From f76b7c6006b69dac518189876280d4963c374e5c Mon Sep 17 00:00:00 2001
From: masv3971
Date: Thu, 11 Apr 2024 15:54:36 +0200
Subject: [PATCH] Add better tls support.
---
 dev_config_docker.yaml | 4 ++++
 dockerfiles/worker | 4 ++--
 internal/apigw/httpserver/tls.go | 4 +++-
 3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/dev_config_docker.yaml b/dev_config_docker.yaml
index 0701b070..b409705f 100644
--- a/dev_config_docker.yaml
+++ b/dev_config_docker.yaml
@@ -78,6 +78,10 @@ persistent:
 apigw:
 api_server:
 addr: :8080
+ tls:
+ enabled: false
+ cert_file_path: ""
+ key_file_path: ""
 py_pdfsigner:
 sign_queue_name: sign
diff --git a/dockerfiles/worker b/dockerfiles/worker
index 8f3586d7..9d0ac835 100644
--- a/dockerfiles/worker
+++ b/dockerfiles/worker
@@ -24,7 +24,7 @@ ARG SERVICE_NAME
 WORKDIR /
-RUN apt-get update && apt-get install -y curl procps iputils-ping less
+RUN apt-get update && apt-get install -y curl procps iputils-ping less coreutils file netcat-openbsd
 RUN rm -rf /var/lib/apt/lists/*
 COPY --from=builder /go/src/app/bin/vc_${SERVICE_NAME} /vc_service
@@ -32,7 +32,7 @@ COPY --from=builder /go/src/app/docs /docs
 EXPOSE 8080
-HEALTHCHECK --interval=20s --timeout=10s CMD curl --connect-timeout 5 http://localhost:8080/health | grep -q STATUS_OK
+HEALTHCHECK --interval=20s --timeout=10s CMD curl --insecure --connect-timeout 5 https://localhost:8080/health | grep -q STATUS_OK
 # vars in CMD and ENTRYPOINT are evaluated at runtime, that's why we use a static name on the binary.
 CMD [ "./vc_service" ]
\ No newline at end of file
diff --git a/internal/apigw/httpserver/tls.go b/internal/apigw/httpserver/tls.go
index 5226627b..e7291831 100644
--- a/internal/apigw/httpserver/tls.go
+++ b/internal/apigw/httpserver/tls.go
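Review bot: The HEALTHCHECK now hardcodes `https://localhost:8080/health`, yet the new `apigw.api_server.tls.enabled` default added in dev_config_docker.yaml is `false`, so a container started with TLS disabled will fail every probe (curl sends a TLS handshake to a plaintext listener) and be reported unhealthy. Either derive the scheme from the TLS setting at runtime or probe both, e.g. `CMD curl --insecure --connect-timeout 5 https://localhost:8080/health | grep -q STATUS_OK || curl --connect-timeout 5 http://localhost:8080/health | grep -q STATUS_OK`. `--insecure` is defensible for a loopback probe against a locally issued certificate, but deserves a one-line comment such as `# --insecure: loopback health probe only; the cert is not publicly trusted` so it is not copied into a client that talks to another host. Separately, the first hunk adds `netcat-openbsd` and `file` to the runtime image; if they are only needed for debugging, keeping them out of the shipped stage keeps the image's tool surface smaller.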
@@ -6,9 +6,11 @@ import (
 )
 func (s *Service) applyTLSConfig(ctx context.Context) {
+ ctx, span := s.tp.Start(ctx, "httpserver:applyTLSConfig")
+ defer span.End()
+
 cfg := &tls.Config{
 MinVersion: tls.VersionTLS12,
- CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
 PreferServerCipherSuites: true,
 }