Added HTTPS/TLS support.

mhindery · Nov 28, 2016 · aef090c · aef090c
1 parent 533848c
commit aef090c
Showing 1 changed file with 60 additions and 5 deletions.
diff --git a/mongodb_exporter.go b/mongodb_exporter.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	"crypto/tls"
 	"flag"
 	"fmt"
 	"io/ioutil"
@@ -30,11 +31,22 @@ var (
 	listenAddressFlag = flag.String("web.listen-address", ":9104", "Address on which to expose metrics and web interface.")
 	metricsPathFlag   = flag.String("web.metrics-path", "/metrics", "Path under which to expose metrics.")
 	webAuthFile       = flag.String("web.auth-file", "", "Path to YAML file with server_user, server_password options for http basic auth (overrides HTTP_AUTH env var).")
+	sslCertFile       = flag.String("web.ssl-cert-file", "", "Path to SSL certificate file.")
+	sslKeyFile        = flag.String("web.ssl-key-file", "", "Path to SSL key file.")
 
 	mongodbURIFlag    = flag.String("mongodb.uri", mongodbDefaultUri(), "Mongodb URI, format: [mongodb://][user:pass@]host1[:port1][,host2[:port2],...][/database][?options]")
 	enabledGroupsFlag = flag.String("groups.enabled", "asserts,durability,background_flushing,connections,extra_info,global_lock,index_counters,network,op_counters,op_counters_repl,memory,locks,metrics", "Comma-separated list of groups to use, for more info see: docs.mongodb.org/manual/reference/command/serverStatus/")
 )
 
+var landingPage = []byte(`<html>
+<head><title>MongoDB exporter</title></head>
+<body>
+<h1>MongoDB exporter</h1>
+<p><a href='` + *metricsPathFlag + `'>Metrics</a></p>
+</body>
+</html>
+`)
+
 func printVersion() {
 	fmt.Printf("mongodb_exporter version: %s, git commit hash: %s\n", version, versionGitCommit)
 }
@@ -102,12 +114,55 @@ func startWebServer() {
 
 	registerCollector()
 
-	http.Handle(*metricsPathFlag, handler)
-	fmt.Printf("Listening on %s\n", *listenAddressFlag)
-	err := http.ListenAndServe(*listenAddressFlag, nil)
+	if *sslCertFile != "" && *sslKeyFile == "" || *sslCertFile == "" && *sslKeyFile != "" {
+		panic("One of the flags -web.ssl-cert or -web.ssl-key is missed to enable HTTPS/TLS")
+	}
+	ssl := false
+	if *sslCertFile != "" && *sslKeyFile != "" {
+		if _, err := os.Stat(*sslCertFile); os.IsNotExist(err) {
+			panic(fmt.Sprintf("SSL certificate file does not exist: %s", *sslCertFile))
+		}
+		if _, err := os.Stat(*sslKeyFile); os.IsNotExist(err) {
+			panic(fmt.Sprintf("SSL key file does not exist: %s", *sslKeyFile))
+		}
+		ssl = true
+		fmt.Println("HTTPS/TLS is enabled")
+	}
 
-	if err != nil {
-		panic(err)
+	fmt.Printf("Listening on %s\n", *listenAddressFlag)
+	if ssl {
+		// https
+		mux := http.NewServeMux()
+		mux.Handle(*metricsPathFlag, handler)
+		mux.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
+			w.Header().Add("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
+			w.Write(landingPage)
+		})
+		tlsCfg := &tls.Config{
+			MinVersion:               tls.VersionTLS12,
+			CurvePreferences:         []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
+			PreferServerCipherSuites: true,
+			CipherSuites: []uint16{
+				tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+				tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+				tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+				tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+			},
+		}
+		srv := &http.Server{
+			Addr:         *listenAddressFlag,
+			Handler:      mux,
+			TLSConfig:    tlsCfg,
+			TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler), 0),
+		}
+		panic(srv.ListenAndServeTLS(*sslCertFile, *sslKeyFile))
+	} else {
+		// http
+		http.Handle(*metricsPathFlag, handler)
+		http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+			w.Write(landingPage)
+		})
+		panic(http.ListenAndServe(*listenAddressFlag, nil))
 	}
 }