config: rename protocols to tls_protocols
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
This commit is contained in:
parent
4a15775f65
commit
7da5d8fcea
7 changed files with 18 additions and 18 deletions
|
@ -205,7 +205,7 @@ The configuration file contains the following sections:
|
|||
- `min_tls_version`, integer. Defines the minimum version of TLS to be enabled. `12` means TLS 1.2 (and therefore TLS 1.2 and TLS 1.3 will be enabled),`13` means TLS 1.3. Default: `12`.
|
||||
- `client_auth_type`, integer. Set to `1` to require a client certificate and verify it. Set to `2` to request a client certificate during the TLS handshake and verify it if given, in this mode the client is allowed not to send a certificate. At least one certification authority must be defined in order to verify client certificates. If no certification authority is defined, this setting is ignored. Default: 0.
|
||||
- `tls_cipher_suites`, list of strings. List of supported cipher suites for TLS version 1.2. If empty, a default list of secure cipher suites is used, with a preference order based on hardware performance. Note that TLS 1.3 ciphersuites are not configurable. The supported ciphersuites names are defined [here](https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L53). Any invalid name will be silently ignored. The order matters, the ciphers listed first will be the preferred ones. Default: empty.
|
||||
- `protocols`, list of string. HTTPS protocols in preference order. Supported values: `http/1.1`, `h2`. Default: `http/1.1`, `h2`.
|
||||
- `tls_protocols`, list of string. HTTPS protocols in preference order. Supported values: `http/1.1`, `h2`. Default: `http/1.1`, `h2`.
|
||||
- `prefix`, string. Prefix for WebDAV resources, if empty WebDAV resources will be available at the `/` URI. If defined it must be an absolute URI, for example `/dav`. Default: "".
|
||||
- `proxy_allowed`, list of IP addresses and IP ranges allowed to set client IP proxy header such as `X-Forwarded-For`. Any client IP proxy headers, if set on requests from a connection address not in this list, will be silently ignored. Default: empty.
|
||||
- `client_ip_proxy_header`, string. Defines the allowed client IP proxy header such as `X-Forwarded-For`, `X-Real-IP` etc. Default: empty
|
||||
|
@ -315,7 +315,7 @@ The configuration file contains the following sections:
|
|||
- `min_tls_version`, integer. Defines the minimum version of TLS to be enabled. `12` means TLS 1.2 (and therefore TLS 1.2 and TLS 1.3 will be enabled),`13` means TLS 1.3. Default: `12`.
|
||||
- `client_auth_type`, integer. Set to `1` to require client certificate authentication in addition to JWT/Web authentication. You need to define at least a certificate authority for this to work. Default: 0.
|
||||
- `tls_cipher_suites`, list of strings. List of supported cipher suites for TLS version 1.2. If empty, a default list of secure cipher suites is used, with a preference order based on hardware performance. Note that TLS 1.3 ciphersuites are not configurable. The supported ciphersuites names are defined [here](https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L53). Any invalid name will be silently ignored. The order matters, the ciphers listed first will be the preferred ones. Default: empty.
|
||||
- `protocols`, list of string. HTTPS protocols in preference order. Supported values: `http/1.1`, `h2`. Default: `http/1.1`, `h2`.
|
||||
- `tls_protocols`, list of string. HTTPS protocols in preference order. Supported values: `http/1.1`, `h2`. Default: `http/1.1`, `h2`.
|
||||
- `proxy_allowed`, list of IP addresses and IP ranges allowed to set client IP proxy header such as `X-Forwarded-For`, `X-Real-IP` and any other headers defined in the `security` section. Any of the indicated headers, if set on requests from a connection address not in this list, will be silently ignored. Default: empty.
|
||||
- `client_ip_proxy_header`, string. Defines the allowed client IP proxy header such as `X-Forwarded-For`, `X-Real-IP` etc. Default: empty
|
||||
- `client_ip_header_depth`, integer. Some client IP headers such as `X-Forwarded-For` can contain multiple IP address, this setting define the position to trust starting from the right. For example if we have: `10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1` and the depth is `0`, SFTPGo will use `13.0.0.1` as client IP, if depth is `1`, `12.0.0.1` will be used and so on. Default: `0`.
