Adding TLS to node exporter - cleaner version (#1277)

Add support for https connections.

Signed-off-by: ksherryBAE <kieran.sherry@baesystems.com>
Signed-off-by: James Ritchie <james.g.ritchie@baesystems.com>
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
Signed-off-by: Ben RIdley <benridley29@gmail.com>

20 files changed, 876 insertions, 0 deletions

diff --git a/https/README.md b/https/README.md
new file mode 100644
index 0000000..b8c7ac4
--- /dev/null
+++ b/https/README.md
@@ -0,0 +1,24 @@
+# HTTPS Package for Prometheus
+
+The `https` directory contains a Go package and a sample configuration file for running `node_exporter` with HTTPS instead of HTTP.
+When running a server with TLS use the flag `--web.config`
+
+e.g. `./node_exporter --web.config="web-config.yml"`
+If the config is kept within the https directory.
+
+The config file should be written in YAML format, and is reloaded on each connection to check for new certificates and/or authentication policy.
+
+##Sample Config:
+```
+tlsConfig :
+  # Certificate and key files for server to use to authenticate to client
+  tlsCertPath : <filename>
+  tlsKeyPath : <filename>
+
+  # Server policy for client authentication. Maps to ClientAuth Policies
+  # For more detail on clientAuth options: [ClientAuthType](https://golang.org/pkg/crypto/tls/#ClientAuthType)
+  [ clientAuth : <string> | default = "NoClientCert" ]
+
+  # CA certificate for client certificate authentication to the server
+  [ clientCAs : <filename> ]
+```
diff --git a/https/testdata/server.crt b/https/testdata/server.crt
new file mode 100644
index 0000000..2ead969
--- /dev/null
+++ b/https/testdata/server.crt
@@ -0,0 +1,96 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, O=Prometheus, OU=Prometheus Certificate Authority, CN=Prometheus TLS CA
+        Validity
+            Not Before: Apr  5 08:06:57 2019 GMT
+            Not After : Mar 26 08:06:57 2059 GMT
+        Subject: C=US, O=Prometheus, CN=prometheus.example.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:bd:6c:b6:7f:d1:2f:be:e4:41:eb:5d:ff:50:78:
+                    03:2b:76:03:da:01:48:20:13:90:66:c9:ce:6e:06:
+                    e5:fa:2d:0d:c0:b0:46:28:44:10:a0:61:79:87:a2:
+                    98:4c:29:fa:f9:bb:0f:44:c7:90:5c:5c:55:60:cd:
+                    45:da:b8:e4:dd:28:72:c8:8b:a1:3e:4b:00:09:82:
+                    b0:2c:dc:d6:17:c9:02:f4:cd:26:c7:11:28:f3:77:
+                    b5:97:c2:76:c2:e0:07:d7:34:5b:e0:ed:1a:59:a5:
+                    b4:b7:16:09:3d:35:bd:d9:03:07:9d:7c:3b:f0:63:
+                    bd:5e:02:99:cf:32:e1:ac:4c:7a:3e:4c:b2:8e:98:
+                    68:07:4f:59:dc:0d:bf:cc:83:04:5c:d8:90:f0:73:
+                    da:2b:08:17:c4:36:a7:d8:94:3d:b6:c0:af:29:0a:
+                    d3:19:5f:eb:7d:cc:4d:05:56:11:0a:ee:b1:f3:d7:
+                    c9:5a:3c:8c:57:16:91:51:14:f8:20:4e:0f:29:9e:
+                    04:21:e6:f1:e4:e8:44:af:d7:25:92:08:64:fc:2c:
+                    1c:2e:4f:71:53:91:53:1d:e5:f9:7b:52:0f:21:da:
+                    5c:dd:19:68:96:ca:70:6a:f1:c4:0d:07:af:f8:65:
+                    13:92:e9:ef:65:b3:89:86:fd:c0:74:5c:a4:6b:49:
+                    62:c5
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication
