Add an option to disable the HTTPS security checks (megaease#145)

* add an option to disable the HTTPS security checks * add some improvment * add the debug info
onyas · Jun 20, 2022 · 1c5315b · 1c5315b
1 parent 89cc8be
commit 1c5315b
Show file tree

Hide file tree

Showing 4 changed files with 50 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -493,6 +493,8 @@ http:
  ca: /path/to/file.ca
  cert: /path/to/file.crt
  key: /path/to/file.key
+ # TLS
+ insecure: true # skip any security checks, useful for self-signed and expired certs. default: false
  # HTTP successful response code range, default is [0, 499].
  success_code:
  - [200,206] # the code >=200 and <= 206

diff --git a/global/global.go b/global/global.go
@@ -95,9 +95,10 @@ type Retry struct {
 
 // TLS is the configuration for TLS files
 type TLS struct {
- CA string `yaml:"ca"`
- Cert string `yaml:"cert"`
- Key string `yaml:"key"`
+ CA string `yaml:"ca"`
+ Cert string `yaml:"cert"`
+ Key string `yaml:"key"`
+ Insecure bool `yaml:"insecure"`
 }
 
 // The normalize() function logic as below:
@@ -128,7 +129,12 @@ func ReverseMap[K comparable, V comparable](m map[K]V) map[V]K {
 
 // Config return a tls.Config object
 func (t *TLS) Config() (*tls.Config, error) {
- if len(t.CA) <= 0 || len(t.Cert) <= 0 || len(t.Key) <= 0 {
+ if len(t.CA) <= 0 {
+ // the insecure is true but no ca/cert/key, then return a tls config
+ if t.Insecure == true {
+ log.Debug("[TLS] Insecure is true but the CA is empty, return a tls config")
+ return &tls.Config{InsecureSkipVerify: true}, nil
+ }
  return nil, nil
  }
 
@@ -139,13 +145,25 @@ func (t *TLS) Config() (*tls.Config, error) {
  caCertPool := x509.NewCertPool()
  caCertPool.AppendCertsFromPEM(cert)
 
+ // only have CA file, go TLS
+ if len(t.Cert) <= 0 || len(t.Key) <= 0 {
+ log.Debug("[TLS] Only have CA file, go TLS")
+ return &tls.Config{
+ RootCAs: caCertPool,
+ InsecureSkipVerify: t.Insecure,
+ }, nil
+ }
+
+ // have both CA and cert/key, go mTLS way
+ log.Debug("[TLS] Have both CA and cert/key, go mTLS way")
  certificate, err := tls.LoadX509KeyPair(t.Cert, t.Key)
  if err != nil {
  return nil, err
  }
  return &tls.Config{
- RootCAs: caCertPool,
- Certificates: []tls.Certificate{certificate},
+ RootCAs: caCertPool,
+ Certificates: []tls.Certificate{certificate},
+ InsecureSkipVerify: t.Insecure,
  }, nil
 }
 

diff --git a/global/global_test.go b/global/global_test.go
@@ -138,15 +138,25 @@ func makeCert(path string, caCert *x509.Certificate, caKey *rsa.PrivateKey, subj
 }
 
 func TestTLS(t *testing.T) {
+ // no TLS
  _tls := TLS{}
  conn, e := _tls.Config()
  assert.Nil(t, conn)
  assert.Nil(t, e)
 
+ // only have insecure option
+ _tls = TLS{
+ Insecure: true,
+ }
+ conn, e = _tls.Config()
+ assert.NotNil(t, conn)
+ assert.Nil(t, e)
+
  path := GetWorkDir() + "/certs/"
  os.MkdirAll(path, 0755)
  defer os.RemoveAll(path)
 
+ //mTLS
  _tls = TLS{
  CA: filepath.Join(path, "./ca.crt"),
  Cert: filepath.Join(path, "./test.crt"),
@@ -194,6 +204,16 @@ func TestTLS(t *testing.T) {
  assert.NotNil(t, e)
  assert.Nil(t, conn)
  monkey.UnpatchAll()
+
+ //TLS
+ _tls = TLS{
+ CA: filepath.Join(path, "./ca.crt"),
+ Insecure: false,
+ }
+ conn, e = _tls.Config()
+ assert.Nil(t, e)
+ assert.NotNil(t, conn)
+ assert.Nil(t, conn.Certificates)
 }
 
 func TestNormalize(t *testing.T) {

diff --git a/probe/http/http.go b/probe/http/http.go
@@ -23,6 +23,7 @@ import (
  "io/ioutil"
  "net/http"
  "net/url"
+ "strconv"
  "strings"
 
  "github.com/megaease/easeprobe/global"
@@ -87,6 +88,9 @@ func (h *HTTP) Config(gConf global.ProbeSettings) error {
  return err
  }
 
+ // security check
+ log.Debugf("[%s] the security checks %s", h.ProbeName, strconv.FormatBool(h.Insecure))
+
  h.client = &http.Client{
  Timeout: h.Timeout(),
  Transport: &http.Transport{