|
||||
|
@ -401,7 +401,7 @@ The configuration file contains the following sections:
|
|||
- `certificate_key_file`, string. Private key matching the above certificate. This can be an absolute path or a path relative to the config dir. If both the certificate and the private key are provided, the server will expect HTTPS connections. Certificate and key files can be reloaded on demand sending a `SIGHUP` signal on Unix based systems and a `paramchange` request to the running service on Windows.
|
||||
- `min_tls_version`, integer. Defines the minimum version of TLS to be enabled. `12` means TLS 1.2 (and therefore TLS 1.2 and TLS 1.3 will be enabled),`13` means TLS 1.3. Default: `12`.
|
||||
- `tls_cipher_suites`, list of strings. List of supported cipher suites for TLS version 1.2. If empty, a default list of secure cipher suites is used, with a preference order based on hardware performance. Note that TLS 1.3 ciphersuites are not configurable. The supported ciphersuites names are defined [here](https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L53). Any invalid name will be silently ignored. The order matters, the ciphers listed first will be the preferred ones. Default: empty.
|
||||
- `protocols`, list of string. HTTPS protocols in preference order. Supported values: `http/1.1`, `h2`. Default: `http/1.1`, `h2`.
|
||||
- `tls_protocols`, list of string. HTTPS protocols in preference order. Supported values: `http/1.1`, `h2`. Default: `http/1.1`, `h2`.
|
||||
|
||||
</details>
|
||||
<details><summary><font size=4>HTTP clients</font></summary>
|
||||
|
|
|
@ -1297,7 +1297,7 @@ func getWebDAVBindingHTTPSConfigsFromEnv(idx int, binding *webdavd.Binding) bool
|
|||
isSet = true
|
||||
}
|
||||
|
||||
protocols, ok := lookupStringListFromEnv(fmt.Sprintf("SFTPGO_WEBDAVD__BINDINGS__%d__PROTOCOLS", idx))
|
||||
protocols, ok := lookupStringListFromEnv(fmt.Sprintf("SFTPGO_WEBDAVD__BINDINGS__%d__TLS_PROTOCOLS", idx))
|
||||
if ok {
|
||||
binding.Protocols = protocols
|
||||
isSet = true
|
||||
|
@ -1877,7 +1877,7 @@ func getHTTPDBindingFromEnv(idx int) { //nolint:gocyclo
|
|||
isSet = true
|
||||
}
|
||||
|
||||
protocols, ok := lookupStringListFromEnv(fmt.Sprintf("SFTPGO_HTTPD__BINDINGS__%d__PROTOCOLS", idx))
|
||||
protocols, ok := lookupStringListFromEnv(fmt.Sprintf("SFTPGO_HTTPD__BINDINGS__%d__TLS_PROTOCOLS", idx))
|
||||
if ok {
|
||||
binding.Protocols = protocols
|
||||
isSet = true
|
||||
|
@ -2180,7 +2180,7 @@ func setViperDefaults() {
|
|||
viper.SetDefault("telemetry.certificate_key_file", globalConf.TelemetryConfig.CertificateKeyFile)
|
||||
viper.SetDefault("telemetry.min_tls_version", globalConf.TelemetryConfig.MinTLSVersion)
|
||||
viper.SetDefault("telemetry.tls_cipher_suites", globalConf.TelemetryConfig.TLSCipherSuites)
|
||||
viper.SetDefault("telemetry.protocols", globalConf.TelemetryConfig.Protocols)
|
||||
viper.SetDefault("telemetry.tls_protocols", globalConf.TelemetryConfig.Protocols)
|
||||
viper.SetDefault("smtp.host", globalConf.SMTPConfig.Host)
|
||||
viper.SetDefault("smtp.port", globalConf.SMTPConfig.Port)
|
||||
viper.SetDefault("smtp.from", globalConf.SMTPConfig.From)
|
||||
|
|
|
@ -1099,7 +1099,7 @@ func TestWebDAVBindingsFromEnv(t *testing.T) {
|
|||
os.Setenv("SFTPGO_WEBDAVD__BINDINGS__1__PORT", "8000")
|
||||
os.Setenv("SFTPGO_WEBDAVD__BINDINGS__1__ENABLE_HTTPS", "0")
|
||||
os.Setenv("SFTPGO_WEBDAVD__BINDINGS__1__TLS_CIPHER_SUITES", "TLS_RSA_WITH_AES_128_CBC_SHA ")
|
||||
os.Setenv("SFTPGO_WEBDAVD__BINDINGS__1__PROTOCOLS", "http/1.1 ")
|
||||
os.Setenv("SFTPGO_WEBDAVD__BINDINGS__1__TLS_PROTOCOLS", "http/1.1 ")
|
||||