+            X509v3 Subject Key Identifier: 
+                00:61:01:AD:25:44:8A:EF:E1:2C:EC:83:5A:3A:3B:EA:A0:BD:E1:45
+            X509v3 Authority Key Identifier: 
+                keyid:4D:02:BF:71:95:6A:AA:58:C5:9C:B8:83:67:5E:64:16:99:E1:2A:9E
+
+            Authority Information Access: 
+                CA Issuers - URI:http://example.com/ca/tls-ca.cer
+
+            X509v3 CRL Distribution Points: 
+
+                Full Name:
+                  URI:http://example.com/ca/tls-ca.crl
+
+            X509v3 Subject Alternative Name: 
+                IP Address:127.0.0.1, IP Address:127.0.0.0, DNS:localhost
+    Signature Algorithm: sha1WithRSAEncryption
+         77:97:e4:ef:db:10:8e:62:50:96:4a:6e:f5:a4:f9:1f:19:3b:
+         c8:a4:dd:b3:f6:11:41:1a:fb:e3:f8:dd:0e:64:e5:2b:00:b9:
+         e6:25:9f:2e:e1:d2:9a:cd:b6:f2:41:4d:27:dd:2c:9a:af:97:
+         79:e8:cf:61:fb:cf:be:25:c6:e1:19:a0:c8:90:44:a0:76:8a:
+         45:d4:37:22:e5:d4:80:b4:b3:0f:a8:33:08:24:ad:21:0b:b7:
+         98:46:93:90:8a:ae:77:0c:cb:b8:59:d3:3b:9b:fb:16:5a:22:
+         ca:c2:97:9d:78:1b:fc:23:fc:a0:42:54:40:de:88:4b:07:2b:
+         19:4e:0e:79:bf:c9:9f:01:a6:46:c5:55:fa:9f:c0:0d:8a:a6:
+         e1:47:16:a6:0e:be:23:c9:e9:58:d6:31:71:8c:80:9c:16:64:
+         f0:14:08:22:a1:23:7c:98:b9:62:d1:4a:ce:e3:5c:59:fb:41:
+         87:a5:3b:36:dd:3d:45:48:b0:b0:77:6f:de:58:2a:27:4d:56:
+         20:54:08:20:c8:6d:79:b5:b9:e6:3a:03:24:0f:6d:67:39:20:
+         78:10:2f:47:85:83:c1:4d:17:33:79:84:75:27:fa:47:67:59:
+         56:cc:33:7b:a5:77:aa:59:9a:98:30:10:1a:78:43:34:8f:ed:
+         c2:a1:a3:ea
+-----BEGIN CERTIFICATE-----
+MIIEPDCCAySgAwIBAgIBATANBgkqhkiG9w0BAQUFADBpMQswCQYDVQQGEwJVUzET
+MBEGA1UECgwKUHJvbWV0aGV1czEpMCcGA1UECwwgUHJvbWV0aGV1cyBDZXJ0aWZp
+Y2F0ZSBBdXRob3JpdHkxGjAYBgNVBAMMEVByb21ldGhldXMgVExTIENBMCAXDTE5
+MDQwNTA4MDY1N1oYDzIwNTkwMzI2MDgwNjU3WjBDMQswCQYDVQQGEwJVUzETMBEG
+A1UECgwKUHJvbWV0aGV1czEfMB0GA1UEAwwWcHJvbWV0aGV1cy5leGFtcGxlLmNv
+bTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL1stn/RL77kQetd/1B4
+Ayt2A9oBSCATkGbJzm4G5fotDcCwRihEEKBheYeimEwp+vm7D0THkFxcVWDNRdq4
+5N0ocsiLoT5LAAmCsCzc1hfJAvTNJscRKPN3tZfCdsLgB9c0W+DtGlmltLcWCT01
+vdkDB518O/BjvV4Cmc8y4axMej5Mso6YaAdPWdwNv8yDBFzYkPBz2isIF8Q2p9iU
+PbbArykK0xlf633MTQVWEQrusfPXyVo8jFcWkVEU+CBODymeBCHm8eToRK/XJZII
+ZPwsHC5PcVORUx3l+XtSDyHaXN0ZaJbKcGrxxA0Hr/hlE5Lp72WziYb9wHRcpGtJ
+YsUCAwEAAaOCAREwggENMA4GA1UdDwEB/wQEAwIFoDAJBgNVHRMEAjAAMB0GA1Ud
+JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUAGEBrSVEiu/hLOyD
+Wjo76qC94UUwHwYDVR0jBBgwFoAUTQK/cZVqqljFnLiDZ15kFpnhKp4wPAYIKwYB
+BQUHAQEEMDAuMCwGCCsGAQUFBzAChiBodHRwOi8vZXhhbXBsZS5jb20vY2EvdGxz
+LWNhLmNlcjAxBgNVHR8EKjAoMCagJKAihiBodHRwOi8vZXhhbXBsZS5jb20vY2Ev
+dGxzLWNhLmNybDAgBgNVHREEGTAXhwR/AAABhwR/AAAAgglsb2NhbGhvc3QwDQYJ
+KoZIhvcNAQEFBQADggEBAHeX5O/bEI5iUJZKbvWk+R8ZO8ik3bP2EUEa++P43Q5k
+5SsAueYlny7h0prNtvJBTSfdLJqvl3noz2H7z74lxuEZoMiQRKB2ikXUNyLl1IC0
+sw+oMwgkrSELt5hGk5CKrncMy7hZ0zub+xZaIsrCl514G/wj/KBCVEDeiEsHKxlO
+Dnm/yZ8BpkbFVfqfwA2KpuFHFqYOviPJ6VjWMXGMgJwWZPAUCCKhI3yYuWLRSs7j
+XFn7QYelOzbdPUVIsLB3b95YKidNViBUCCDIbXm1ueY6AyQPbWc5IHgQL0eFg8FN
+FzN5hHUn+kdnWVbMM3uld6pZmpgwEBp4QzSP7cKho+o=
+-----END CERTIFICATE-----
diff --git a/https/testdata/server.key b/https/testdata/server.key
