From 647e1794537564a1b2e0ccdef8699b9c02d9032a Mon Sep 17 00:00:00 2001
From: David McKay <david@rawkode.dev>
Date: Tue, 15 Oct 2019 12:32:31 +0100
Subject: [PATCH] feat(tls): add options to run HTTP over TLS

---
 cmd/influxd/launcher/launcher.go | 48 ++++++++++++++++++++++++++++----
 1 file changed, 43 insertions(+), 5 deletions(-)

diff --git a/cmd/influxd/launcher/launcher.go b/cmd/influxd/launcher/launcher.go
index 59d389dec5..e586bfe2d9 100644
--- a/cmd/influxd/launcher/launcher.go
+++ b/cmd/influxd/launcher/launcher.go
@@ -2,6 +2,7 @@ package launcher
 
 import (
 	"context"
+	"crypto/tls"
 	"errors"
 	"fmt"
 	"io"
@@ -238,6 +239,18 @@ func buildLauncherCommand(l *Launcher, cmd *cobra.Command) {
 			Flag:  "vault-tls-server-name",
 			Desc:  "name to use as the SNI host when connecting via TLS.",
 		},
+		{
+			DestP:   &l.httpTlsCert,
+			Flag:    "tls-cert",
+			Default: "",
+			Desc:    "TLS certificate for HTTPs",
+		},
+		{
+			DestP:   &l.httpTlsKey,
+			Flag:    "tls-key",
+			Default: "",
+			Desc:    "TLS key for HTTPs",
+		},
 	}
 
 	cli.BindOptions(cmd, opts)
@@ -273,8 +286,10 @@ type Launcher struct {
 
 	queryController *control.Controller
 
-	httpPort   int
-	httpServer *nethttp.Server
+	httpPort    int
+	httpServer  *nethttp.Server
+	httpTlsCert string
+	httpTlsKey  string
 
 	natsServer *nats.Server
 	natsPort   int
@@ -776,6 +791,23 @@ func (m *Launcher) run(ctx context.Context) (err error) {
 		return err
 	}
 
+	var cer tls.Certificate
+	transport := "http"
+
+	if m.httpTlsCert != "" && m.httpTlsKey != "" {
+		var err error
+		cer, err = tls.LoadX509KeyPair(m.httpTlsCert, m.httpTlsKey)
+
+		if err != nil {
+			httpLogger.Error("failed to load x509 key pair", zap.Error(err))
+			httpLogger.Info("Stopping")
+			return err
+		}
+		transport = "https"
+
+		m.httpServer.TLSConfig = &tls.Config{}
+	}
+
 	if addr, ok := ln.Addr().(*net.TCPAddr); ok {
 		m.httpPort = addr.Port
 	}
@@ -783,10 +815,16 @@ func (m *Launcher) run(ctx context.Context) (err error) {
 	m.wg.Add(1)
 	go func(logger *zap.Logger) {
 		defer m.wg.Done()
-		logger.Info("Listening", zap.String("transport", "http"), zap.String("addr", m.httpBindAddress), zap.Int("port", m.httpPort))
+		logger.Info("Listening", zap.String("transport", transport), zap.String("addr", m.httpBindAddress), zap.Int("port", m.httpPort))
 
-		if err := m.httpServer.Serve(ln); err != nethttp.ErrServerClosed {
-			logger.Error("failed http service", zap.Error(err))
+		if cer.Certificate != nil {
+			if err := m.httpServer.ServeTLS(ln, m.httpTlsCert, m.httpTlsKey); err != nethttp.ErrServerClosed {
+				logger.Error("failed https service", zap.Error(err))
+			}
+		} else {
+			if err := m.httpServer.Serve(ln); err != nethttp.ErrServerClosed {
+				logger.Error("failed http service", zap.Error(err))
+			}
 		}
 		logger.Info("Stopping")
 	}(httpLogger)