os.Setenv("SFTPGO_WEBDAVD__BINDINGS__1__PROXY_ALLOWED", "192.168.10.1")
|
||||
os.Setenv("SFTPGO_WEBDAVD__BINDINGS__1__CLIENT_IP_PROXY_HEADER", "X-Forwarded-For")
|
||||
os.Setenv("SFTPGO_WEBDAVD__BINDINGS__1__CLIENT_IP_HEADER_DEPTH", "2")
|
||||
|
@ -1118,7 +1118,7 @@ func TestWebDAVBindingsFromEnv(t *testing.T) {
|
|||
os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__1__PORT")
|
||||
os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__1__ENABLE_HTTPS")
|
||||
os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__1__TLS_CIPHER_SUITES")
|
||||
os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__1__PROTOCOLS")
|
||||
os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__1__TLS_PROTOCOLS")
|
||||
os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__1__PROXY_ALLOWED")
|
||||
os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__1__CLIENT_IP_PROXY_HEADER")
|
||||
os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__1__CLIENT_IP_HEADER_DEPTH")
|
||||
|
@ -1198,7 +1198,7 @@ func TestHTTPDBindingsFromEnv(t *testing.T) {
|
|||
os.Setenv("SFTPGO_HTTPD__BINDINGS__2__MIN_TLS_VERSION", "13")
|
||||
os.Setenv("SFTPGO_HTTPD__BINDINGS__2__CLIENT_AUTH_TYPE", "1")
|
||||
os.Setenv("SFTPGO_HTTPD__BINDINGS__2__TLS_CIPHER_SUITES", " TLS_AES_256_GCM_SHA384 , TLS_CHACHA20_POLY1305_SHA256")
|
||||
os.Setenv("SFTPGO_HTTPD__BINDINGS__2__PROTOCOLS", "h2, http/1.1")
|
||||
os.Setenv("SFTPGO_HTTPD__BINDINGS__2__TLS_PROTOCOLS", "h2, http/1.1")
|
||||
os.Setenv("SFTPGO_HTTPD__BINDINGS__2__PROXY_ALLOWED", " 192.168.9.1 , 172.16.25.0/24")
|
||||
os.Setenv("SFTPGO_HTTPD__BINDINGS__2__CLIENT_IP_PROXY_HEADER", "X-Real-IP")
|
||||
os.Setenv("SFTPGO_HTTPD__BINDINGS__2__CLIENT_IP_HEADER_DEPTH", "2")
|
||||
|
@ -1268,7 +1268,7 @@ func TestHTTPDBindingsFromEnv(t *testing.T) {
|
|||
os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__RENDER_OPENAPI")
|
||||
os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__CLIENT_AUTH_TYPE")
|
||||
os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__TLS_CIPHER_SUITES")
|
||||
os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__PROTOCOLS")
|
||||
os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__TLS_PROTOCOLS")
|
||||
os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__PROXY_ALLOWED")
|
||||
os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__CLIENT_IP_PROXY_HEADER")
|
||||
os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__CLIENT_IP_HEADER_DEPTH")
|
||||
|
@ -1573,7 +1573,7 @@ func TestConfigFromEnv(t *testing.T) {
|
|||
os.Setenv("SFTPGO_KMS__SECRETS__URL", "local")
|
||||
os.Setenv("SFTPGO_KMS__SECRETS__MASTER_KEY_PATH", "path")
|
||||
os.Setenv("SFTPGO_TELEMETRY__TLS_CIPHER_SUITES", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA")
|
||||
os.Setenv("SFTPGO_TELEMETRY__PROTOCOLS", "h2")
|
||||
os.Setenv("SFTPGO_TELEMETRY__TLS_PROTOCOLS", "h2")
|
||||
os.Setenv("SFTPGO_HTTPD__SETUP__INSTALLATION_CODE", "123")
|
||||
os.Setenv("SFTPGO_ACME__HTTP01_CHALLENGE__PORT", "5002")
|
||||
t.Cleanup(func() {
|
||||
|
@ -1586,7 +1586,7 @@ func TestConfigFromEnv(t *testing.T) {
|
|||
os.Unsetenv("SFTPGO_KMS__SECRETS__URL")
|
||||
os.Unsetenv("SFTPGO_KMS__SECRETS__MASTER_KEY_PATH")
|
||||
os.Unsetenv("SFTPGO_TELEMETRY__TLS_CIPHER_SUITES")
|
||||
os.Unsetenv("SFTPGO_TELEMETRY__PROTOCOLS")
|
||||
os.Unsetenv("SFTPGO_TELEMETRY__TLS_PROTOCOLS")
|
||||
os.Unsetenv("SFTPGO_HTTPD__SETUP__INSTALLATION_CODE")
|
||||
os.Unsetenv("SFTPGO_ACME__HTTP01_CHALLENGE_PORT")
|
||||
})
|
||||
|
|
|
@ -505,7 +505,7 @@ type Binding struct {
|
|||
// The order matters, the ciphers listed first will be the preferred ones.
