
StartTLS #243

Closed
valero90 opened this issue Sep 28, 2020 · 11 comments · Fixed by #888
Labels
enhancement New feature or request

Comments

@valero90

Would it be possible to add an option to accept SSL connections to make HTTPS connections?

@gulien
Collaborator

gulien commented Sep 28, 2020

Hello @valero90

IMO I think it is not in the scope of Gotenberg and it should be handled by a proxy!

@thomass4t

Hello,
A proxy would be possible, but I would also vote for SSL support.
The Go module used seems to support it with a one-liner:
https://echo.labstack.com/cookbook/http2#step-1-generate-a-self-signed-x509-tls-certificate

Two additional configuration options would be needed to parameterize key and certificate location.
Maybe the link helps to estimate the effort and compare pros and cons.

Greetings, Thomas

@stale

stale bot commented Aug 22, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix This will not be worked on label Aug 22, 2021
@gulien gulien added the enhancement New feature or request label Aug 27, 2021
@stale stale bot removed the wontfix This will not be worked on label Aug 27, 2021
@jonasgeiler
Contributor

I think this is something still worth pursuing, even if this issue has been stale for some time. At our company we need to encrypt any traffic between our Kubernetes pods/containers using SSL and therefore we would need to encrypt Gotenberg traffic as well. Our current solution is embedding an nginx reverse proxy into the Gotenberg container image and using that to communicate with Gotenberg, but this is not the best solution in my opinion...

I would be very happy to work on an SSL feature for Gotenberg, if you want. Even if Gotenberg is not intended to be exposed to the internet, as stated in the docs, it can't hurt to have SSL support for companies like ours.

@gulien
Collaborator

gulien commented May 24, 2024

Sure feel free to open a PR! 😄

@HoffmannTom

Many security standards and contracts require TLS 1.2 and above and secure crypto suites.
If possible and if time allows, you might check these two settings when implementing TLS :)
Just a wish from my side 😇
Security is always a process ...

@jonasgeiler jonasgeiler mentioned this issue May 26, 2024
@jonasgeiler
Contributor

@gulien wrote:
Sure feel free to open a PR! 😄

PR is out! Open for review 👀

@HoffmannTom wrote:
Many security standards and contracts require TLS 1.2 and above and secure crypto suites.
If possible and if time allows, you might check these two settings when implementing TLS :)
Just a wish from my side 😇
Security is always a process ...

I'm just using the StartTLS method from Echo which probably uses a few Go internals for TLS/SSL encryption and communication. Not sure which TLS versions and crypto suites Go supports, but that's outside the control of Gotenberg (fortunately).

@HoffmannTom

@jonasgeiler
I took a look at the link and the TLS configuration is within the TLS object.

    srv := &http.Server{
        TLSConfig: &tls.Config{
            MinVersion: tls.VersionTLS12, // reject TLS 1.0 and 1.1
        },
    }

I found an example here: https://gist.github.com/denji/12b3a568f092ab951456
Disabling TLS 1.1 and below is currently a good practice to prevent the usage of weak protocols.
Configuring ciphers is probably too much in the first step.
Thanks for your effort :)

@jonasgeiler
Contributor

@HoffmannTom wrote:
@jonasgeiler I took a look at the link and the TLS configuration is within the TLS object.

    srv := &http.Server{
        TLSConfig: &tls.Config{
            MinVersion: tls.VersionTLS12, // reject TLS 1.0 and 1.1
        },
    }

I found an example here: https://gist.github.com/denji/12b3a568f092ab951456 Disabling TLS1.1 and below is currently a good practise to prevent the usage of weak protocols. Configuring ciphers is probably too much in the first step. Thanks for your effort :)

Hmmm unfortunately I am not quite sure how to implement this with Echo. The StartTLS method does quite a few things underneath that I would have to do manually... I don't think I am experienced enough with Go for this, but feel free to create a PR in my fork or after my PR has been merged.

@HoffmannTom

The example with TLSConfig is in the link you shared. It's the example right beneath StartTLS.
https://echo.labstack.com/docs/start-server#https-server
I only added the MinVersion.
Otherwise, it can be added later on also, as you mentioned.

@jonasgeiler
Contributor

jonasgeiler commented May 26, 2024

@HoffmannTom wrote:
The example with TLSConfig is in the link you shared. It's the example right beneath startTLS. https://echo.labstack.com/docs/start-server#https-server I only added the MinVersion. Otherwise, it can be added later on also, as you mentioned.

I saw the section you have linked before, but the problem I've described still remains. StartTLS does a few things underneath and I would have to check how complicated it is to replicate those things manually. I'll look into it but no promises.

EDIT

Okay, forget anything I've said. Apparently Go already sets the TLS minimum version to 1.2 by default, so we don't have to do anything! See here for more info: https://pkg.go.dev/crypto/tls#Config
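The following stand-alone Go program ties together the points raised above (Thomas's cert/key supplied through configuration, Tom's explicit MinVersion of TLS 1.2, and the last comment's reliance on the Go default). It is an added example, not Gotenberg's code and not Echo's; it uses only the standard library, so it runs offline. The hardenedTLSConfig, legacyTLSConfig, startServer and probe functions, the in-memory self-signed certificate and the /health route are all constructed for this example. It goes one step beyond the thread by also pinning the TLS 1.2 cipher suites to forward-secret AEAD suites and by showing the weak configuration next to the hardened one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"log"
	"math/big"
	"net"
	"net/http"
	"time"
)

// selfSignedCert builds a throwaway ECDSA certificate in memory (constructed for this
// example) so the program runs offline, plus a pool that trusts it. In a deployment the
// pair would come from tls.LoadX509KeyPair on operator-supplied cert/key paths.
func selfSignedCert(host string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{host},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// hardenedTLSConfig pins the floor at TLS 1.2 explicitly (recent Go defaults to it for
// servers, but stating it keeps the guarantee independent of the toolchain) and limits
// TLS 1.2 to forward-secret AEAD suites. TLS 1.3 suites are not configurable in Go.
func hardenedTLSConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// legacyTLSConfig is the weak counterpart: an explicit MinVersion of TLS 1.0 re-enables
// the protocol versions the thread wants disabled, regardless of the Go default.
func legacyTLSConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS10}
}

// startServer serves /health over TLS on a random loopback port and returns the
// address plus a shutdown function.
func startServer(cfg *tls.Config) (string, func(), error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", nil, err
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/health", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "ok over %s", tls.VersionName(r.TLS.Version))
	})
	srv := &http.Server{Handler: mux, TLSConfig: cfg}
	// Empty file names: ServeTLS uses TLSConfig.Certificates instead of files on disk.
	go srv.ServeTLS(ln, "", "")
	return ln.Addr().String(), func() { srv.Close() }, nil
}

// probe makes one HTTPS request with the client restricted to [minV, maxV] and returns
// the negotiated TLS version, or an error when the server refuses the handshake.
func probe(addr string, pool *x509.CertPool, minV, maxV uint16) (uint16, error) {
	tr := &http.Transport{TLSClientConfig: &tls.Config{
		RootCAs: pool, ServerName: "localhost", MinVersion: minV, MaxVersion: maxV,
	}}
	client := &http.Client{Transport: tr, Timeout: 5 * time.Second}
	resp, err := client.Get("https://" + addr + "/health")
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	if resp.TLS == nil {
		return 0, errors.New("response carried no TLS state")
	}
	return resp.TLS.Version, nil
}

func main() {
	cert, pool, err := selfSignedCert("localhost")
	if err != nil {
		log.Fatal(err)
	}
	for name, cfg := range map[string]*tls.Config{
		"hardened (MinVersion TLS 1.2)": hardenedTLSConfig(cert),
		"legacy (MinVersion TLS 1.0)":   legacyTLSConfig(cert),
	} {
		addr, stop, err := startServer(cfg)
		if err != nil {
			log.Fatal(err)
		}
		// A client that can only speak TLS 1.0/1.1 is refused by the hardened server.
		v, err := probe(addr, pool, tls.VersionTLS10, tls.VersionTLS11)
		fmt.Printf("%s, TLS 1.1-only client: version=%s err=%v\n", name, tls.VersionName(v), err)
		v, err = probe(addr, pool, tls.VersionTLS12, 0)
		fmt.Printf("%s, modern client: version=%s err=%v\n", name, tls.VersionName(v), err)
		stop()
	}
}
```

The probe is the check to run against a deployment once TLS lands: a client capped at TLS 1.1 must fail the handshake, and a modern client must report TLS 1.2 or 1.3. Pinning MinVersion explicitly costs nothing and means an older toolchain (which defaulted servers to TLS 1.0) cannot silently reopen the weak versions.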
