Add SSL support to HTTP server

tarantool · Nov 19, 2024 · 8c15e9f · 8c15e9f
1 parent 32ff9f0
commit 8c15e9f
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 2 deletions.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -17,8 +17,15 @@ Changed
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 - Update ``vshard`` dependency to `0.1.30 <https://github.com/tarantool/vshard/releases/tag/0.1.30>`_.
+
 - Update ``http`` dependency to `1.7.0 <https://github.com/tarantool/http/releases/tag/1.7.0>`_.
 
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Added
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- SSL support to HTTP server.
+
 -------------------------------------------------------------------------------
 [2.12.4] - 2024-09-16
 -------------------------------------------------------------------------------
@@ -28,6 +35,7 @@ Changed
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 - Update ``vshard`` dependency to `0.1.29 <https://github.com/tarantool/vshard/releases/tag/0.1.29>`_.
+
 - Update ``http`` dependency to `1.6.0 <https://github.com/tarantool/http/releases/tag/1.6.0>`_.
 
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

diff --git a/cartridge.lua b/cartridge.lua
@@ -785,9 +785,28 @@ local function cfg(opts, box_opts)
         opts.webui_enabled = true
     end
     if opts.http_enabled then
+        local ssl_opts, err = argparse.get_opts({
+            http_ssl_cert_file = 'string',
+            http_ssl_key_file = 'string',
+            http_ssl_password = 'string',
+            http_ssl_password_file = 'string',
+            http_ssl_ca_file = 'string',
+            http_ssl_ciphers = 'string',
+        })
+        if err ~= nil then
+            return nil, err
+        end
         local httpd = http.new(
             opts.http_host, opts.http_port,
-            { log_requests = false }
+            {
+                log_requests = false,
+                ssl_cert_file = ssl_opts.http_ssl_cert_file,
+                ssl_key_file = ssl_opts.http_ssl_key_file,
+                ssl_password = ssl_opts.http_ssl_password,
+                ssl_password_file = ssl_opts.http_ssl_password_file,
+                ssl_ca_file = ssl_opts.http_ssl_ca_file,
+                ssl_ciphers = ssl_opts.http_ssl_ciphers,
+            }
         )
 
         local ok, err = HttpInitError:pcall(httpd.start, httpd)

diff --git a/rst/cartridge_admin.rst b/rst/cartridge_admin.rst
@@ -1793,7 +1793,7 @@ SSL in Cartridge
 -------------------------------------------------------------------------------
 
 Tarantool Enterprise supports the use of SSL connections to encrypt client-server
-communications for increased security. To enable SSL in Cartridge for Replication
+communications for increased security. To enable SSL in Cartridge for replication
 and inner cluster communications, you can use environment variables or
 ``cartridge.cfg`` options.
 
@@ -1806,6 +1806,20 @@ You also need to add cfg options or environment variables for the next ssl optio
 `this article
 <https://www.tarantool.io/ru/doc/latest/concepts/configuration/configuration_connections/#securing-connections-with-ssl>`_.
 
+To enable http encryption, use environment variables:
+
+*   ``TARANTOOL_HTTP_SSL_CERT_FILE``;
+
+*   ``TARANTOOL_HTTP_SSL_KEY_FILE``;
+
+*   ``TARANTOOL_HTTP_SSL_PASSWORD``;
+
+*   ``TARANTOOL_HTTP_SSL_PASSWORD_FILE``;
+
+*   ``TARANTOOL_HTTP_SSL_CA_FILE``;
+
+*   ``TARANTOOL_HTTP_SSL_CIPHERS``.
+
 
 .. _cartridge-change-cookie: