server: drop in-process TLS — HTTP-only behind reverse proxy
Self-hosted deployments already terminate TLS at Caddy/Traefik/nginx; making the server do TLS too means double cert config, dual ACME plumbing, and an untested code path. Drop RM_TLS_CERT/RM_TLS_KEY, remove TLSEnabled() and the ListenAndServeTLS branch. Replace the cookie's "Secure if TLS-in-process" check with a new RM_COOKIE_SECURE flag (default true). Local HTTP-only testing sets RM_COOKIE_SECURE=false; production is always behind a TLS proxy and the cookie stays Secure. Default port :8443 → :8080. docker-compose binds 127.0.0.1 only and populates RM_TRUSTED_PROXY. spec.md §4.1/§10.1 rewritten with a Caddyfile snippet and a hard "do not expose RM_LISTEN publicly" warning. enrollResponse keeps cert_pin_sha256 in the shape but the server can't introspect a cert it doesn't terminate — operator pastes the proxy's hash into -cert-pin at install time. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -16,14 +16,21 @@ import (
|
||||
// Config holds runtime parameters resolved from env + (optionally) a
|
||||
// YAML file. Env wins over YAML so operators can tweak a single var
|
||||
// without rewriting the file.
|
||||
//
|
||||
// The server is HTTP-only by design: the expected deployment fronts it
|
||||
// with a TLS-terminating reverse proxy (Caddy/Traefik/nginx). See
|
||||
// spec.md §11 for the rationale.
|
||||
type Config struct {
|
||||
Listen string `yaml:"listen"`
|
||||
DataDir string `yaml:"data_dir"`
|
||||
BaseURL string `yaml:"base_url"`
|
||||
TLSCert string `yaml:"tls_cert"`
|
||||
TLSKey string `yaml:"tls_key"`
|
||||
SecretKeyFile string `yaml:"secret_key_file"`
|
||||
TrustedProxies []string `yaml:"trusted_proxies"`
|
||||
// CookieSecure controls the Secure attribute on session cookies.
|
||||
// Defaults to true. Set RM_COOKIE_SECURE=false only for local HTTP
|
||||
// testing — production deployments are always behind a TLS proxy
|
||||
// and the cookie must be Secure.
|
||||
CookieSecure bool `yaml:"cookie_secure"`
|
||||
}
|
||||
|
||||
// Load resolves config in this order:
|
||||
@@ -35,8 +42,9 @@ type Config struct {
|
||||
// safe to start.
|
||||
func Load(yamlPath string) (Config, error) {
|
||||
c := Config{
|
||||
Listen: ":8443",
|
||||
DataDir: "/data",
|
||||
Listen: ":8080",
|
||||
DataDir: "/data",
|
||||
CookieSecure: true,
|
||||
}
|
||||
|
||||
if yamlPath != "" {
|
||||
@@ -60,15 +68,17 @@ func Load(yamlPath string) (Config, error) {
|
||||
if v, ok := os.LookupEnv("RM_BASE_URL"); ok {
|
||||
c.BaseURL = v
|
||||
}
|
||||
if v, ok := os.LookupEnv("RM_TLS_CERT"); ok {
|
||||
c.TLSCert = v
|
||||
}
|
||||
if v, ok := os.LookupEnv("RM_TLS_KEY"); ok {
|
||||
c.TLSKey = v
|
||||
}
|
||||
if v, ok := os.LookupEnv("RM_SECRET_KEY_FILE"); ok {
|
||||
c.SecretKeyFile = v
|
||||
}
|
||||
if v, ok := os.LookupEnv("RM_COOKIE_SECURE"); ok {
|
||||
// Anything other than "false"/"0" leaves the safe default.
|
||||
if v == "false" || v == "0" {
|
||||
c.CookieSecure = false
|
||||
} else {
|
||||
c.CookieSecure = true
|
||||
}
|
||||
}
|
||||
if v, ok := os.LookupEnv("RM_TRUSTED_PROXY"); ok {
|
||||
// Comma-separated CIDRs; allow whitespace for readability.