new file mode 100644
index 0000000..e1226c0
--- /dev/null
+++ b/https/testdata/server.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC9bLZ/0S++5EHr
+Xf9QeAMrdgPaAUggE5Bmyc5uBuX6LQ3AsEYoRBCgYXmHophMKfr5uw9Ex5BcXFVg
+zUXauOTdKHLIi6E+SwAJgrAs3NYXyQL0zSbHESjzd7WXwnbC4AfXNFvg7RpZpbS3
+Fgk9Nb3ZAwedfDvwY71eApnPMuGsTHo+TLKOmGgHT1ncDb/MgwRc2JDwc9orCBfE
+NqfYlD22wK8pCtMZX+t9zE0FVhEK7rHz18laPIxXFpFRFPggTg8pngQh5vHk6ESv
+1yWSCGT8LBwuT3FTkVMd5fl7Ug8h2lzdGWiWynBq8cQNB6/4ZROS6e9ls4mG/cB0
+XKRrSWLFAgMBAAECggEAezQ0V1o11dEc1vuiTjJgzWnLA4aF5OcUquZjb8jo2Blp
+soR0fUgYEFiV9RRaPl+nr7ptKe0rBgfAOGALKUHNCdN/JNU8oQmjEoyADg3s6jeB
+xruQlzWgDwszf2uqVwHj16Nkhx1wYBKZQeQBSmCkBHwl/daKHcahqn3CkLOleKx+
+Qlc3BzWNaGte6qpJMs0It3by1FuxRwVz5VkL8uhzj0WIOYMA84t0gTnFH9gfRO3F
+licotxg/Nl5M36wWcfL8Jq++72AtaKcD1jUEwuQpogrVeqflmeHwn/TlL++Hv6Xe
+Lq0jt3OCUKUV40eq9c5uEgTmyrVHMDkfFdXzutdMAQKBgQDsSMXk7P4SX6u6uTjV
+In9eWw6ZyJ2aL6VB9co/NMsj49GrrFT8VX9d+JPe9P/n6tuGcFbymNep22njRksR
+0ItpW1NFRR/R3g0kYe1EhkRpNm6fhY9oIuR9xhcNnPNYkqAKT3T/dxrzbwsNhomi
+X8aht/eCz4ZsK/KdOGTkPozxgQKBgQDNOvrclT1Wl4bxONp9pEV5XpRSD/qigfIp
+i5wxy7ihX/QY9RToIWJDnzMVLnEYe64RB2WB8/4WwNPOQcuaxXbFUFct/2NdhTnS
+ToJPgPe819zW9t1FLTf1fHtsRBpGFtbhdlUDOiOtJiMXYiwlRh2uyWFhjOo8TNUE
+qMwai0vLRQKBgQCDH4t6lC4W4jK5x2oLlT5bjWqX2uXjF8e8x/q5gsGspBPKEjOD
+aKrq6jSdSRbui73RaGxH6pvb7iBf+LVWKIYFLKIUUdzrqS9f3lw+Z8h1HrjbG9JO
+dvaX+aL3cf71S0E3F4sU7fLt3tSiZ+PfUQk424+mbyXox6a2qwIKS9AJgQKBgHCu
+dHROYJo9ojKpo5Ueb6K+4jLYYSV+sYZMCBtzHlFETNKzJaJ6SeiU7Ugw8pmdtqnU
+5M/gNl8pymFR0MeOqbKWdPdlZJpBfsjQoE2kouEFqFRCwKStui7IBUAheEeJXLv3
+659U+aek69l35oMkp0GDgjs8UpN/H+pp/36Hgrr9AoGAftWU405rpStHEdRVrazP
+FibQesT9HOdJgmm1gNIhj+PnFs7lKER9p0Wdl79QnIqjwyhjCXL94TFerzTKLY2c
+IRj5dcRHiiT0iK8wq8bzGNYCqV73oQXaUFMiutNAArXwzwuvPFPWNBQsjLzeDLeC
+mcOsCcPAk8cLYtVfZo2sP3g=
+-----END PRIVATE KEY-----
diff --git a/https/testdata/tls-ca-chain.pem b/https/testdata/tls-ca-chain.pem
new file mode 100644
index 0000000..722264d
--- /dev/null
+++ b/https/testdata/tls-ca-chain.pem
@@ -0,0 +1,173 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2 (0x2)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, O=Prometheus, OU=Prometheus Certificate Authority, CN=Prometheus Root CA
+        Validity
+            Not Before: Apr  5 08:00:37 2019 GMT
+            Not After : Mar 26 08:00:37 2059 GMT
+        Subject: C=US, O=Prometheus, OU=Prometheus Certificate Authority, CN=Prometheus TLS CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:aa:d2:34:6b:ed:f1:f4:01:08:e5:00:9f:75:c8:
+                    ba:fc:4b:72:c6:04:93:af:f1:f6:b5:ce:01:0d:c6:
+                    bd:d3:16:98:9d:e5:51:56:12:58:16:ee:18:6e:f0:
+                    68:a9:42:16:65:cf:e3:31:f5:90:79:9d:13:32:87:
+                    3b:1f:65:fd:84:88:a4:56:3d:26:54:69:05:27:5a:
+                    ea:89:02:e7:31:9b:7d:7f:76:93:54:70:bc:17:92:
+                    06:9f:9f:90:4a:8a:cf:82:a7:7b:7c:71:c4:fa:34:
+                    56:00:32:1a:85:c5:f8:e4:4a:63:43:37:9d:60:84:
+                    4d:78:6e:87:12:c4:2b:1f:93:a5:fe:cc:5e:f1:df:
+                    c1:97:ff:b7:3e:20:38:1d:71:15:11:ec:6c:7a:cc:
+                    0e:87:52:31:b1:b9:74:c3:07:1c:42:4b:1e:c1:17:
+                    bc:e4:13:b7:b0:20:2e:c4:07:93:bd:a8:11:f9:da:
