Improve TLS settings

This commit is contained in:
rnhmjoj 2015-08-11 15:41:59 +02:00
parent 6308071545
commit 44b28de95e
4 changed files with 29 additions and 16 deletions


@ -33,11 +33,15 @@ The default values are:
hostname = "localhost"
port = 3000
urltable = "$XDG_CONFIG_HOME/breve"
tls {
cert = "/usr/share/tls/breve.crt"
key = "/usr/share/tls/breve.key"
chain = []
}
```
`urltable` is the location of breve url hashtable
`chain` is a list of chain certificate files
## License


@ -29,7 +29,7 @@ executable breve
other-modules: Application, Views, Breve.Settings,
Breve.Generator, Breve.UrlTable
other-extensions: OverloadedStrings
build-depends: base >=4.8 && <5.0, warp, warp-tls,
build-depends: base >=4.8 && <5.0, warp, warp-tls, tls,
Spock, blaze-html, http-types,
wai, wai-middleware-static, wai-extra,
transformers, mtl,
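Review bot: The new `tls` entry on the build-depends line has no version bound, and this is the one package whose release determines what `ciphersuite_strong` actually contains and which `TLSSettings` fields exist. Without a bound, a later resolver run can change the cipher set the server negotiates, or break the build on a renamed field, without any change visible in this repository. A bound of the form `tls >=TESTED_LOWER && <TESTED_UPPER` (placeholders for the release this was built against) would pin that behaviour; `warp-tls` would benefit from the same treatment for the same reason.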


@ -1,21 +1,25 @@
{-# LANGUAGE OverloadedStrings #-}
module Breve.Settings where
import Control.Monad (when)
import System.Environment (lookupEnv)
import System.Environment.XDG.BaseDir
import System.Directory (doesFileExist)
import Data.Text (Text, pack)
import Data.Configurator
import Data.Monoid
import Data.Text (Text, pack)
import Network.Wai.Handler.WarpTLS (tlsSettings, TLSSettings)
import Network.Wai.Handler.WarpTLS (TLSSettings (..), tlsSettingsChain)
import Network.TLS (Version (..))
import Network.TLS.Extra (ciphersuite_strong)
data AppSettings = AppSettings
{ bindHost :: Text
, bindPort :: Int
, bindUrl :: Text
, urlTable :: FilePath
, tlsSetts :: TLSSettings
, tlsSettings :: TLSSettings
}
@ -33,9 +37,10 @@ settings = do
config <- load [Required configPath]
host <- lookupDefault "localhost" config "hostname"
port <- lookupDefault 3000 config "port"
cert <- lookupDefault "/usr/share/tls/breve.crt" config "cert"
key <- lookupDefault "/usr/share/tls/breve.key" config "key"
urls <- lookupDefault urlsPath config "urltable"
cert <- lookupDefault "/usr/share/tls/breve.crt" config "tls.cert"
key <- lookupDefault "/usr/share/tls/breve.key" config "tls.key"
chain <- lookupDefault [] config "tls.chain"
createEmptyIfMissing urls
@ -43,11 +48,15 @@ settings = do
url = if port == 443
then base
else base <> ":" <> pack (show port)
tls = (tlsSettingsChain cert chain key)
{ tlsAllowedVersions = [TLS12, TLS11]
, tlsCiphers = ciphersuite_strong
}
return AppSettings
{ bindHost = host
, bindPort = port
, bindUrl = url <> "/"
, urlTable = urls
, tlsSetts = tlsSettings cert key
, tlsSettings = tls
}
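Review bot: The hardening choices in the `tls` binding of the last hunk, `tlsAllowedVersions = [TLS12, TLS11]` and `tlsCiphers = ciphersuite_strong`, are the substance of this commit but carry no comment recording why TLS 1.0 is excluded while 1.1 is kept, and unlike cert, key and chain they are fixed in code rather than read from the `tls` config block. A short comment above the record update such as `-- TLS 1.0 and weak suites are deliberately disabled; drop TLS11 once all expected clients negotiate 1.2` would preserve the intent for whoever next touches these lines. If every client the deployment expects already speaks TLS 1.2, `tlsAllowedVersions = [TLS12]` is the smaller protocol surface. Since `doesFileExist` is already imported, checking `cert`, `key` and each entry of `chain` before building `tls` would turn a missing certificate into a clear startup error instead of whatever `runTLS` reports later; I cannot see from the hunk how that failure currently surfaces. The enclosing `settings` action starts before the first hunk of this file.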


@ -13,8 +13,8 @@ import Network.Wai.Handler.WarpTLS (runTLS, TLSSettings)
import Network.Wai.Handler.Warp (run, defaultSettings, setPort)
runBreve :: TLSSettings -> Int -> SpockT IO () -> IO ()
runBreve tls port spock =
spockAsApp (spockT id spock) >>= runTLS tls settings
runBreve tlsSettings port spock =
spockAsApp (spockT id spock) >>= runTLS tlsSettings settings
where settings = setPort port defaultSettings
@ -34,4 +34,4 @@ main = do
when (bindPort == 443) (forkIO' $ runTLSRedirect bindHost)
putStrLn ("Serving on " ++ unpack bindUrl)
runBreve tlsSetts bindPort (app bindUrl table)
runBreve tlsSettings bindPort (app bindUrl table)