Add TLS server support

config.go

@@ -24,6 +24,12 @@ type InfluxConfig struct {
 	Bucket    string
 }
 
+type ServerConfig struct {
+	Port     int64
+	CertFile string `yaml:"cert_file"`
+	KeyFile  string `yaml:"key_file"`
+}
+
 // Config is the configuration for ForecastMetrics.
 type Config struct {
 	InfluxDB                 InfluxConfig `yaml:"influxdb"`
@@ -33,6 +39,7 @@ type Config struct {
 	HttpCacheDir             string       `yaml:"http_cache_dir"`
 	OverwriteData            bool         `yaml:"overwrite_data"`
 	BingToken                string       `yaml:"bing_token"`
+	ServerConfig             ServerConfig `yaml:"server"`
 	ServerPort               int64        `yaml:"server_port"`
 	AdHocCacheEntries        int          `yaml:"ad_hoc_cache_entries"`
 	Sources                  struct {

forecastmetrics.example.yaml

@@ -19,9 +19,14 @@ http_cache_dir: /var/lib/forecastmetrics/cache
 overwrite_data: false
 # Bing Maps Location API token to provide location lookup for adhoc forecasts, if enabled
 bing_token: your_token_here
-# port to run http server on for adhoc forecasts
-# set to 0 to disable the http server.
-server_port: 8080
+server:
+  # port to run http server on for adhoc forecasts
+  # set to 0 to disable the http server.
+  port: 8080
+  # certificate for serving TLS. Leave blank/remove to disable TLS.
+  cert_file: /path/to/cert.pem
+  # certificate private key for serving TLS. Leave blank/remove to disable TLS.
+  key_file: /path/to/cert.key
 # number of adhoc forecasts to cache
 ad_hoc_cache_entries: 100
 

main.go

@@ -74,7 +74,7 @@ func main() {
 				"accumulated_precip",
 			},
 		}
-		server.Start(config.ServerPort)
+		server.Start(config.ServerConfig)
 	}
 }
 

server.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"crypto/tls"
 	"encoding/base64"
 	"encoding/json"
 	"errors"
@@ -24,15 +25,32 @@ type Server struct {
 }
 
 // Start starts the prometheus endpoint.
-func (s *Server) Start(port int64) {
+func (s *Server) Start(config ServerConfig) {
+	server := &http.Server{
+		Addr: fmt.Sprintf(":%d", config.Port),
+		TLSConfig: &tls.Config{
+			MinVersion: tls.VersionTLS13,
+			CurvePreferences: []tls.CurveID{
+				tls.CurveP256,
+				tls.X25519,
+			},
+		},
+	}
 	// don't 404 on other prometheus endpoints
 	http.HandleFunc("/api/v1/", func(writer http.ResponseWriter, request *http.Request) {
 		writer.WriteHeader(204)
 	})
 	http.Handle("/api/v1/query_range", s)
-	err := http.ListenAndServe(fmt.Sprintf(":%d", port), nil)
-	if err != nil {
-		panic(err)
+	if len(config.CertFile) > 0 && len(config.KeyFile) > 0 {
+		err := server.ListenAndServeTLS(config.CertFile, config.KeyFile)
+		if err != nil {
+			panic(err)
+		}
+	} else {
+		err := server.ListenAndServe()
+		if err != nil {
+			panic(err)
+		}
 	}
 }