+                    a7:d0:df:4a:48:be:9b:6d:65:c3:ae:58:56:c0:9f:
+                    17:c5:d8:32:b1:04:22:fb:5b:18:f6:20:10:50:ec:
+                    2d:10:4f:cc:48:8f:f2:75:dd:33:a4:0e:f5:55:da:
+                    2c:89:a1:3a:52:bb:11:11:0b:97:27:17:73:35:da:
+                    10:71:b3:9f:a8:42:91:e6:3a:66:00:f9:e5:11:8f:
+                    5b:57
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Subject Key Identifier: 
+                4D:02:BF:71:95:6A:AA:58:C5:9C:B8:83:67:5E:64:16:99:E1:2A:9E
+            X509v3 Authority Key Identifier: 
+                keyid:3C:1E:A8:C6:4C:05:4D:20:EC:88:DB:29:D4:7B:F9:12:5D:CE:EA:1A
+
+            Authority Information Access: 
+                CA Issuers - URI:https://example.com/ca/root-ca.cer
+
+            X509v3 CRL Distribution Points: 
+
+                Full Name:
+                  URI:https://example.com/ca/root-ca.crl
+
+    Signature Algorithm: sha1WithRSAEncryption
+         63:fc:ba:30:a5:05:d6:76:14:f1:77:38:b1:41:6f:81:d9:b4:
+         02:fd:bc:e5:f6:d9:e6:73:e0:71:cf:4c:fb:13:b5:6b:bd:b9:
+         c6:f6:28:18:36:e1:8c:d9:93:b3:78:4a:3d:39:1b:f4:fb:69:
+         75:24:ae:e1:a0:2f:94:05:bf:10:3c:3e:d2:2b:a8:f3:31:25:
+         2e:ed:13:ad:60:5d:22:9a:26:15:20:86:98:73:4c:f6:4b:48:
+         b8:1f:67:ba:4e:c9:47:ed:85:dc:38:dc:02:0c:fb:54:d5:2e:
+         6c:b4:95:18:51:d1:ae:ea:e8:fb:b4:19:50:04:bc:31:7e:51:
+         9e:85:29:4d:c8:f7:26:d6:d6:8d:35:2d:9e:e2:06:16:38:e2:
+         56:80:ec:f3:a3:34:e3:28:c4:e8:10:d0:8a:a6:6f:20:9a:b9:
+         dc:b9:90:6b:ba:8a:27:2c:29:72:28:55:e7:59:a6:a7:90:ec:
+         32:e8:d0:26:4a:c1:44:dd:20:bf:dc:4d:1e:7e:cc:e5:a2:5b:
+         e8:df:3d:4b:01:aa:48:56:17:e9:29:d8:71:83:05:36:8c:11:
+         4f:77:b8:95:20:b7:c7:21:06:c2:87:97:b4:6b:d3:f7:23:ba:
+         4d:5f:15:d1:0c:4d:6e:f1:6a:9d:57:5c:02:6a:d7:31:18:ef:
+         5c:fc:f8:04
+-----BEGIN CERTIFICATE-----
+MIIELTCCAxWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBqMQswCQYDVQQGEwJVUzET
+MBEGA1UECgwKUHJvbWV0aGV1czEpMCcGA1UECwwgUHJvbWV0aGV1cyBDZXJ0aWZp
+Y2F0ZSBBdXRob3JpdHkxGzAZBgNVBAMMElByb21ldGhldXMgUm9vdCBDQTAgFw0x
+OTA0MDUwODAwMzdaGA8yMDU5MDMyNjA4MDAzN1owaTELMAkGA1UEBhMCVVMxEzAR
+BgNVBAoMClByb21ldGhldXMxKTAnBgNVBAsMIFByb21ldGhldXMgQ2VydGlmaWNh
+dGUgQXV0aG9yaXR5MRowGAYDVQQDDBFQcm9tZXRoZXVzIFRMUyBDQTCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKrSNGvt8fQBCOUAn3XIuvxLcsYEk6/x
+9rXOAQ3GvdMWmJ3lUVYSWBbuGG7waKlCFmXP4zH1kHmdEzKHOx9l/YSIpFY9JlRp
+BSda6okC5zGbfX92k1RwvBeSBp+fkEqKz4Kne3xxxPo0VgAyGoXF+ORKY0M3nWCE
+TXhuhxLEKx+Tpf7MXvHfwZf/tz4gOB1xFRHsbHrMDodSMbG5dMMHHEJLHsEXvOQT
+t7AgLsQHk72oEfnap9DfSki+m21lw65YVsCfF8XYMrEEIvtbGPYgEFDsLRBPzEiP
+8nXdM6QO9VXaLImhOlK7ERELlycXczXaEHGzn6hCkeY6ZgD55RGPW1cCAwEAAaOB
+3DCB2TAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4E
+FgQUTQK/cZVqqljFnLiDZ15kFpnhKp4wHwYDVR0jBBgwFoAUPB6oxkwFTSDsiNsp
+1Hv5El3O6howPgYIKwYBBQUHAQEEMjAwMC4GCCsGAQUFBzAChiJodHRwczovL2V4
+YW1wbGUuY29tL2NhL3Jvb3QtY2EuY2VyMDMGA1UdHwQsMCowKKAmoCSGImh0dHBz
+Oi8vZXhhbXBsZS5jb20vY2Evcm9vdC1jYS5jcmwwDQYJKoZIhvcNAQEFBQADggEB
+AGP8ujClBdZ2FPF3OLFBb4HZtAL9vOX22eZz4HHPTPsTtWu9ucb2KBg24YzZk7N4
+Sj05G/T7aXUkruGgL5QFvxA8PtIrqPMxJS7tE61gXSKaJhUghphzTPZLSLgfZ7pO
+yUfthdw43AIM+1TVLmy0lRhR0a7q6Pu0GVAEvDF+UZ6FKU3I9ybW1o01LZ7iBhY4