|
||||
parts := strings.Split(v, ",")
|
||||
@@ -103,12 +113,5 @@ func (c *Config) validate() error {
|
||||
return fmt.Errorf("config: RM_TRUSTED_PROXY entry %q is not a valid CIDR: %w", cidr, err)
|
||||
}
|
||||
}
|
||||
// TLS pair: either both set or both unset (HTTP-only mode for dev).
|
||||
if (c.TLSCert == "") != (c.TLSKey == "") {
|
||||
return fmt.Errorf("config: RM_TLS_CERT and RM_TLS_KEY must be set together (or both unset)")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// TLSEnabled is true when both cert and key are configured.
|
||||
func (c Config) TLSEnabled() bool { return c.TLSCert != "" && c.TLSKey != "" }
|
||||
|
||||
@@ -6,14 +6,14 @@ import (
|
||||
)
|
||||
|
||||
func TestDefaultsValid(t *testing.T) {
|
||||
t.Setenv("RM_LISTEN", ":8443")
|
||||
t.Setenv("RM_LISTEN", ":8080")
|
||||
t.Setenv("RM_DATA_DIR", "/tmp/rm-test")
|
||||
|
||||
c, err := Load("")
|
||||
if err != nil {
|
||||
t.Fatalf("load: %v", err)
|
||||
}
|
||||
if c.Listen != ":8443" {
|
||||
if c.Listen != ":8080" {
|
||||
t.Errorf("listen: %q", c.Listen)
|
||||
}
|
||||
if c.SecretKeyFile != "/tmp/rm-test/secret.key" {
|
||||
@@ -50,7 +50,7 @@ func TestEnvOverridesYAML(t *testing.T) {
|
||||
}
|
||||
|
||||
func TestTrustedProxyParsing(t *testing.T) {
|
||||
t.Setenv("RM_LISTEN", ":8443")
|
||||
t.Setenv("RM_LISTEN", ":8080")
|
||||
t.Setenv("RM_DATA_DIR", "/tmp/x")
|
||||
t.Setenv("RM_TRUSTED_PROXY", "10.0.0.0/8, 192.168.1.0/24")
|
||||
|
||||
@@ -67,7 +67,7 @@ func TestTrustedProxyParsing(t *testing.T) {
|
||||
}
|
||||
|
||||
func TestTrustedProxyRejectsGarbage(t *testing.T) {
|
||||
t.Setenv("RM_LISTEN", ":8443")
|
||||
t.Setenv("RM_LISTEN", ":8080")
|
||||
t.Setenv("RM_DATA_DIR", "/tmp/x")
|
||||
t.Setenv("RM_TRUSTED_PROXY", "not-a-cidr")
|
||||
|
||||
@@ -76,14 +76,25 @@ func TestTrustedProxyRejectsGarbage(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func TestTLSPairConsistency(t *testing.T) {
|
||||
t.Setenv("RM_LISTEN", ":8443")
|
||||
func TestCookieSecureDefaultAndOverride(t *testing.T) {
|
||||
t.Setenv("RM_LISTEN", ":8080")
|
||||
t.Setenv("RM_DATA_DIR", "/tmp/x")
|
||||
t.Setenv("RM_TLS_CERT", "/some/cert.pem")
|
||||
// key intentionally unset
|
||||
|
||||
if _, err := Load(""); err == nil {
|
||||
t.Fatal("expected error: cert without key")
|
||||
c, err := Load("")
|
||||
if err != nil {
|
||||
t.Fatalf("load: %v", err)
|
||||
}
|
||||
if !c.CookieSecure {
|
||||
t.Errorf("CookieSecure should default to true")
|
||||
}
|
||||
|
||||
t.Setenv("RM_COOKIE_SECURE", "false")
|
||||
c, err = Load("")
|
||||
if err != nil {
|
||||
t.Fatalf("load: %v", err)
|
||||
}
|
||||
if c.CookieSecure {
|
||||
t.Errorf("CookieSecure should be false when RM_COOKIE_SECURE=false")
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -71,7 +71,7 @@ func (s *Server) handleLogin(w stdhttp.ResponseWriter, r *stdhttp.Request) {
|
||||
Value: token,
|
||||
Path: "/",
|
||||
HttpOnly: true,
|
||||
Secure: s.deps.Cfg.TLSEnabled(),
|
||||
Secure: s.deps.Cfg.CookieSecure,
|
||||
SameSite: stdhttp.SameSiteLaxMode,
|
||||
Expires: sess.ExpiresAt,
|
||||
})
|
||||
@@ -97,7 +97,7 @@ func (s *Server) handleLogout(w stdhttp.ResponseWriter, r *stdhttp.Request) {
|
||||
Path: "/",
|
||||
MaxAge: -1,
|
||||
HttpOnly: true,
|
||||
Secure: s.deps.Cfg.TLSEnabled(),
|
||||
Secure: s.deps.Cfg.CookieSecure,
|
||||
SameSite: stdhttp.SameSiteLaxMode,
|
||||
})
|
||||
w.WriteHeader(stdhttp.StatusNoContent)
|
||||
|
||||
@@ -27,9 +27,12 @@ type enrollRequest struct {
|
||||
|
||||
// enrollResponse hands the agent the credentials it'll use forever.
