feat(metrics): add naive TLS serving for metrics

Signed-off-by: Xe Iaso <me@xeiaso.net>
feat(config): add metrics TLS configuration
2026-05-06 23:32:43 +00:00 · 2026-04-22 10:38:46 -04:00 · 2026-04-22 10:36:32 -04:00 · 2026-04-21 16:56:23 -04:00 · 2026-04-21 15:36:11 -04:00
9 changed files with 136 additions and 6 deletions
@@ -4,5 +4,5 @@
 #  - Claude-SearchBot: No published IP allowlist
 - name: "ai-crawlers-search"
  user_agent_regex: >-
-    OAI-SearchBot|Claude-SearchBot|PerplexityBot
+    OAI-SearchBot|Claude-SearchBot|PerplexityBot|meta-webindexer
  action: DENY
@@ -1,24 +1,32 @@
 package config

 import (
+	"crypto/tls"
 	"errors"
 	"fmt"
+	"os"
 	"strconv"
 )

 var (
 	ErrInvalidMetricsConfig     = errors.New("config: invalid metrics configuration")
+	ErrInvalidMetricsTLSConfig  = errors.New("config: invalid metrics TLS configuration")
 	ErrNoMetricsBind            = errors.New("config.Metrics: must define bind")
 	ErrNoMetricsNetwork         = errors.New("config.Metrics: must define network")
 	ErrNoMetricsSocketMode      = errors.New("config.Metrics: must define socket mode when using unix sockets")
 	ErrInvalidMetricsSocketMode = errors.New("config.Metrics: invalid unix socket mode")
 	ErrInvalidMetricsNetwork    = errors.New("config.Metrics: invalid metrics network")
+	ErrNoMetricsTLSCertificate  = errors.New("config.Metrics.TLS: must define certificate file")
+	ErrNoMetricsTLSKey          = errors.New("config.Metrics.TLS: must define key file")
+	ErrInvalidMetricsTLSKeypair = errors.New("config.Metrics.TLS: keypair is invalid")
+	ErrCantReadFile             = errors.New("config: can't read required file")
 )

 type Metrics struct {
-	Bind       string `json:"bind" yaml:"bind"`
-	Network    string `json:"network" yaml:"network"`
-	SocketMode string `json:"socketMode" yaml:"socketMode"`
+	Bind       string      `json:"bind" yaml:"bind"`
+	Network    string      `json:"network" yaml:"network"`
+	SocketMode string      `json:"socketMode" yaml:"socketMode"`
+	TLS        *MetricsTLS `json:"tls" yaml:"tls"`
 }

 func (m *Metrics) Valid() error {
@@ -46,9 +54,65 @@ func (m *Metrics) Valid() error {
 		errs = append(errs, ErrInvalidMetricsNetwork)
 	}

+	if m.TLS != nil {
+		if err := m.TLS.Valid(); err != nil {
+			errs = append(errs, err)
+		}
+	}
+
 	if len(errs) != 0 {
 		return errors.Join(ErrInvalidMetricsConfig, errors.Join(errs...))
 	}

