Improve TLS settings
This commit is contained in:
parent
6308071545
commit
44b28de95e
@ -33,11 +33,15 @@ The default values are:
|
|||||||
hostname = "localhost"
|
hostname = "localhost"
|
||||||
port = 3000
|
port = 3000
|
||||||
urltable = "$XDG_CONFIG_HOME/breve"
|
urltable = "$XDG_CONFIG_HOME/breve"
|
||||||
|
tls {
|
||||||
cert = "/usr/share/tls/breve.crt"
|
cert = "/usr/share/tls/breve.crt"
|
||||||
key = "/usr/share/tls/breve.key"
|
key = "/usr/share/tls/breve.key"
|
||||||
|
chain = []
|
||||||
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
`urltable` is the location of breve url hashtable
|
`urltable` is the location of breve url hashtable
|
||||||
|
`chain` is a list of chain certificate files
|
||||||
|
|
||||||
## License
|
## License
|
||||||
|
|
||||||
|
@ -29,7 +29,7 @@ executable breve
|
|||||||
other-modules: Application, Views, Breve.Settings,
|
other-modules: Application, Views, Breve.Settings,
|
||||||
Breve.Generator, Breve.UrlTable
|
Breve.Generator, Breve.UrlTable
|
||||||
other-extensions: OverloadedStrings
|
other-extensions: OverloadedStrings
|
||||||
build-depends: base >=4.8 && <5.0, warp, warp-tls,
|
build-depends: base >=4.8 && <5.0, warp, warp-tls, tls,
|
||||||
Spock, blaze-html, http-types,
|
Spock, blaze-html, http-types,
|
||||||
wai, wai-middleware-static, wai-extra,
|
wai, wai-middleware-static, wai-extra,
|
||||||
transformers, mtl,
|
transformers, mtl,
|
||||||
|
@ -1,21 +1,25 @@
|
|||||||
{-# LANGUAGE OverloadedStrings #-}
|
{-# LANGUAGE OverloadedStrings #-}
|
||||||
|
|
||||||
module Breve.Settings where
|
module Breve.Settings where
|
||||||
|
|
||||||
import Control.Monad (when)
|
import Control.Monad (when)
|
||||||
import System.Environment (lookupEnv)
|
import System.Environment (lookupEnv)
|
||||||
import System.Environment.XDG.BaseDir
|
import System.Environment.XDG.BaseDir
|
||||||
import System.Directory (doesFileExist)
|
import System.Directory (doesFileExist)
|
||||||
|
import Data.Text (Text, pack)
|
||||||
import Data.Configurator
|
import Data.Configurator
|
||||||
import Data.Monoid
|
import Data.Monoid
|
||||||
import Data.Text (Text, pack)
|
|
||||||
import Network.Wai.Handler.WarpTLS (tlsSettings, TLSSettings)
|
import Network.Wai.Handler.WarpTLS (TLSSettings (..), tlsSettingsChain)
|
||||||
|
import Network.TLS (Version (..))
|
||||||
|
import Network.TLS.Extra (ciphersuite_strong)
|
||||||
|
|
||||||
data AppSettings = AppSettings
|
data AppSettings = AppSettings
|
||||||
{ bindHost :: Text
|
{ bindHost :: Text
|
||||||
, bindPort :: Int
|
, bindPort :: Int
|
||||||
, bindUrl :: Text
|
, bindUrl :: Text
|
||||||
, urlTable :: FilePath
|
, urlTable :: FilePath
|
||||||
, tlsSetts :: TLSSettings
|
, tlsSettings :: TLSSettings
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -33,9 +37,10 @@ settings = do
|
|||||||
config <- load [Required configPath]
|
config <- load [Required configPath]
|
||||||
host <- lookupDefault "localhost" config "hostname"
|
host <- lookupDefault "localhost" config "hostname"
|
||||||
port <- lookupDefault 3000 config "port"
|
port <- lookupDefault 3000 config "port"
|
||||||
cert <- lookupDefault "/usr/share/tls/breve.crt" config "cert"
|
|
||||||
key <- lookupDefault "/usr/share/tls/breve.key" config "key"
|
|
||||||
urls <- lookupDefault urlsPath config "urltable"
|
urls <- lookupDefault urlsPath config "urltable"
|
||||||
|
cert <- lookupDefault "/usr/share/tls/breve.crt" config "tls.cert"
|
||||||
|
key <- lookupDefault "/usr/share/tls/breve.key" config "tls.key"
|
||||||
|
chain <- lookupDefault [] config "tls.chain"
|
||||||
|
|
||||||
createEmptyIfMissing urls
|
createEmptyIfMissing urls
|
||||||
|
|
||||||
@ -43,11 +48,15 @@ settings = do
|
|||||||
url = if port == 443
|
url = if port == 443
|
||||||
then base
|
then base
|
||||||
else base <> ":" <> pack (show port)
|
else base <> ":" <> pack (show port)
|
||||||
|
tls = (tlsSettingsChain cert chain key)
|
||||||
|
{ tlsAllowedVersions = [TLS12, TLS11]
|
||||||
|
, tlsCiphers = ciphersuite_strong
|
||||||
|
}
|
||||||
|
|
||||||
return AppSettings
|
return AppSettings
|
||||||
{ bindHost = host
|
{ bindHost = host
|
||||||
, bindPort = port
|
, bindPort = port
|
||||||
, bindUrl = url <> "/"
|
, bindUrl = url <> "/"
|
||||||
, urlTable = urls
|
, urlTable = urls
|
||||||
, tlsSetts = tlsSettings cert key
|
, tlsSettings = tls
|
||||||
}
|
}
|
||||||
|
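Review bot: The `tls` binding added in the last hunk pairs `ciphersuite_strong` with `tlsAllowedVersions = [TLS12, TLS11]`, and keeping TLS 1.1 enabled weakens the profile the strong suite list is meant to give, since 1.1 is deprecated (RFC 8996) and only 1.2 and later carry the AEAD suites; unless a specific legacy client is known, `tlsAllowedVersions = [TLS12]` (plus `TLS13` if the pinned `tls` package exposes it, which is not visible here) is the safer default. The versions and ciphers are hard-coded while `tls.cert`, `tls.key` and `tls.chain` are read from the config, so a comment such as `-- Protocol versions and ciphers are fixed on purpose; only the cert material is configurable` next to `tls = ...` would make that split deliberate rather than accidental. The new `tls.chain` default of `[]` means a leaf certificate is served without its intermediates when the key is omitted; whether warp-tls rejects that at load time cannot be told from the hunk, so a startup warning or a README note that `chain` is normally required for CA-issued certificates would help operators. `settings` starts and ends outside the hunk.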
@ -13,8 +13,8 @@ import Network.Wai.Handler.WarpTLS (runTLS, TLSSettings)
|
|||||||
import Network.Wai.Handler.Warp (run, defaultSettings, setPort)
|
import Network.Wai.Handler.Warp (run, defaultSettings, setPort)
|
||||||
|
|
||||||
runBreve :: TLSSettings -> Int -> SpockT IO () -> IO ()
|
runBreve :: TLSSettings -> Int -> SpockT IO () -> IO ()
|
||||||
runBreve tls port spock =
|
runBreve tlsSettings port spock =
|
||||||
spockAsApp (spockT id spock) >>= runTLS tls settings
|
spockAsApp (spockT id spock) >>= runTLS tlsSettings settings
|
||||||
where settings = setPort port defaultSettings
|
where settings = setPort port defaultSettings
|
||||||
|
|
||||||
|
|
||||||
@ -34,4 +34,4 @@ main = do
|
|||||||
when (bindPort == 443) (forkIO' $ runTLSRedirect bindHost)
|
when (bindPort == 443) (forkIO' $ runTLSRedirect bindHost)
|
||||||
|
|
||||||
putStrLn ("Serving on " ++ unpack bindUrl)
|
putStrLn ("Serving on " ++ unpack bindUrl)
|
||||||
runBreve tlsSetts bindPort (app bindUrl table)
|
runBreve tlsSettings bindPort (app bindUrl table)
|