Db tls (#102)
* go mod tidy * complete example config * add tls support for db connection * add certpool to tlsConfig * add some lil docker scripts
This commit is contained in:
parent
bbc2494c58
commit
677490bc4e
10 changed files with 302 additions and 45 deletions
|
|
@ -22,10 +22,14 @@ import (
|
|||
"context"
|
||||
"crypto/rand"
|
||||
"crypto/rsa"
|
||||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
"encoding/pem"
|
||||
"errors"
|
||||
"fmt"
|
||||
"net"
|
||||
"net/mail"
|
||||
"os"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
|
|
@ -133,6 +137,53 @@ func derivePGOptions(c *config.Config) (*pg.Options, error) {
|
|||
return nil, errors.New("no database set")
|
||||
}
|
||||
|
||||
var tlsConfig *tls.Config
|
||||
switch c.DBConfig.TLSMode {
|
||||
case config.DBTLSModeDisable, config.DBTLSModeUnset:
|
||||
break // nothing to do
|
||||
case config.DBTLSModeEnable:
|
||||
tlsConfig = &tls.Config{
|
||||
InsecureSkipVerify: true,
|
||||
}
|
||||
case config.DBTLSModeRequire:
|
||||
tlsConfig = &tls.Config{
|
||||
InsecureSkipVerify: false,
|
||||
}
|
||||
}
|
||||
|
||||
if tlsConfig != nil && c.DBConfig.TLSCACert != "" {
|
||||
// load the system cert pool first -- we'll append the given CA cert to this
|
||||
certPool, err := x509.SystemCertPool()
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error fetching system CA cert pool: %s", err)
|
||||
}
|
||||
|
||||
// open the file itself and make sure there's something in it
|
||||
caCertBytes, err := os.ReadFile(c.DBConfig.TLSCACert)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error opening CA certificate at %s: %s", c.DBConfig.TLSCACert, err)
|
||||
}
|
||||
if len(caCertBytes) == 0 {
|
||||
return nil, fmt.Errorf("ca cert at %s was empty", c.DBConfig.TLSCACert)
|
||||
}
|
||||
|
||||
// make sure we have a PEM block
|
||||
caPem, _ := pem.Decode(caCertBytes)
|
||||
if caPem == nil {
|
||||
return nil, fmt.Errorf("could not parse cert at %s into PEM", c.DBConfig.TLSCACert)
|
||||
}
|
||||
|
||||
// parse the PEM block into the certificate
|
||||
caCert, err := x509.ParseCertificate(caPem.Bytes)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("could not parse cert at %s into x509 certificate: %s", c.DBConfig.TLSCACert, err)
|
||||
}
|
||||
|
||||
// we're happy, add it to the existing pool and then use this pool in our tls config
|
||||
certPool.AddCert(caCert)
|
||||
tlsConfig.RootCAs = certPool
|
||||
}
|
||||
|
||||
// We can rely on the pg library we're using to set
|
||||
// sensible defaults for everything we don't set here.
|
||||
options := &pg.Options{
|
||||
|
|
@ -141,6 +192,7 @@ func derivePGOptions(c *config.Config) (*pg.Options, error) {
|
|||
Password: c.DBConfig.Password,
|
||||
Database: c.DBConfig.Database,
|
||||
ApplicationName: c.ApplicationName,
|
||||
TLSConfig: tlsConfig,
|
||||
}
|
||||
|
||||
return options, nil
|
||||
|
|
|
|||
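Review bot: In the `config.DBTLSModeEnable` branch `InsecureSkipVerify: true` stays in force, so when `TLSCACert` is also configured the certificate is loaded into `RootCAs` but never consulted and the server's identity is not checked at all; either skip the CA loading in that mode or, once a CA file is supplied, set `tlsConfig.InsecureSkipVerify = false` so the given CA actually governs verification, and add a comment on the switch noting that "require" here verifies the chain, unlike libpq's sslmode=require. The CA loading uses `pem.Decode`, which returns only the first block, so a bundle holding an intermediate plus root keeps just the first certificate; `if !certPool.AppendCertsFromPEM(caCertBytes) { return nil, fmt.Errorf("no certificates found in CA file at %s", c.DBConfig.TLSCACert) }` handles every block and replaces the decode/ParseCertificate/AddCert sequence. Whether go-pg fills `ServerName` from `Addr` when it is empty cannot be confirmed from this hunk; if it does not, the require path needs it set explicitly for hostname verification to succeed. The `fmt.Errorf` calls wrap the os and x509 errors with `%s`; `%w` would keep them reachable through `errors.Is`/`errors.As`.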