+4laA7POjNOMoxOgQ0IqmbyCaudy5kGu6iicsKXIoVedZpqeQ7DLo0CZKwUTdIL/c
+TR5+zOWiW+jfPUsBqkhWF+kp2HGDBTaMEU93uJUgt8chBsKHl7Rr0/cjuk1fFdEM
+TW7xap1XXAJq1zEY71z8+AQ=
+-----END CERTIFICATE-----
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, O=Prometheus, OU=Prometheus Certificate Authority, CN=Prometheus Root CA
+        Validity
+            Not Before: Apr  5 07:55:00 2019 GMT
+            Not After : Mar 26 07:55:00 2059 GMT
+        Subject: C=US, O=Prometheus, OU=Prometheus Certificate Authority, CN=Prometheus Root CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:bf:b9:e2:ab:5f:61:22:e1:4e:cd:ee:da:b0:26:
+                    2e:bb:b0:7e:1c:ce:10:be:16:29:35:0c:0c:1d:93:
+                    01:29:2a:f6:f9:c2:6e:5c:10:44:ca:f8:dc:ad:7a:
+                    06:64:0f:8a:18:ad:b2:a2:94:49:c9:ba:8c:45:94:
+                    7c:d9:e0:11:45:d8:16:79:a2:20:9f:8c:63:60:72:
+                    2a:5b:f9:66:80:ac:85:67:01:5a:eb:91:c1:d2:88:
+                    87:9e:4c:18:c9:f2:f0:7a:18:c0:e6:ab:2c:78:de:
+                    5f:b2:22:4e:94:9c:f5:cd:e6:e2:33:30:e9:20:10:
+                    a6:a1:75:eb:59:ab:45:a9:f7:3e:54:40:ae:05:25:
+                    be:74:c5:3a:fd:af:73:16:60:45:7c:4a:e0:0e:0d:
+                    a1:15:7f:9a:1f:c2:a7:04:ad:ef:b3:e4:f6:00:2c:
+                    4e:0b:04:90:49:ee:d3:db:a6:12:c4:91:0b:32:4f:
+                    11:84:c7:c4:8a:ef:51:66:7a:b0:20:2f:cb:95:8d:
+                    96:57:60:66:5e:f9:4f:5a:94:9c:71:ad:eb:ca:70:
+                    3e:62:06:c2:3a:29:f8:9e:86:af:da:07:78:f8:31:
+                    af:42:48:49:9e:4a:df:1b:27:1f:44:35:81:6d:fa:
+                    7a:c5:6a:0a:35:23:c7:c4:d5:fe:c9:9e:61:c9:30:
+                    cd:1f
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Subject Key Identifier: 
+                3C:1E:A8:C6:4C:05:4D:20:EC:88:DB:29:D4:7B:F9:12:5D:CE:EA:1A
+            X509v3 Authority Key Identifier: 
+                keyid:3C:1E:A8:C6:4C:05:4D:20:EC:88:DB:29:D4:7B:F9:12:5D:CE:EA:1A
+
+    Signature Algorithm: sha1WithRSAEncryption
+         56:2f:79:e5:12:91:f5:19:a7:d1:32:28:fd:e3:9d:8f:e1:3c:
+         bb:a3:a5:f2:55:8a:03:ad:2c:1d:18:82:e1:7f:19:75:d9:47:
+         5b:e7:7c:e4:a5:e0:eb:dc:7e:24:a3:7d:99:1a:cf:39:ba:a5:
+         b4:b8:45:68:83:cf:70:ad:56:f2:34:73:65:fc:6c:b0:53:9a:
+         79:04:f7:3e:7e:4b:22:1b:e7:76:23:20:bc:9c:05:a2:5d:01:
+         d2:f0:09:49:17:b2:61:74:1a:5b:f4:e0:fd:ce:11:ba:13:4a:
+         e6:07:11:7d:30:e2:11:87:ee:33:1a:68:de:67:f4:ac:b5:58:
+         1a:ac:cf:7a:2d:fd:c3:44:5b:4b:cd:6c:ff:f6:49:b4:55:4a:
+         09:a0:92:2d:57:3b:69:85:54:3e:e9:ec:ef:b2:a5:7a:29:75:
+         2b:f8:eb:4b:d4:cf:68:ee:3e:c8:63:7e:12:eb:e4:2f:63:a3:
+         a7:c8:0f:e9:39:ff:5c:29:65:7f:25:f0:42:bf:07:ba:06:b8:
+         5e:d6:56:ba:f8:67:56:1b:42:aa:b3:04:d8:6e:88:10:a5:70:
+         b5:81:04:a4:90:a3:f0:83:4d:0c:6b:12:5d:a4:4c:83:5a:ff:
+         a8:7a:86:61:ff:0f:4c:e5:0f:17:d1:64:3c:bd:d9:22:7e:b7:
+         fa:9b:83:ba
+-----BEGIN CERTIFICATE-----
+MIIDtDCCApygAwIBAgIBATANBgkqhkiG9w0BAQUFADBqMQswCQYDVQQGEwJVUzET
+MBEGA1UECgwKUHJvbWV0aGV1czEpMCcGA1UECwwgUHJvbWV0aGV1cyBDZXJ0aWZp
+Y2F0ZSBBdXRob3JpdHkxGzAZBgNVBAMMElByb21ldGhldXMgUm9vdCBDQTAgFw0x
