summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorWolfy-J <[email protected]>2019-12-23 16:41:24 +0300
committerWolfy-J <[email protected]>2019-12-23 16:41:24 +0300
commita006a2d7dde5b01e6478c552d03fb2d592fb579e (patch)
tree523fd449c4d5bd1989c65acc549c08b80582065d
parentd60b38a4867493dbc72124ddf4efc4df775eeb90 (diff)
- bump the minimum TLS version to TLS 1.2
- added `Strict-Transport-Security` header for TLS requests
-rw-r--r--CHANGELOG.md2
-rw-r--r--service/http/service.go19
2 files changed, 19 insertions, 2 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4b2a669c..ceeb077d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,8 @@ v1.5.3
- "Server closed" error has been supressed
- added the ability to specificy any config value via json flag `-j`
- minor improvements in travis pipeline
+- bump the minimum TLS version to TLS 1.2
+- added `Strict-Transport-Security` header for TLS requests
v1.5.2 (05.12.2019)
-------------------
diff --git a/service/http/service.go b/service/http/service.go
index abe7b3a7..fb4b51df 100644
--- a/service/http/service.go
+++ b/service/http/service.go
@@ -2,6 +2,7 @@ package http
import (
"context"
+ "crypto/tls"
"fmt"
"github.com/sirupsen/logrus"
"github.com/spiral/roadrunner"
@@ -153,7 +154,11 @@ func (s *Service) Serve() error {
if s.https != nil {
go func() {
- httpErr := s.https.ListenAndServeTLS(s.cfg.SSL.Cert, s.cfg.SSL.Key)
+ httpErr := s.https.ListenAndServeTLS(
+ s.cfg.SSL.Cert,
+ s.cfg.SSL.Key,
+ )
+
if httpErr != nil && httpErr != http.ErrServerClosed {
err <- httpErr
} else {
@@ -236,6 +241,10 @@ func (s *Service) ServeHTTP(w http.ResponseWriter, r *http.Request) {
return
}
+ if s.https != nil && r.TLS != nil {
+ w.Header().Add("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
+ }
+
r = attributes.Init(r)
// chaining middleware
@@ -248,7 +257,13 @@ func (s *Service) ServeHTTP(w http.ResponseWriter, r *http.Request) {
// Init https server.
func (s *Service) initSSL() *http.Server {
- server := &http.Server{Addr: s.tlsAddr(s.cfg.Address, true), Handler: s}
+ server := &http.Server{
+ Addr: s.tlsAddr(s.cfg.Address, true),
+ Handler: s,
+ TLSConfig: &tls.Config{
+ MinVersion: tls.VersionTLS12,
+ },
+ }
s.throw(EventInitSSL, server)
return server