[v1] Add HTTP TLS (issue #393)

cmd/exporter/main.go

@@ -36,6 +36,13 @@ func main() {
 
 	port, host := config.Port, config.Host
 	logstashUrl := config.LogstashUrl
+	enableSSL := config.EnableSSL == "TRUE"
+	sslCertDir := config.SSLCertDir
+	sslKeyDir := config.SSLKeyDir
+	tlsConfig, err := config.SetupTLS()
+	if err != nil {
+		log.Fatalf("failed to setup tls: %s",err)
+	}
 
 	slog.Debug("application starting... ")
 	versionInfo := config.GetVersionInfo()
@@ -56,8 +63,15 @@ func main() {
 	prometheus.MustRegister(collectorManager)
 
 	slog.Info("starting server on", "host", host, "port", port)
-	if err := appServer.ListenAndServe(); err != nil {
+	if enableSSL {
+		appServer.TLSConfig = tlsConfig
+		err = appServer.ListenAndServeTLS(sslCertDir, sslKeyDir)
+	} else {
+		err = appServer.ListenAndServe()
+	}
+
+	if err != nil {
 		slog.Error("failed to listen and serve", "err", err)
-		os.Exit(1)
+	    os.Exit(1)
 	}
 }

config/server_config.go

@@ -1,6 +1,21 @@
 package config
 
 var (
+	// SSL determines if the exporter should use HTTPS instead of HTTP
+	// Defaults to "FALSE"
+	// Can be overridden by setting the SSL environment variable
+	EnableSSL = getEnvWithDefault("ENABLE_SSL", "FALSE")
+
+	// SSL_CERT_DIR specifies the directory path containing the SSL certificate file
+	// Must be set if SSL is "TRUE"
+	// Can be overridden by setting the SSL_CERT_DIR environment variable
+	SSLCertDir = getEnvWithDefault("SSL_CERT_DIR","")
+
+	// SSL_KEY_DIR specifies the directory path containing the SSL private key file
+	// Must be set if SSL is "TRUE"
+	// Can be overridden by setting the SSL_KEY_DIR environment variable
+	SSLKeyDir = getEnvWithDefault("SSL_KEY_DIR","")
+
 	// Port is the port the exporter will listen on.
 	// Defaults to 9198
 	// Can be overridden by setting the PORT environment variable

config/tls_config.go

@@ -0,0 +1,55 @@
+package config
+
+import (
+    "fmt"
+    "crypto/tls"
+	"strings"
+)
+
+var(
+	SSLCipherList = getEnvWithDefault("SSL_CIPHER_LIST","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA")
+	SSLMinVersion = getEnvWithDefault("SSL_MIN_VERSION","1.2")
+)
+
+func SetupTLS() (*tls.Config, error) {
+	var cipherSuites []uint16
+	if SSLCipherList != "" {
+		cipherMap := make(map[string]uint16)
+		for _, suite := range tls.CipherSuites() {
+			cipherMap[suite.Name] = suite.ID
+		}
+		for _, suite := range tls.InsecureCipherSuites() {
+			cipherMap[suite.Name] = suite.ID
+		}
+
+		for _, cipher := range strings.Split(SSLCipherList, ",") {
+			cipher = strings.TrimSpace(cipher)
+			if id, exists := cipherMap[cipher]; exists {
+				cipherSuites = append(cipherSuites, id)
+			} else {
+				return nil, fmt.Errorf("unsupported cipher suite: %s", cipher)
+			}
+		}
+	}
+
+	var minVersion uint16
+	switch SSLMinVersion {
+	case "1.0":
+		minVersion = tls.VersionTLS10
+	case "1.1":
+		minVersion = tls.VersionTLS11
+	case "1.2":
+		minVersion = tls.VersionTLS12
+	case "1.3", "":
+		minVersion = tls.VersionTLS13 
+	default:
+		return nil, fmt.Errorf("invalid TLS version: %s", SSLMinVersion)
+	}
+
+	tlsConfig := &tls.Config{
+		MinVersion:   minVersion,
+		CipherSuites: cipherSuites,
+	}
+
+	return tlsConfig, nil
+}

config/tls_config_test.go

@@ -0,0 +1,33 @@
+package config
+
+import (
+	"crypto/tls"
+	"testing"
+)
+
+func TestSetupTLS(t *testing.T) {
+	tlsConfig, err := SetupTLS()
+
+	if err != nil {
+		t.Fatalf("Unexpected error setting up TLS: %v", err)
+	}
+
+	if tlsConfig == nil {
+		t.Fatal("Expected TLS config, got nil")
+	}
+
+	if tlsConfig.MinVersion != tls.VersionTLS12 {
+		t.Errorf("Expected MinVersion TLS 1.2, got %d", tlsConfig.MinVersion)
+	}
+
+	expectedCipherSuites := []uint16{
+		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+		tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+	}
+
+	if len(tlsConfig.CipherSuites) != len(expectedCipherSuites) {
+		t.Errorf("Expected %d cipher suites, got %d", len(expectedCipherSuites), len(tlsConfig.CipherSuites))
+	}
+}