+OTA0MDUwNzU1MDBaGA8yMDU5MDMyNjA3NTUwMFowajELMAkGA1UEBhMCVVMxEzAR
+BgNVBAoMClByb21ldGhldXMxKTAnBgNVBAsMIFByb21ldGhldXMgQ2VydGlmaWNh
+dGUgQXV0aG9yaXR5MRswGQYDVQQDDBJQcm9tZXRoZXVzIFJvb3QgQ0EwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/ueKrX2Ei4U7N7tqwJi67sH4czhC+
+Fik1DAwdkwEpKvb5wm5cEETK+NytegZkD4oYrbKilEnJuoxFlHzZ4BFF2BZ5oiCf
+jGNgcipb+WaArIVnAVrrkcHSiIeeTBjJ8vB6GMDmqyx43l+yIk6UnPXN5uIzMOkg
+EKahdetZq0Wp9z5UQK4FJb50xTr9r3MWYEV8SuAODaEVf5ofwqcEre+z5PYALE4L
+BJBJ7tPbphLEkQsyTxGEx8SK71FmerAgL8uVjZZXYGZe+U9alJxxrevKcD5iBsI6
+Kfiehq/aB3j4Ma9CSEmeSt8bJx9ENYFt+nrFago1I8fE1f7JnmHJMM0fAgMBAAGj
+YzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQ8
+HqjGTAVNIOyI2ynUe/kSXc7qGjAfBgNVHSMEGDAWgBQ8HqjGTAVNIOyI2ynUe/kS
+Xc7qGjANBgkqhkiG9w0BAQUFAAOCAQEAVi955RKR9Rmn0TIo/eOdj+E8u6Ol8lWK
+A60sHRiC4X8ZddlHW+d85KXg69x+JKN9mRrPObqltLhFaIPPcK1W8jRzZfxssFOa
+eQT3Pn5LIhvndiMgvJwFol0B0vAJSReyYXQaW/Tg/c4RuhNK5gcRfTDiEYfuMxpo
+3mf0rLVYGqzPei39w0RbS81s//ZJtFVKCaCSLVc7aYVUPuns77Kleil1K/jrS9TP
+aO4+yGN+EuvkL2Ojp8gP6Tn/XCllfyXwQr8Huga4XtZWuvhnVhtCqrME2G6IEKVw
+tYEEpJCj8INNDGsSXaRMg1r/qHqGYf8PTOUPF9FkPL3ZIn63+puDug==
+-----END CERTIFICATE-----
diff --git a/https/testdata/tls_config_auth_clientCAs_invalid.bad.yml b/https/testdata/tls_config_auth_clientCAs_invalid.bad.yml
new file mode 100644
index 0000000..c34cc4f
--- /dev/null
+++ b/https/testdata/tls_config_auth_clientCAs_invalid.bad.yml
@@ -0,0 +1,4 @@
+tlsConfig :
+  tlsCertPath : "testdata/server.crt"
+  tlsKeyPath : "testdata/server.key"
+  clientCAs : "somefile"
\ No newline at end of file
diff --git a/https/testdata/tls_config_auth_clientCAs_missing.bad.yml b/https/testdata/tls_config_auth_clientCAs_missing.bad.yml
new file mode 100644
index 0000000..fc92932
--- /dev/null
+++ b/https/testdata/tls_config_auth_clientCAs_missing.bad.yml
@@ -0,0 +1,4 @@
+tlsConfig :
+  tlsCertPath : "testdata/server.crt"
+  tlsKeyPath : "testdata/server.key"
+  clientAuth : "RequireAndVerifyClientCert"
\ No newline at end of file
diff --git a/https/testdata/tls_config_empty.yml b/https/testdata/tls_config_empty.yml
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/https/testdata/tls_config_empty.yml
diff --git a/https/testdata/tls_config_junk.yml b/https/testdata/tls_config_junk.yml
new file mode 100644
index 0000000..568a7c4
--- /dev/null
+++ b/https/testdata/tls_config_junk.yml
@@ -0,0 +1,20 @@
+hWkNKCp3fvIx3jKnsaBI
+TuEjdwNS8A2vYdFbiKqr
+ay3RiOtykgt4m6m3KOol
+ZreGpJRGmpDSVV9cioiF
+r7kDOHhHU2frvv0nLcY2
+uQMQM4XgqFkCG6gFAIJZ
+g99tTkrZhN9b6pkJ6J2y
+rzdt729HrA2RblDGYfjs
+MW7GxrBdlCnliYJGPhfr
+g9kaXxMXcDwsw0C0rv0u
+637ZmfRGElb6VBVOtgqn
+RG0MRezjLYCJQBMUdRDE
+RzO4VicAzj7asVZAT3oo
+nPw267UONk7h7KBYRgch
+Alj38foWqjV3heXXdahm
+TrMzMgl6JIQ1x4OZB5i4
+qlrXFJoeV6Pr77nuiEh9
+3yE5vMnnKHm2nImEfzMG
+bI01UDObHRSaoJLC0vTD
+G9tlcKU883NkQ6nsxJ8Y
diff --git a/https/testdata/tls_config_noAuth.bad.yml b/https/testdata/tls_config_noAuth.bad.yml
new file mode 100644
index 0000000..f0dd228
--- /dev/null
+++ b/https/testdata/tls_config_noAuth.bad.yml
@@ -0,0 +1,4 @@
+tlsConfig :
+  tlsCertPath : "testdata/server.crt"
+  tlsKeyPath : "testdata/server.key"
+  clientCAs : "testdata/tls-ca-chain.pem" 
diff --git a/https/testdata/tls_config_noAuth.good.blocking.yml b/https/testdata/tls_config_noAuth.good.blocking.yml
