diff --git a/go.mod b/go.mod
index 7b5c3cf..9c72386 100644
--- a/go.mod
+++ b/go.mod
@@ -3,6 +3,7 @@ module github.com/haproxytech/haproxy-consul-connect
 go 1.13
 
 require (
+	github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962
 	github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a // indirect
 	github.com/criteo/haproxy-spoe-go v0.0.0-20190925130734-97891c13d324
 	github.com/d4l3k/messagediff v1.2.1 // indirect
diff --git a/go.sum b/go.sum
index 141c90a..5f79963 100644
--- a/go.sum
+++ b/go.sum
@@ -8,6 +8,8 @@ github.com/Azure/go-autorest v10.15.3+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxS
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/DataDog/datadog-go v2.2.0+incompatible h1:V5BKkxACZLjzHjSgBbr2gvLA2Ae49yhc6CSY7MLy5k4=
 github.com/DataDog/datadog-go v2.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
+github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962 h1:KeNholpO2xKjgaaSyd+DyQRrsQjhbSeS7qe4nEw8aQw=
+github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962/go.mod h1:kC29dT1vFpj7py2OvG1khBdQpo3kInWP+6QipLbdngo=
 github.com/Microsoft/go-winio v0.4.3 h1:M3NHMuPgMSUPdE5epwNUHlRPSVzHs8HpRTrVXhR0myo=
 github.com/Microsoft/go-winio v0.4.3/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcyvVC4A4RozmA=
 github.com/NYTimes/gziphandler v1.0.1 h1:iLrQrdwjDd52kHDA5op2UBJFjmOb9g+7scBan4RN8F0=
diff --git a/haproxy/config.go b/haproxy/config.go
index 4412408..ad7baab 100644
--- a/haproxy/config.go
+++ b/haproxy/config.go
@@ -2,21 +2,26 @@ package haproxy
 
 import (
 	"io/ioutil"
+	"math/rand"
 	"os"
 	"path"
 	"runtime"
+	"time"
 	"text/template"
 
+	"github.com/GehirnInc/crypt"
+	_ "github.com/GehirnInc/crypt/sha256_crypt"
 	"github.com/haproxytech/haproxy-consul-connect/lib"
 	log "github.com/sirupsen/logrus"
 )
 
 const (
 	dataplaneUser = "haproxy"
-	dataplanePass = "pass"
 )
 
+var dataplanePass string
+
 var baseCfgTmpl = `
 global
 	master-worker
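Review bot: `dataplanePass` goes from a constant to a package-level mutable string that is only assigned inside `newHaConfig`, so any reader of it (presumably the dataplane client elsewhere in the package, which is not visible in this diff) sees the empty string until that function has run, and a second call silently rotates the credential under the first one. Carrying the clear-text password on the returned `*haConfig` (or returning it alongside) ties its lifetime to the config it was generated for and removes the hidden ordering dependency. The added `math/rand` and `time` imports exist only to generate that password; `crypto/rand` is the appropriate source for a credential, see the note on `createRandomString` at the end of the file. A line comment such as `// dataplanePass is the clear-text credential generated per config; only its hash is written to the userlist.` would make the relationship to the template value explicit.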
@@ -27,7 +32,7 @@ global
 	nbthread {{.NbThread}}
 
 userlist controller
-	user {{.DataplaneUser}} insecure-password {{.DataplanePass}}
+	user {{.DataplaneUser}} password {{.DataplanePass}}
 `
 
 const spoeConfTmpl = `
@@ -105,12 +110,15 @@ func newHaConfig(baseDir string, sd *lib.Shutdown) (*haConfig, error) {
 	}
 	defer cfgFile.Close()
 
+	dataplanePass = createRandomString(6)
+	hashPass, _ := hashPassword(dataplanePass)
+
 	err = tmpl.Execute(cfgFile, baseParams{
 		NbThread:      runtime.GOMAXPROCS(0),
 		SocketPath:    cfg.StatsSock,
 		LogsPath:      cfg.LogsSock,
 		DataplaneUser: dataplaneUser,
-		DataplanePass: dataplanePass,
+		DataplanePass: hashPass,
 	})
 	if err != nil {
 		sd.Done()
@@ -131,3 +139,18 @@ func newHaConfig(baseDir string, sd *lib.Shutdown) (*haConfig, error) {
 
 	return cfg, nil
 }
+
+func hashPassword(password string) (string, error) {
+	crypter := crypt.SHA256.New()
+	return crypter.Generate([]byte(password), []byte("$5$salt"))
+}
+
+func createRandomString(n int) string {
+	var dictionary = []rune("_0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")
+	b := make([]rune, n)
+	rand.Seed(time.Now().UnixNano())
+	for i := range b {
+		b[i] = dictionary[rand.Intn(len(dictionary))]
+	}
+	return string(b)
+}
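Review bot: The error from `hashPassword` on the new `hashPass, _ := hashPassword(dataplanePass)` line is discarded, so on failure `hashPass` is `""` and the template emits a `user haproxy password` line with no hash, which haproxy is likely to reject at config load and which the caller only learns about indirectly, if at all. Handle it like the `tmpl.Execute` failure right below: `hashPass, err := hashPassword(dataplanePass)` followed by the same `if err != nil { sd.Done(); … }` branch (its return statement lies outside the hunk, so mirror whatever it does). `newHaConfig` begins and ends outside this hunk.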
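Review bot: `createRandomString` draws the dataplane password from `math/rand` seeded with `time.Now().UnixNano()`, a deterministic generator keyed on a low-entropy seed that is not suitable for a credential; `crypto/rand` should be used, which also removes the `time` import and the per-call `rand.Seed` on the global generator. Six characters from a 63-symbol alphabet is under 36 bits of entropy, and since the value is machine-generated a longer string (the call site in `newHaConfig` passes 6) costs nothing. In `hashPassword` the salt is the fixed literal `"$5$salt"`; a salt is meant to be unique per hash, so generate it randomly (if the crypt library offers salt generation use that, otherwise build `$5$` plus random salt characters from the same generator). The rewrite below returns an error so a failure of the system randomness source is not silently turned into an empty or weak password; the call site would need to check it, and `crypto/rand` plus `math/big` replace `math/rand` in the import block.
```go
// createRandomString returns n characters drawn uniformly from dictionary
// using crypto/rand, so the generated credential is not predictable from
// the process start time. rand.Int avoids the modulo bias of Intn-style
// reduction.
func createRandomString(n int) (string, error) {
	const dictionary = "_0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
	b := make([]byte, n)
	for i := range b {
		idx, err := rand.Int(rand.Reader, big.NewInt(int64(len(dictionary))))
		if err != nil {
			return "", err
		}
		b[i] = dictionary[idx.Int64()]
	}
	return string(b), nil
}
```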