 	return nil
 }
+
+type MetricsTLS struct {
+	Certificate string `json:"certificate" yaml:"certificate"`
+	Key         string `json:"key" yaml:"key"`
+}
+
+func (mt *MetricsTLS) Valid() error {
+	var errs []error
+
+	if mt.Certificate == "" {
+		errs = append(errs, ErrNoMetricsTLSCertificate)
+	}
+
+	if err := canReadFile(mt.Certificate); err != nil {
+		errs = append(errs, fmt.Errorf("%w %s: %w", ErrCantReadFile, mt.Certificate, err))
+	}
+
+	if mt.Key == "" {
+		errs = append(errs, ErrNoMetricsTLSKey)
+	}
+
+	if err := canReadFile(mt.Key); err != nil {
+		errs = append(errs, fmt.Errorf("%w %s: %w", ErrCantReadFile, mt.Key, err))
+	}
+
+	if _, err := tls.LoadX509KeyPair(mt.Certificate, mt.Key); err != nil {
+		errs = append(errs, fmt.Errorf("%w: %w", ErrInvalidMetricsTLSKeypair, err))
+	}
+
+	if len(errs) != 0 {
+		return errors.Join(ErrInvalidMetricsTLSConfig, errors.Join(errs...))
+	}
+
+	return nil
+}
+
+func canReadFile(fname string) error {
+	fin, err := os.Open(fname)
+	if err != nil {
+		return err
+	}
+	defer fin.Close()
+
+	data := make([]byte, 64)
+	if _, err := fin.Read(data); err != nil {
+		return fmt.Errorf("can't read %s: %w", fname, err)
+	}
+
+	return nil
+}
@@ -75,6 +75,50 @@ func TestMetricsValid(t *testing.T) {
 			},
 			err: ErrInvalidMetricsNetwork,
 		},
+		{
+			name: "invalid TLS config",
+			input: &Metrics{
+				Bind:    ":9090",
+				Network: "tcp",
+				TLS:     &MetricsTLS{},
+			},
+			err: ErrInvalidMetricsTLSConfig,
+		},
+		{
+			name: "selfsigned TLS cert",
+			input: &Metrics{
+				Bind:    ":9090",
+				Network: "tcp",
+				TLS: &MetricsTLS{
+					Certificate: "./testdata/tls/selfsigned.crt",
+					Key:         "./testdata/tls/selfsigned.key",
+				},
+			},
+		},
+		{
+			name: "wrong path to selfsigned TLS cert",
+			input: &Metrics{
+				Bind:    ":9090",
+				Network: "tcp",
+				TLS: &MetricsTLS{
+					Certificate: "./testdata/tls2/selfsigned.crt",
+					Key:         "./testdata/tls2/selfsigned.key",
+				},
+			},
+			err: ErrCantReadFile,
+		},
+		{
+			name: "unparseable TLS cert",
+			input: &Metrics{
+				Bind:    ":9090",
+				Network: "tcp",
+				TLS: &MetricsTLS{
+					Certificate: "./testdata/tls/invalid.crt",
+					Key:         "./testdata/tls/invalid.key",
+				},
+			},
+			err: ErrInvalidMetricsTLSKeypair,
+		},
 	} {
 		t.Run(tt.name, func(t *testing.T) {
 			if err := tt.input.Valid(); !errors.Is(err, tt.err) {
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBnzCCAVGgAwIBAgIUK39B3Ft+kU5o81IuISs79O4u1ncwBQYDK2VwMEUxCzAJ
+BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l
+dCBXaWRnaXRzIFB0eSBMdGQwHhcNMjYwNDIyMTQyNjE4WhcNMjYwNTIyMTQyNjE4
+WjBFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwY
+SW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMCowBQYDK2VwAyEAfgpAUpp8MIOOdQpH
+fxaw3R7mFKQRMR6Kmxzk1Xn/2VujUzBRMB0GA1UdDgQWBBSmkBmzo0RiZ2iocMR8
+uIIpz9cZyTAfBgNVHSMEGDAWgBSmkBmzo0RiZ2iocMR8uIIpz9cZyTAPBgNVHRMB
+Af8EBTADAQH/MAUGAytlcANBAG37XXZrVUUzGyy3T9qsPIzvJQAGpGhdjJ7bt9O6
+sBhzrliTONPrudYuyUggWsHgFb0JlN2xs4/2HhKU+PY7AAQ=
+-----END CERTIFICATE-----
@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIL0HxjjfVlg6zQPB9/zTLq0IBzfp8gEoifEYzQZYIj+T
+-----END PRIVATE KEY-----
@@ -73,8 +73,15 @@ func (s *Server) Run(ctx context.Context, done func()) error {
 		}
 	}()

-	if err := srv.Serve(ln); !errors.Is(err, http.ErrServerClosed) {
-		return fmt.Errorf("can't serve metrics server: %w", err)
+	switch s.Config.TLS != nil {
+	case true:
+		if err := srv.ServeTLS(ln, s.Config.TLS.Certificate, s.Config.TLS.Key); !errors.Is(err, http.ErrServerClosed) {
+			return fmt.Errorf("can't serve TLS metrics server: %w", err)
+		}
+	case false:
+		if err := srv.Serve(ln); !errors.Is(err, http.ErrServerClosed) {
+			return fmt.Errorf("can't serve metrics server: %w", err)
+		}
 	}

 	return nil
@@ -54,6 +54,7 @@ User-agent: meta-externalagent
 User-agent: Meta-ExternalAgent
 User-agent: meta-externalfetcher
 User-agent: Meta-ExternalFetcher
+User-agent: meta-webindexer
 User-agent: MistralAI-User
 User-agent: MistralAI-User/1.0
 User-agent: MyCentralAIScraperBot
Author	SHA1	Message	Date
Xe Iaso	888c477933	feat(metrics): add naive TLS serving for metrics Signed-off-by: Xe Iaso <me@xeiaso.net>	2026-04-22 10:38:46 -04:00
Xe Iaso	cda06f8c71	feat(config): add metrics TLS configuration Signed-off-by: Xe Iaso <me@xeiaso.net>	2026-04-22 10:36:32 -04:00
Benjamin Bouvier	f21706eb12	feat(data): add Meta's web indexer used for AI purposes (#1573 ) This indexer is documented in https://developers.facebook.com/docs/sharing/webmasters/web-crawlers. I saw it parsing the entirety of my Forgejo instance, so I suggest to widely block it. Signed-off-by: Benjamin Bouvier <benjamin@bouvier.cc>	2026-04-21 16:56:23 -04:00
Xe Iaso	d5ccf9c670	feat: move metrics server config to the policy file (#1572 ) * feat(config): add metrics bind config to policy file with flag hack Signed-off-by: Xe Iaso <me@xeiaso.net> * feat(internal): move SetupListener from main Signed-off-by: Xe Iaso <me@xeiaso.net> * fix(main): use internal.SetupListener Signed-off-by: Xe Iaso <me@xeiaso.net> * fix(config): add metrics socket mode Signed-off-by: Xe Iaso <me@xeiaso.net> * feat: move metrics server to a dedicated package Signed-off-by: Xe Iaso <me@xeiaso.net> * doc: add metrics server configuration docs Signed-off-by: Xe Iaso <me@xeiaso.net> * doc(default-config): add vague references to metrics server Signed-off-by: Xe Iaso <me@xeiaso.net> * chore: spelling Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Xe Iaso <me@xeiaso.net>	2026-04-21 15:36:11 -04:00