new file mode 100644
index 0000000..f567693
--- /dev/null
+++ b/https/testdata/tls_config_noAuth.good.blocking.yml
@@ -0,0 +1,5 @@
+tlsConfig :
+  tlsCertPath : "testdata/server.crt"
+  tlsKeyPath : "testdata/server.key"
+  clientAuth : "RequireAndVerifyClientCert"
+  clientCAs: "testdata/tls-ca-chain.pem"
\ No newline at end of file
diff --git a/https/testdata/tls_config_noAuth.good.yml b/https/testdata/tls_config_noAuth.good.yml
new file mode 100644
index 0000000..76e46cf
--- /dev/null
+++ b/https/testdata/tls_config_noAuth.good.yml
@@ -0,0 +1,5 @@
+tlsConfig :
+  tlsCertPath : "testdata/server.crt"
+  tlsKeyPath : "testdata/server.key"
+  clientAuth : "VerifyClientCertIfGiven"
+  clientCAs : "testdata/tls-ca-chain.pem"
diff --git a/https/testdata/tls_config_noAuth_certPath_empty.bad.yml b/https/testdata/tls_config_noAuth_certPath_empty.bad.yml
new file mode 100644
index 0000000..39c7abd
--- /dev/null
+++ b/https/testdata/tls_config_noAuth_certPath_empty.bad.yml
@@ -0,0 +1,3 @@
+tlsConfig :
+  tlsCertPath : ""
+  tlsKeyPath : "testdata/server.key"
\ No newline at end of file
diff --git a/https/testdata/tls_config_noAuth_certPath_invalid.bad.yml b/https/testdata/tls_config_noAuth_certPath_invalid.bad.yml
new file mode 100644
index 0000000..5bdbd1a
--- /dev/null
+++ b/https/testdata/tls_config_noAuth_certPath_invalid.bad.yml
@@ -0,0 +1,3 @@
+tlsConfig :
+  tlsCertPath : "somefile"
+  tlsKeyPath : "testdata/server.key"
\ No newline at end of file
diff --git a/https/testdata/tls_config_noAuth_certPath_keyPath_empty.bad.yml b/https/testdata/tls_config_noAuth_certPath_keyPath_empty.bad.yml
new file mode 100644
index 0000000..938e5d6
--- /dev/null
+++ b/https/testdata/tls_config_noAuth_certPath_keyPath_empty.bad.yml
@@ -0,0 +1,3 @@
+tlsConfig :
+  tlsCertPath : ""
+  tlsKeyPath : ""
\ No newline at end of file
diff --git a/https/testdata/tls_config_noAuth_certPath_keyPath_invalid.bad.yml b/https/testdata/tls_config_noAuth_certPath_keyPath_invalid.bad.yml
new file mode 100644
index 0000000..b93ffd6
--- /dev/null
+++ b/https/testdata/tls_config_noAuth_certPath_keyPath_invalid.bad.yml
@@ -0,0 +1,3 @@
+tlsConfig :
+  tlsCertPath : "somefile"
+  tlsKeyPath : "somefile"
\ No newline at end of file
diff --git a/https/testdata/tls_config_noAuth_keyPath_empty.bad.yml b/https/testdata/tls_config_noAuth_keyPath_empty.bad.yml
new file mode 100644
index 0000000..424f92f
--- /dev/null
+++ b/https/testdata/tls_config_noAuth_keyPath_empty.bad.yml
@@ -0,0 +1,3 @@
+tlsConfig :
+  tlsCertPath : "testdata/server.crt"
+  tlsKeyPath : ""
\ No newline at end of file
diff --git a/https/testdata/tls_config_noAuth_keyPath_invalid.bad.yml b/https/testdata/tls_config_noAuth_keyPath_invalid.bad.yml
new file mode 100644
index 0000000..2625074
--- /dev/null
+++ b/https/testdata/tls_config_noAuth_keyPath_invalid.bad.yml
@@ -0,0 +1,3 @@
+tlsConfig :
+  tlsCertPath : "testdata/server.cert"
+  tlsKeyPath : "somefile"
\ No newline at end of file
diff --git a/https/tls_config.go b/https/tls_config.go
new file mode 100644
index 0000000..dd473d8
--- /dev/null
+++ b/https/tls_config.go
@@ -0,0 +1,123 @@
+// Copyright 2019 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package https allows the implementation of TLS.
