diff --git a/Dockerfile b/Dockerfile
index 992de08..2130dce 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -49,4 +49,5 @@ COPY --chown=app:app --from=compile-stage /app/static /static
 # copy the data folder with the correct permissions for the volume mount
 COPY --chown=app:app --from=compile-stage /app/data /data
 VOLUME /data
+COPY --chown=app:app --from=compile-stage /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 ENTRYPOINT ["/beacon"]
diff --git a/auth/heimdall/heimdall.go b/auth/heimdall/heimdall.go
index e046013..4f2cf10 100644
--- a/auth/heimdall/heimdall.go
+++ b/auth/heimdall/heimdall.go
@@ -3,11 +3,14 @@ package heimdall
 import (
 	"bufio"
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/json"
 	"errors"
 	"io"
 	"log"
 	"net/http"
+	"os"
 	"slices"
 	"time"
 
@@ -43,8 +46,21 @@ var (
 )
 
 func New(dir directory.Directory[resource.Resource[resource.Content]]) *HeimdallAuth {
+	pool := x509.NewCertPool()
+	certFile, err := os.ReadFile(config.CaCertificatesFilePath)
+	if err != nil {
+		panic("Could not open " + config.CaCertificatesFilePath + ": " + err.Error())
+	}
+	ok := pool.AppendCertsFromPEM(certFile)
+	if !ok {
+		panic("Certificates were not parsed correctly from: " + config.CaCertificatesFilePath)
+	}
 	auth := HeimdallAuth{
-		client: http.DefaultClient,
+		client: &http.Client{
+			Transport: &http.Transport{
+				TLSClientConfig: &tls.Config{RootCAs: pool},
+			},
+		},
 	}
 	go func() {
 		for {
diff --git a/config/config.go b/config/config.go
index 54d7be3..8b66044 100644
--- a/config/config.go
+++ b/config/config.go
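Review bot: The added CA bundle is copied with `--chown=app:app`, which makes the process's trust anchors writable by the same user the service runs as, so any compromise of the `/beacon` process could also alter which roots the Heimdall TLS connection trusts. A reader only needs the file to be world-readable, and root ownership (the default for `COPY`) gives that while keeping the trust store immutable to the application: `COPY --from=compile-stage /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt`. The bundle is also frozen at image build time, so rotated or withdrawn roots only reach the runtime stage on a rebuild; a one-line comment such as `# CA bundle snapshot taken from the build stage; refresh by rebuilding the image` would make that explicit for whoever maintains the base image.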
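Review bot: The new client in `New` replaces `http.DefaultClient` with a bare `http.Transport` that sets only `TLSClientConfig`, which silently drops every default the previous transport carried (proxy from environment, dial and TLS-handshake timeouts, idle-connection limits, HTTP/2 negotiation), and the `http.Client` still has no `Timeout`, so a stalled Heimdall backend can block callers indefinitely. Cloning `http.DefaultTransport` and overriding only `RootCAs` keeps those defaults, and a client-level `Timeout` bounds each request; the 30s below is illustrative and should be sized to the expected auth round-trip. The startup `panic` on a missing or unparsable bundle is a sensible fail-closed choice, though its first message says "open" for what is an `os.ReadFile` failure; `panic("Could not read " + config.CaCertificatesFilePath + ": " + err.Error())` would be accurate. The body of `New` continues outside the hunk.
```go
func New(dir directory.Directory[resource.Resource[resource.Content]]) *HeimdallAuth {
	// … unchanged: pool construction from config.CaCertificatesFilePath …
	tr := http.DefaultTransport.(*http.Transport).Clone()
	tr.TLSClientConfig = &tls.Config{RootCAs: pool}
	auth := HeimdallAuth{
		// illustrative bound; size to the expected Heimdall round-trip
		client: &http.Client{Transport: tr, Timeout: 30 * time.Second},
	}
	// … unchanged: background refresh goroutine …
```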
@@ -39,8 +39,9 @@ var (
 	LegacyDatabasePassword string = GetString("DB_PASSWORD", "postgres")
 	LegacyDatabaseName string = GetString("DB_NAME", "LHP")
 	DatabaseQueryInterval time.Duration = GetDuration("DB_QUERY_PERIOD", 1*time.Second)
-	// jwt (unfinished test)
-	JWTPrivateKey []byte = []byte(GetString("JWT_PRIVATE_KEY", "")) // generates a new random key if empty
+
+	// TLS certificates (for https client)
+	CaCertificatesFilePath string = GetString("CA_CERTIFICATES_FILE_PATH", "/etc/ssl/certs/ca-certificates.crt")
 	// logging
 	VerboseLogging bool = GetBool("VERBOSE_LOGGING", false)