.Handler.Warp (run, defaultSettings, setPort)
runBreve :: TLSSettings -> Int -> SpockT IO () -> IO () runBreve :: TLSSettings -> Int -> SpockT IO () -> IO ()
runBreve tls port spock = runBreve tlsSettings port spock =
spockAsApp (spockT id spock) >>= runTLS tls settings spockAsApp (spockT id spock) >>= runTLS tlsSettings settings
where settings = setPort port defaultSettings where settings = setPort port defaultSettings
@ -34,4 +34,4 @@ main = do
when (bindPort == 443) (forkIO' $ runTLSRedirect bindHost) when (bindPort == 443) (forkIO' $ runTLSRedirect bindHost)
putStrLn ("Serving on " ++ unpack bindUrl) putStrLn ("Serving on " ++ unpack bindUrl)
runBreve tlsSetts bindPort (app bindUrl table) runBreve tlsSettings bindPort (app bindUrl table)