diff --git a/data.go b/data.go index ad37247..e13f9c5 100644 --- a/data.go +++ b/data.go @@ -7,7 +7,7 @@ package main import ( "encoding/json" - "fmt" + "log" "github.com/shirou/gopsutil/load" "github.com/shirou/gopsutil/net" @@ -65,6 +65,7 @@ type Configuration struct { Providers []string `json:"providers` // list of JWKS providers MinTLSVersion string `json:"minTLSVersion"` // minimum TLS version MaxTLSVersion string `json:"maxTLSVersion"` // maximum TLS version + CipherSuites string `json:"cipher_suites"` // use custom CipherSuites InsecureSkipVerify bool `json:"insecureSkipVerify"` // tls configuration option LetsEncrypt bool `json:"lets_encrypt"` // start LetsEncrypt HTTPs server DomainNames []string `json:"domain_names"` // list of domain names to use for LetsEncrypt @@ -82,8 +83,10 @@ func (c Configuration) String() string { data, err := json.MarshalIndent(c, "", " ") if err == nil { return string(data) + } else { + log.Println("unable to marshal Configuration object", err) } - return fmt.Sprintf("%+v", c) + return "" } // ServerSettings controls server parameters diff --git a/utils.go b/utils.go index 7787733..8c9c6db 100644 --- a/utils.go +++ b/utils.go @@ -236,6 +236,41 @@ func getServer(serverCrt, serverKey string, customVerify bool) (*http.Server, er log.Println("use maxTLSVersion", maxVer) tlsConfig.MaxVersion = uint16(maxVer) } + if Config.CipherSuites == "frontend" { + tlsConfig.CipherSuites = []uint16{ + // TLS 1.0 - 1.2 cipher suites. + tls.TLS_RSA_WITH_RC4_128_SHA, + tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA, + tls.TLS_RSA_WITH_AES_128_CBC_SHA, + tls.TLS_RSA_WITH_AES_256_CBC_SHA, + tls.TLS_RSA_WITH_AES_128_CBC_SHA256, + tls.TLS_RSA_WITH_AES_128_GCM_SHA256, + tls.TLS_RSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, + tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA, + tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, + tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, + tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, + tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, + tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, + + // TLS 1.3 cipher suites. + tls.TLS_AES_128_GCM_SHA256, + tls.TLS_AES_256_GCM_SHA384, + tls.TLS_CHACHA20_POLY1305_SHA256, + + // fallback + tls.TLS_FALLBACK_SCSV, + } + } // setup HTTPs server addr := fmt.Sprintf(":%d", Config.Port) server := &http.Server{