add configurable 'shutdown-timeout' for HTTP server (#13771)

fixes #12317
2025-11-07 04:42:56 -05:00 · 2021-11-29 09:06:56 -08:00
parent 99d87c5ca2
commit e49c184595
5 changed files with 107 additions and 60 deletions
--- a/cmd/gateway-main.go
+++ b/cmd/gateway-main.go
@@ -20,7 +20,8 @@ package cmd
 import (
 	"context"
 	"fmt"
-	"net"
+	"io/ioutil"
+	"log"
 	"net/url"
 	"os"
 	"os/signal"
@@ -269,10 +270,13 @@ func StartGateway(ctx *cli.Context, gw Gateway) {
 		addrs = append(addrs, globalMinioAddr)
 	}

-	httpServer := xhttp.NewServer(addrs, setCriticalErrorHandler(corsHandler(router)), getCert)
-	httpServer.BaseContext = func(listener net.Listener) context.Context {
-		return GlobalContext
-	}
+	httpServer := xhttp.NewServer(addrs).
+		UseHandler(setCriticalErrorHandler(corsHandler(router))).
+		UseTLSConfig(newTLSConfig(getCert)).
+		UseShutdownTimeout(ctx.Duration("shutdown-timeout")).
+		UseBaseContext(GlobalContext).
+		UseCustomLogger(log.New(ioutil.Discard, "", 0)) // Turn-off random logging by Go stdlib
+
 	go func() {
 		globalHTTPServerErrorCh <- httpServer.Start(GlobalContext)
 	}()
--- a/cmd/server-main.go
+++ b/cmd/server-main.go
@@ -23,9 +23,9 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"log"
 	"math/rand"
-	"net"
 	"os"
 	"os/signal"
 	"strings"
@@ -64,6 +64,12 @@ var ServerFlags = []cli.Flag{
 		Name:  "console-address",
 		Usage: "bind to a specific ADDRESS:PORT for embedded Console UI, ADDRESS can be an IP or hostname",
 	},
+	cli.DurationFlag{
+		Name:   "shutdown-timeout",
+		Value:  xhttp.DefaultShutdownTimeout,
+		Usage:  "shutdown timeout to gracefully shutdown server",
+		Hidden: true,
+	},
 }

 var serverCmd = cli.Command{
@@ -412,12 +418,6 @@ func initConfigSubsystem(ctx context.Context, newObject ObjectLayer) ([]BucketIn
 	return buckets, nil
 }

-type nullWriter struct{}
-
-func (lw nullWriter) Write(b []byte) (int, error) {
-	return len(b), nil
-}
-
 // serverMain handler called for 'minio server' command.
 func serverMain(ctx *cli.Context) {
 	signal.Notify(globalOSSignalCh, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT)
@@ -492,12 +492,13 @@ func serverMain(ctx *cli.Context) {
 		addrs = append(addrs, globalMinioAddr)
 	}

-	httpServer := xhttp.NewServer(addrs, setCriticalErrorHandler(corsHandler(handler)), getCert)
-	httpServer.BaseContext = func(listener net.Listener) context.Context {
-		return GlobalContext
-	}
-	// Turn-off random logging by Go internally
-	httpServer.ErrorLog = log.New(&nullWriter{}, "", 0)
+	httpServer := xhttp.NewServer(addrs).
+		UseHandler(setCriticalErrorHandler(corsHandler(handler))).
+		UseTLSConfig(newTLSConfig(getCert)).
+		UseShutdownTimeout(ctx.Duration("shutdown-timeout")).
+		UseBaseContext(GlobalContext).
+		UseCustomLogger(log.New(ioutil.Discard, "", 0)) // Turn-off random logging by Go stdlib
+
 	go func() {
 		globalHTTPServerErrorCh <- httpServer.Start(GlobalContext)
 	}()
--- a/cmd/utils.go
+++ b/cmd/utils.go
@@ -46,12 +46,17 @@ import (
 	"github.com/gorilla/mux"
 	"github.com/minio/madmin-go"
 	miniogopolicy "github.com/minio/minio-go/v7/pkg/policy"
+	"github.com/minio/minio/internal/config"
+	"github.com/minio/minio/internal/config/api"
+	xtls "github.com/minio/minio/internal/config/identity/tls"
+	"github.com/minio/minio/internal/fips"
 	"github.com/minio/minio/internal/handlers"
 	xhttp "github.com/minio/minio/internal/http"
 	"github.com/minio/minio/internal/logger"
 	"github.com/minio/minio/internal/logger/message/audit"
 	"github.com/minio/minio/internal/rest"
 	"github.com/minio/pkg/certs"
+	"github.com/minio/pkg/env"
 )

 const (
@@ -1097,3 +1102,34 @@ func speedTest(ctx context.Context, opts speedTestOpts) chan madmin.SpeedTestRes
 	}()
 	return ch
 }
+
+func newTLSConfig(getCert certs.GetCertificateFunc) *tls.Config {
+	if getCert == nil {
+		return nil
+	}
+
+	tlsConfig := &tls.Config{
+		PreferServerCipherSuites: true,
+		MinVersion:               tls.VersionTLS12,
+		NextProtos:               []string{"http/1.1", "h2"},
+		GetCertificate:           getCert,
+	}
+
+	tlsClientIdentity := env.Get(xtls.EnvIdentityTLSEnabled, "") == config.EnableOn
+	if tlsClientIdentity {
+		tlsConfig.ClientAuth = tls.RequestClientCert
+	}
+
+	secureCiphers := env.Get(api.EnvAPISecureCiphers, config.EnableOn) == config.EnableOn
+	if secureCiphers || fips.Enabled {
+		// Hardened ciphers
+		tlsConfig.CipherSuites = fips.CipherSuitesTLS()
+		tlsConfig.CurvePreferences = fips.EllipticCurvesTLS()
+	} else {
+		// Default ciphers while excluding those with security issues
+		for _, cipher := range tls.CipherSuites() {
+			tlsConfig.CipherSuites = append(tlsConfig.CipherSuites, cipher.ID)
+		}
+	}
+	return tlsConfig
+}