auto upgrade to HTTPS

cmd/client/command/common.go

@@ -23,6 +23,7 @@ import (
  "fmt"
  "io"
  "net/http"
+ "strings"
 
  "github.com/megaease/easegress/pkg/util/codectool"
  "github.com/spf13/cobra"
@@ -32,7 +33,7 @@ type (
  // GlobalFlags is the global flags for the whole client.
  GlobalFlags struct {
  Server string
- SSL  bool
+ ForceTLS bool
  InsecureSkipVerify bool
  OutputFormat string
  }
@@ -115,14 +116,17 @@ const (
 
  // MeshIngressURL is the mesh ingress path.
  MeshIngressURL = apiURL + "/mesh/ingresses/%s"
+
+ // HTTPProtocal is prefix for HTTP protocal
+ HTTPProtocal = "http:https://"
+ // HTTPSProtocal is prefix for HTTPS protocal
+ HTTPSProtocal = "https://"
 )
 
 func makeURL(urlTemplate string, a ...interface{}) string {
- var p string
- if CommandlineGlobalFlags.SSL {
- p = "https://"
- } else {
- p = "http:https://"
+ p := HTTPProtocal
+ if CommandlineGlobalFlags.ForceTLS {
+ p = HTTPSProtocal
  }
  return p + CommandlineGlobalFlags.Server + fmt.Sprintf(urlTemplate, a...)
 }
@@ -141,30 +145,22 @@ func handleRequest(httpMethod string, url string, yamlBody []byte, cmd *cobra.Co
  }
  }
 
- req, err := http.NewRequest(httpMethod, url, bytes.NewReader(jsonBody))
- if err != nil {
- ExitWithError(err)
- }
-
  tr := http.Transport{
  TLSClientConfig: &tls.Config{InsecureSkipVerify: CommandlineGlobalFlags.InsecureSkipVerify},
  }
  client := &http.Client{Transport: &tr}
- resp, err := client.Do(req)
- if err != nil {
- ExitWithErrorf("%s failed: %v", cmd.Short, err)
- }
- defer resp.Body.Close()
+ resp, body := doRequest(httpMethod, url, jsonBody, client, cmd)
 
- body, err := io.ReadAll(resp.Body)
- if err != nil {
- ExitWithErrorf("%s failed: %v", cmd.Short, err)
+ if resp.StatusCode == 400 && strings.Contains(string(body), "Client sent an HTTP request to an HTTPS server") {
+ fmt.Println("Warning: upgraded to HTTPS, it's better to turn on option --force-tls")
+ url = strings.ReplaceAll(url, HTTPProtocal, HTTPSProtocal)
+ resp, body = doRequest(httpMethod, url, jsonBody, client, cmd)
  }
 
  if !successfulStatusCode(resp.StatusCode) {
  msg := string(body)
  apiErr := &APIErr{}
- err = codectool.Unmarshal(body, apiErr)
+ err := codectool.Unmarshal(body, apiErr)
  if err == nil {
  msg = apiErr.Message
  }
@@ -176,6 +172,24 @@ func handleRequest(httpMethod string, url string, yamlBody []byte, cmd *cobra.Co
  }
 }
 
+func doRequest(httpMethod string, url string, jsonBody []byte, client *http.Client, cmd *cobra.Command) (*http.Response, []byte) {
+ req, err := http.NewRequest(httpMethod, url, bytes.NewReader(jsonBody))
+ if err != nil {
+ ExitWithError(err)
+ }
+ resp, err := client.Do(req)
+ if err != nil {
+ ExitWithErrorf("%s failed: %v", cmd.Short, err)
+ }
+ defer resp.Body.Close()
+
+ body, err := io.ReadAll(resp.Body)
+ if err != nil {
+ ExitWithErrorf("%s failed: %v", cmd.Short, err)
+ }
+ return resp, body
+}
+
 func printBody(body []byte) {
  var output []byte
  switch CommandlineGlobalFlags.OutputFormat {

cmd/client/main.go

@@ -118,8 +118,8 @@ func main() {
 
  rootCmd.PersistentFlags().StringVar(&command.CommandlineGlobalFlags.Server,
  "server", "localhost:2381", "The address of the Easegress endpoint")
- rootCmd.PersistentFlags().BoolVar(&command.CommandlineGlobalFlags.SSL,
- "ssl", false, "Whether to use secure transport protocal(https)")
+ rootCmd.PersistentFlags().BoolVar(&command.CommandlineGlobalFlags.ForceTLS,
+ "force-tls", false, "Whether to forcibly use secure transport protocal(https), if not, client will auto upgraded to HTTPS on-demand")
  rootCmd.PersistentFlags().BoolVar(&command.CommandlineGlobalFlags.InsecureSkipVerify,
  "insecure-skip-verify", false, "Whether to verify the server's certificate chain and host name")
  rootCmd.PersistentFlags().StringVarP(&command.CommandlineGlobalFlags.OutputFormat,

pkg/api/server.go

@@ -84,7 +84,7 @@ func MustNewServer(opt *option.Options, cls cluster.Cluster, super *supervisor.S
 
  go func() {
  var err error
- if s.opt.SSL {
+ if s.opt.TLS {
  logger.Infof("api server (https) running in %s", opt.APIAddr)
  err = s.server.ListenAndServeTLS(s.opt.CertFile, s.opt.KeyFile)
  } else {

pkg/option/option.go

@@ -69,7 +69,7 @@ type Options struct {
  Name string `yaml:"name" env:"EG_NAME"`
  Labels map[string]string `yaml:"labels" env:"EG_LABELS"`
  APIAddr string `yaml:"api-addr"`
- SSL bool `yaml:"ssl"`
+ TLS bool `yaml:"tls"`
  CertFile string `yaml:"cert-file"`
  KeyFile string `yaml:"key-file"`
  Debug bool `yaml:"debug"`
@@ -141,7 +141,7 @@ func New() *Options {
  opt.flags.BoolVar(&opt.UseStandaloneEtcd, "use-standalone-etcd", false, "Use standalone etcd instead of embedded .")
  addClusterVars(opt)
  opt.flags.StringVar(&opt.APIAddr, "api-addr", "localhost:2381", "Address([host]:port) to listen on for administration traffic.")
- opt.flags.BoolVar(&opt.SSL, "ssl", false, "Flag to use secure transport protocol(https).")
+ opt.flags.BoolVar(&opt.TLS, "tls", false, "Flag to use secure transport protocol(https).")
  opt.flags.StringVar(&opt.CertFile, "cert-file", "", "Flag to set the certificate file for https.")
  opt.flags.StringVar(&opt.KeyFile, "key-file", "", "Flag to set the private key file for https.")
  opt.flags.BoolVar(&opt.Debug, "debug", false, "Flag to set lowest log level from INFO downgrade DEBUG.")
@@ -347,7 +347,7 @@ func (opt *Options) validate() error {
  if !opt.UseInitialCluster() && opt.MemberDir == "" {
  return fmt.Errorf("empty member-dir")
  }
- if opt.SSL && (opt.CertFile == "" || opt.KeyFile == "") {
+ if opt.TLS && (opt.CertFile == "" || opt.KeyFile == "") {
  return fmt.Errorf("empty cert file or key file")
  }