|
||||
// AgentToken is shown exactly once; the server stores its hash.
|
||||
// CertPinSHA256 is the SHA-256 of the server's certificate, base64;
|
||||
// the agent pins this on every reconnect so a stolen DB at the
|
||||
// control plane can't be replayed against an attacker's TLS endpoint.
|
||||
//
|
||||
// CertPinSHA256 is reserved for future use. The server is HTTP-only
|
||||
// and sits behind a reverse proxy that owns the TLS cert; pinning is
|
||||
// configured at the agent install step (`-cert-pin`) by the operator
|
||||
// pasting in the proxy's cert hash. The field stays in the response
|
||||
// shape so we can populate it later if the topology changes.
|
||||
type enrollResponse struct {
|
||||
HostID string `json:"host_id"`
|
||||
AgentToken string `json:"agent_token"`
|
||||
@@ -109,9 +112,11 @@ func (s *Server) handleAgentEnroll(w stdhttp.ResponseWriter, r *stdhttp.Request)
|
||||
writeJSON(w, stdhttp.StatusCreated, enrollResponse{
|
||||
HostID: hostID,
|
||||
AgentToken: agentToken,
|
||||
// CertPinSHA256 is populated by a TLS-aware future revision.
|
||||
// For now (HTTP-or-TLS-by-Caddy) we leave it empty and rely
|
||||
// on the agent trusting its OS root store.
|
||||
// CertPinSHA256: the server is HTTP-only and sits behind a
|
||||
// reverse proxy that owns the cert. The operator pastes the
|
||||
// proxy's cert hash into the install command (`-cert-pin`)
|
||||
// when they want pinning; the server cannot introspect a
|
||||
// cert it doesn't terminate.
|
||||
})
|
||||
}
|
||||
|
||||
|
||||
@@ -86,6 +86,9 @@ func (s *Server) routes(r chi.Router) {
|
||||
|
||||
// Run-now: dispatch a job to a host's agent.
|
||||
r.Post("/hosts/{id}/jobs", s.handleRunNow)
|
||||
|
||||
// Snapshot projection (refreshed by the agent after each backup).
|
||||
r.Get("/hosts/{id}/snapshots", s.handleListHostSnapshots)
|
||||
})
|
||||
|
||||
// Agent ↔ server WebSocket. Bearer-authenticated inside the handler.
|
||||
@@ -109,16 +112,9 @@ func (s *Server) routes(r chi.Router) {
|
||||
}
|
||||
|
||||
// Start begins listening. Blocks until ListenAndServe returns
|
||||
// (typically only on Shutdown). Pass the result to errgroup.Group.Go.
|
||||
// (typically only on Shutdown). The server is HTTP-only by design;
|
||||
// production deployments terminate TLS at a reverse proxy in front.
|
||||
func (s *Server) Start() error {
|
||||
cfg := s.deps.Cfg
|
||||
if cfg.TLSEnabled() {
|
||||
err := s.srv.ListenAndServeTLS(cfg.TLSCert, cfg.TLSKey)
|
||||
if errors.Is(err, stdhttp.ErrServerClosed) {
|
||||
return nil
|
||||
}
|
||||
return err
|
||||
}
|
||||
err := s.srv.ListenAndServe()
|
||||
if errors.Is(err, stdhttp.ErrServerClosed) {
|
||||
return nil
|
||||
|
||||
Reference in New Issue
Block a user