|
||||
TLSCipherSuites []string `json:"tls_cipher_suites" mapstructure:"tls_cipher_suites"`
|
||||
// HTTP protocols in preference order. Supported values: http/1.1, h2
|
||||
Protocols []string `json:"protocols" mapstructure:"protocols"`
|
||||
Protocols []string `json:"tls_protocols" mapstructure:"tls_protocols"`
|
||||
// List of IP addresses and IP ranges allowed to set client IP proxy headers and
|
||||
// X-Forwarded-Proto header.
|
||||
ProxyAllowed []string `json:"proxy_allowed" mapstructure:"proxy_allowed"`
|
||||
|
|
|
@ -80,7 +80,7 @@ type Conf struct {
|
|||
// Defines the minimum TLS version. 13 means TLS 1.3, default is TLS 1.2
|
||||
MinTLSVersion int `json:"min_tls_version" mapstructure:"min_tls_version"`
|
||||
// HTTP protocols to enable in preference order. Supported values: http/1.1, h2
|
||||
Protocols []string `json:"protocols" mapstructure:"protocols"`
|
||||
Protocols []string `json:"tls_protocols" mapstructure:"tls_protocols"`
|
||||
}
|
||||
|
||||
// ShouldBind returns true if there service must be started
|
||||
|
|
|
@ -134,7 +134,7 @@ type Binding struct {
|
|||
// The order matters, the ciphers listed first will be the preferred ones.
|
||||
TLSCipherSuites []string `json:"tls_cipher_suites" mapstructure:"tls_cipher_suites"`
|
||||
// HTTP protocols to enable in preference order. Supported values: http/1.1, h2
|
||||
Protocols []string `json:"protocols" mapstructure:"protocols"`
|
||||
Protocols []string `json:"tls_protocols" mapstructure:"tls_protocols"`
|
||||
// Prefix for WebDAV resources, if empty WebDAV resources will be available at the
|
||||
// root ("/") URI. If defined it must be an absolute URI.
|
||||
Prefix string `json:"prefix" mapstructure:"prefix"`
|
||||
|
|
|
@ -155,7 +155,7 @@
|
|||
"min_tls_version": 12,
|
||||
"client_auth_type": 0,
|
||||
"tls_cipher_suites": [],
|
||||
"protocols": [],
|
||||
"tls_protocols": [],
|
||||
"prefix": "",
|
||||
"proxy_allowed": [],
|
||||
"client_ip_proxy_header": "",
|
||||
|
@ -268,7 +268,7 @@
|
|||
"min_tls_version": 12,
|
||||
"client_auth_type": 0,
|
||||
"tls_cipher_suites": [],
|
||||
"protocols": [],
|
||||
"tls_protocols": [],
|
||||
"proxy_allowed": [],
|
||||
"client_ip_proxy_header": "",
|
||||
"client_ip_header_depth": 0,
|
||||
|
@ -373,7 +373,7 @@
|
|||
"certificate_key_file": "",
|
||||
"min_tls_version": 12,
|
||||
"tls_cipher_suites": [],
|
||||
"protocols": []
|
||||
"tls_protocols": []
|
||||
},
|
||||
"http": {
|
||||
"timeout": 20,
|
||||
|
|
Loading…
Reference in a new issue