From 2a15d51703232a5e84147eddcd620b40bb8589eb Mon Sep 17 00:00:00 2001 From: Flavio Meyer Date: Thu, 6 Feb 2020 15:59:27 +0100 Subject: [PATCH] Adding HTTPS support for REST API interface --- Dockerfile | 2 ++ README.md | 38 +++++++++++++++++++++++++++++++++++--- centos.Dockerfile | 2 ++ clamrest.go | 19 ++++++++++++------- docker-compose.yml | 3 ++- server.crt | 12 ++++++++++++ server.key | 9 +++++++++ 7 files changed, 74 insertions(+), 11 deletions(-) create mode 100644 server.crt create mode 100644 server.key
diff --git a/Dockerfile b/Dockerfile
index 5ba7c5f..18516b6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -21,12 +21,14 @@ RUN freshclam --quiet --no-dns --checks=2
 # Build go package
 ADD . /go/src/clamav-rest/
+ADD ./server.* /etc/ssl/clamav-rest/
 RUN cd /go/src/clamav-rest && go build -v
 COPY entrypoint.sh /usr/bin/
 RUN mv /go/src/clamav-rest/clamav-rest /usr/bin/ && rm -Rf /go/src/clamav-rest
 EXPOSE 9000
+EXPOSE 9443
 ENV MAX_SCAN_SIZE=100M
 ENV MAX_FILE_SIZE=25M
diff --git a/README.md b/README.md
index eeda1e6..7d71f04 100644
--- a/README.md
+++ b/README.md
@@ -36,10 +36,12 @@ The following image tags are available:
 Run clamav-rest docker image:
 ```bash
-docker run -p 9000:9000 -itd --name clamav-rest ajilaag/clamav-rest
+docker run -p 9000:9000 -p 9443:9443 -itd --name clamav-rest ajilaag/clamav-rest
 ```
 Test that service detects common test virus signature:
+
+**HTTP**
 ```bash
 $ curl -i -F "file=@eicar.com.txt" http://localhost:9000/scan
 HTTP/1.1 100 Continue
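Review bot: `ADD ./server.* /etc/ssl/clamav-rest/` copies the TLS private key into an image layer, so anyone who can pull the image can extract `server.key` and present this certificate as the service; the earlier `ADD . /go/src/clamav-rest/` already placed it in a layer, and the later `rm -Rf /go/src/clamav-rest` removes it only from the filesystem view, not from that layer. The centos.Dockerfile hunk has the same two lines. Prefer keeping both files out of the build context (a `.dockerignore` entry) and providing them at run time — a bind mount or compose secret onto `/etc/ssl/clamav-rest/` — so each deployment gets its own key; a comment at the new `ADD` line, `# TLS material is mounted at runtime, never baked into the image`, would record that. The `EXPOSE 9443` line is fine on its own.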
@@ -52,7 +54,22 @@ Content-Length: 56
 { Status: "FOUND", Description: "Eicar-Test-Signature" }
 ```
+**HTTPS**
+```bash
+$ curl -i -k -F "file=@eicar.com.txt" https://localhost:9443/scan
+HTTP/1.1 100 Continue
+
+HTTP/1.1 406 Not Acceptable
+Content-Type: application/json; charset=utf-8
+Date: Mon, 28 Aug 2017 20:22:34 GMT
+Content-Length: 56
+
+{ Status: "FOUND", Description: "Eicar-Test-Signature" }
+```
+
 Test that service returns 200 for clean file:
+
+**HTTP**
 ```bash
 $ curl -i -F "file=@clamrest.go" http://localhost:9000/scan
@@ -65,6 +82,21 @@ Content-Length: 33
 { Status: "OK", Description: "" }
 ```
+**HTTPS**
+```bash
+$ curl -i -k -F "file=@clamrest.go" https://localhost:9443/scan
+
+HTTP/1.1 100 Continue
+
+HTTP/1.1 200 OK
+Content-Type: application/json; charset=utf-8
+Date: Mon, 28 Aug 2017 20:23:16 GMT
+Content-Length: 33
+
+{ Status: "OK", Description: "" }
+```
+
+
 ## Status Codes
 - 200 - clean file = no KNOWN infections
@@ -108,7 +140,7 @@ Below is the complete list of available options that can be used to customize yo
 For debugging and maintenance purposes you may want access the containers shell.
 ```bash
-docker exec -it (whatever your container name is e.g. clamav) bash
+docker exec -it (whatever your container name is e.g. clamav-rest) /bin/sh
 ```
 # Developing
@@ -118,7 +150,7 @@ Build golang (linux) binary and docker image:
 ```bash
 # env GOOS=linux GOARCH=amd64 go build
 docker build . -t clamav-go-rest
-docker run -p 9000:9000 -itd --name clamav-rest clamav-go-rest
+docker run -p 9000:9000 -p 9443:9443 -itd --name clamav-rest clamav-go-rest
 ```
 # References
diff --git a/centos.Dockerfile b/centos.Dockerfile
index 715dbfd..e655f03 100644
--- a/centos.Dockerfile
+++ b/centos.Dockerfile
@@ -30,12 +30,14 @@ RUN sed -i 's/^Example$/# Example/g' /etc/clamd.d/scan.conf \
 # Build go package
 ADD . /go/src/clamav-rest/
+ADD ./server.* /etc/ssl/clamav-rest/
 RUN cd /go/src/clamav-rest/ && go build -v
 COPY entrypoint.sh /usr/bin/
 RUN mv /go/src/clamav-rest/clamav-rest /usr/bin/ && rm -Rf /go/src/clamav-rest
 EXPOSE 9000
+EXPOSE 9443
 RUN freshclam --quiet
diff --git a/clamrest.go b/clamrest.go
index a58edc7..a58d659 100644
--- a/clamrest.go
+++ b/clamrest.go
@@ -10,6 +10,7 @@ import (
 "os"
 "strings"
 "time"
+ "github.com/dutchcoders/go-clamd"
 )
@@ -157,6 +158,11 @@ func waitForClamD(port string, times int) {
 func main() {
+ const (
+ PORT = ":9000"
+ SSL_PORT = ":9443"
+ )
+
 opts = make(map[string]string)
 for _, e := range os.Environ() {
@@ -178,10 +184,9 @@ func main() {
 http.HandleFunc("/scanPath", scanPathHandler)
 http.HandleFunc("/", home)
- //Listen on port PORT
- if opts["PORT"] == "" {
- opts["PORT"] = "9000"
- }
- fmt.Printf("Listening on port " + opts["PORT"])
- http.ListenAndServe(":"+opts["PORT"], nil)
-}
\ No newline at end of file
+ // Start the HTTPS server in a goroutine
+ go http.ListenAndServeTLS(SSL_PORT, "/etc/ssl/clamav-rest/server.crt", "/etc/ssl/clamav-rest/server.key", nil)
+
+ // Start the HTTP server
+ http.ListenAndServe(PORT, nil)
+}
diff --git a/docker-compose.yml b/docker-compose.yml
index 6b80100..32c1cbe 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -5,4 +5,5 @@ services:
 mem_limit: 1048576000
 image: ajilaag/clamav-rest
 ports:
- - "9000:9000"
\ No newline at end of file
+ - "9000:9000"
+ - "9443:9443"
\ No newline at end of file
diff --git a/server.crt b/server.crt
new file mode 100644
index 0000000..abe9a76
--- /dev/null
+++ b/server.crt
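Review bot: The added `"github.com/dutchcoders/go-clamd"` import sits inside the standard-library group, directly after `"time"`; goimports convention puts third-party paths in a second group after a blank line. Nothing in the visible hunks references the package and the hunk header shows no removed line, so confirm that clamrest.go already uses it elsewhere — an unused import is a compile error in Go. The import block starts before this hunk.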
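Review bot: Both `http.ListenAndServeTLS(...)` and `http.ListenAndServe(PORT, nil)` discard their error, so if `/etc/ssl/clamav-rest/server.crt` or the key is missing or unreadable the TLS goroutine exits silently and the process keeps answering on plain HTTP with nothing logged — an operator who enabled HTTPS will not notice. The removed lines also honoured a `PORT` environment override; `opts` is still filled from `os.Environ()` above this hunk but is no longer consulted for the listen address, which silently breaks deployments that set it, and if the removed `fmt.Printf` was the file's last use of `fmt` that import must go too. The certificate and key paths are hard-coded, tying the binary to the Dockerfile layout. Suggest restoring the `PORT` lookup, making either listener's failure fatal, and surfacing the paths as options (the option names below are constructed; align them with the README's options table, and `log` needs importing if the file does not already). The start of `main` and the `opts` loop are outside this hunk.
```go
	// … unchanged: handler registration …

	// Keep the pre-existing PORT environment override (old code did ":"+opts["PORT"]).
	httpAddr := PORT
	if p := opts["PORT"]; p != "" {
		httpAddr = ":" + p
	}
	// Constructed option names: let deployments mount TLS material anywhere.
	certFile, keyFile := "/etc/ssl/clamav-rest/server.crt", "/etc/ssl/clamav-rest/server.key"
	if v := opts["SSL_CERT"]; v != "" {
		certFile = v
	}
	if v := opts["SSL_KEY"]; v != "" {
		keyFile = v
	}

	// Either listener failing is fatal; never keep running with HTTPS silently down.
	errc := make(chan error, 2)
	go func() { errc <- http.ListenAndServeTLS(SSL_PORT, certFile, keyFile, nil) }()
	go func() { errc <- http.ListenAndServe(httpAddr, nil) }()
	log.Printf("listening on %s (http) and %s (https)", httpAddr, SSL_PORT)
	log.Fatal(<-errc)
}
```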
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB2TCCAV8CCQDifaD7KfcXjzAKBggqhkjOPQQDBDBWMQswCQYDVQQGEwJDSDEQ
+MA4GA1UECAwHTHVjZXJuZTEPMA0GA1UEBwwGU3Vyc2VlMREwDwYDVQQKDAhhamls
+YSBBRzERMA8GA1UECwwIYWppbGEgQUcwHhcNMjAwMjA1MTI1MTQzWhcNMzAwMjAy
+MTI1MTQzWjBWMQswCQYDVQQGEwJDSDEQMA4GA1UECAwHTHVjZXJuZTEPMA0GA1UE
+BwwGU3Vyc2VlMREwDwYDVQQKDAhhamlsYSBBRzERMA8GA1UECwwIYWppbGEgQUcw
+djAQBgcqhkjOPQIBBgUrgQQAIgNiAARqaWNMhncO9fc3bhLHNvcpT+Oml4yXEMX3
+gUXb3SNeyW5dE74x6hxQQ04qIB/UmC5zi+USJmvrbUwm+nFehqBvn5S8aZgeXklL
+MpKFzXepzsgHIisYG3U943+7Fj6m67cwCgYIKoZIzj0EAwQDaAAwZQIxAKatG/Zw
+TR2yYRPExR8bFalQYle1JqNbHcfv8p2bqb9+ISqIaXmJde5S+5gvez0VOwIwKIpE
+gteclRk6IQy9NKxCsoflcMwXI4r45Tffi3PV7x2O4rMbPGVwyk4IGms9hb+S
+-----END CERTIFICATE-----
diff --git a/server.key b/server.key
new file mode 100644
index 0000000..9613e87
--- /dev/null
+++ b/server.key
@@ -0,0 +1,9 @@
+-----BEGIN EC PARAMETERS-----
+BgUrgQQAIg==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDBZM2J/UKtGWJ5iu/VWRb5tUt2G41EcQKrgmrJT473hackaLP0C1peI
+ubjs6qbBmaigBwYFK4EEACKhZANiAARqaWNMhncO9fc3bhLHNvcpT+Oml4yXEMX3
+gUXb3SNeyW5dE74x6hxQQ04qIB/UmC5zi+USJmvrbUwm+nFehqBvn5S8aZgeXklL
+MpKFzXepzsgHIisYG3U943+7Fj6m67c=
+-----END EC PRIVATE KEY-----
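Review bot: `server.key` is a clear-text private key committed to the repository; once pushed it is public and must be treated as compromised — anyone holding it can present `server.crt` as this service — so the pair should be generated outside the repository, per deployment, and kept out of version control (`.gitignore` both files; a later commit that only deletes them still leaves them in history). The `server.crt` hunk above is a self-signed certificate, which is why the README examples need `curl -k`: clients get encryption but no authentication of the peer, so a deployment that wants real TLS needs a certificate its clients can verify, and the README should say so instead of teaching `-k`. If a sample is wanted for local development, generate it in the README's build step rather than committing one, and name it unmistakably as a sample.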