-rw-r--r-- | docker-compose.yaml | 6 | ||||
-rw-r--r-- | go.mod | 2 | ||||
-rw-r--r-- | hived.go | 15 |
3 files changed, 19 insertions, 4 deletions
diff --git a/docker-compose.yaml b/docker-compose.yaml index 8a404a1..3be8194 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -16,13 +16,17 @@ services: depends_on: - redis entrypoint: /hived/docker-entrypoint.sh + volumes: + - /etc/letsencrypt/archive/api.terminaldweller.com/:/certs/ + cap_drop: + - ALL redis: image: redis:6.2-alpine networks: - hivednet restart: unless-stopped ports: - - "6379:6379" + - "127.0.0.1:6379:6379" environment: - ALLOW_EMPTY_PASSWORD=yes volumes: @@ -6,9 +6,7 @@ require ( github.com/Knetic/govaluate v3.0.0+incompatible github.com/go-redis/redis/v8 v8.6.0 github.com/go-telegram-bot-api/telegram-bot-api v4.6.4+incompatible - github.com/golang/protobuf v1.4.2 github.com/gorilla/mux v1.8.0 github.com/rs/zerolog v1.20.0 github.com/technoweenie/multipartstreamer v1.0.1 // indirect - google.golang.org/protobuf v1.23.0 ) @@ -5,6 +5,7 @@ import ( "context" "crypto/hmac" "crypto/sha512" + "crypto/tls" "encoding/hex" "encoding/json" "errors" @@ -601,11 +602,23 @@ func robotsHandler(w http.ResponseWriter, r *http.Request) { func startServer(gracefulWait time.Duration) { r := mux.NewRouter() + cfg := &tls.Config{ + MinVersion: tls.VersionTLS13, + CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256}, + PreferServerCipherSuites: true, + CipherSuites: []uint16{ + tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + tls.TLS_RSA_WITH_AES_256_GCM_SHA384, + tls.TLS_RSA_WITH_AES_256_CBC_SHA, + }, + } srv := &http.Server{ Addr: "0.0.0.0:" + *flagPort, WriteTimeout: time.Second * 15, ReadTimeout: time.Second * 15, Handler: r, + TLSConfig: cfg, } r.HandleFunc("/health", healthHandler) r.HandleFunc("/price", priceHandler) 
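Review bot: The new `volumes:` entry mounts the certificate directory read-write and points at letsencrypt's `archive/` rather than `live/`; with certbot's usual layout `archive/` holds only versioned files (`fullchain1.pem`, `privkey1.pem`, …) including every superseded private key, while the unversioned `fullchain.pem`/`privkey.pem` names that the server opens are symlinks under `live/`. Unless this host is laid out differently, the container will not find `/certs/fullchain.pem`, and it is handed historical keys it never needs. I would mount the current pair only and read-only, e.g. `- /etc/letsencrypt/live/api.terminaldweller.com/:/certs/:ro` together with the matching `archive/` path at the same relative location (the `live/` entries are relative symlinks into `archive/`), so a compromised process cannot modify the key material. Binding redis to `127.0.0.1:6379:6379` and `cap_drop: ALL` are sound; note that the pre-existing `ALLOW_EMPTY_PASSWORD=yes` still leaves redis unauthenticated to anything on the host.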
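Review bot: The `CipherSuites` and `PreferServerCipherSuites` fields in the new `cfg` have no effect alongside `MinVersion: tls.VersionTLS13`: Go's `tls.Config.CipherSuites` only governs TLS 1.0–1.2 (TLS 1.3 suites are not configurable), and `PreferServerCipherSuites` is a deprecated field that current Go ignores. The list is also a poor fallback should `MinVersion` ever be lowered, since `TLS_RSA_WITH_AES_256_GCM_SHA384` and `TLS_RSA_WITH_AES_256_CBC_SHA` use static RSA key exchange (no forward secrecy) and the two CBC suites are legacy. I would reduce the config to `cfg := &tls.Config{MinVersion: tls.VersionTLS13}`, keeping `CurvePreferences` only if there is a concrete reason to rank P-521 ahead of Go's defaults, which start with X25519. startServer's body continues past this hunk; the listen call that consumes `cfg` is in the following hunk.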
@@ -615,7 +628,7 @@ func startServer(gracefulWait time.Duration) { r.HandleFunc("/robots.txt", robotsHandler) go func() { - if err := srv.ListenAndServe(); err != nil { + if err := srv.ListenAndServeTLS("/certs/fullchain.pem", "/certs/privkey.pem"); err != nil { log.Fatal().Err(err) } }() |