+package https
+
+import (
+        "crypto/tls"
+        "crypto/x509"
+        "io/ioutil"
+        "net/http"
+
+        "github.com/pkg/errors"
+        "gopkg.in/yaml.v2"
+)
+
+type Config struct {
+        TLSConfig TLSStruct `yaml:"tlsConfig"`
+}
+
+type TLSStruct struct {
+        TLSCertPath string `yaml:"tlsCertPath"`
+        TLSKeyPath  string `yaml:"tlsKeyPath"`
+        ClientAuth  string `yaml:"clientAuth"`
+        ClientCAs   string `yaml:"clientCAs"`
+}
+
+func getTLSConfig(configPath string) (*tls.Config, error) {
+        content, err := ioutil.ReadFile(configPath)
+        if err != nil {
+                return nil, err
+        }
+        c := &Config{}
+        err = yaml.Unmarshal(content, c)
+        if err != nil {
+                return nil, err
+        }
+        return configToTLSConfig(&c.TLSConfig)
+}
+
+func configToTLSConfig(c *TLSStruct) (*tls.Config, error) {
+        cfg := &tls.Config{}
+        if len(c.TLSCertPath) == 0 {
+                return nil, errors.New("missing TLSCertPath")
+        }
+        if len(c.TLSKeyPath) == 0 {
+                return nil, errors.New("missing TLSKeyPath")
+        }
+        loadCert := func() (*tls.Certificate, error) {
+                cert, err := tls.LoadX509KeyPair(c.TLSCertPath, c.TLSKeyPath)
+                if err != nil {
+                        return nil, errors.Wrap(err, "failed to load X509KeyPair")
+                }
+                return &cert, nil
+        }
+        // Confirm that certificate and key paths are valid.
+        if _, err := loadCert(); err != nil {
+                return nil, err
+        }
+        cfg.GetCertificate = func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
+                return loadCert()
+        }
+
+        if len(c.ClientCAs) > 0 {
+                clientCAPool := x509.NewCertPool()
+                clientCAFile, err := ioutil.ReadFile(c.ClientCAs)
+                if err != nil {
+                        return nil, err
+                }
+                clientCAPool.AppendCertsFromPEM(clientCAFile)
+                cfg.ClientCAs = clientCAPool
+        }
+        if len(c.ClientAuth) > 0 {
+                switch s := (c.ClientAuth); s {
+                case "NoClientCert":
+                        cfg.ClientAuth = tls.NoClientCert
+                case "RequestClientCert":
+                        cfg.ClientAuth = tls.RequestClientCert
+                case "RequireClientCert":
+                        cfg.ClientAuth = tls.RequireAnyClientCert
+                case "VerifyClientCertIfGiven":
+                        cfg.ClientAuth = tls.VerifyClientCertIfGiven
+                case "RequireAndVerifyClientCert":
+                        cfg.ClientAuth = tls.RequireAndVerifyClientCert
+                case "":
+                        cfg.ClientAuth = tls.NoClientCert
+                default:
+                        return nil, errors.New("Invalid ClientAuth: " + s)
+                }
+        }
+        if len(c.ClientCAs) > 0 && cfg.ClientAuth == tls.NoClientCert {
+                return nil, errors.New("Client CA's have been configured without a Client Auth Policy")
+        }
+        return cfg, nil
+}
+
+// Listen starts the server on the given address. If tlsConfigPath isn't empty the server connection will be started using TLS.
+func Listen(server *http.Server, tlsConfigPath string) error {
+        if (tlsConfigPath) == "" {
+                return server.ListenAndServe()
+        }
+        var err error
+        server.TLSConfig, err = getTLSConfig(tlsConfigPath)
+        if err != nil {
+                return err
+        }
+        // Set the GetConfigForClient method of the HTTPS server so that the config
+        // and certs are reloaded on new connections.
+        server.TLSConfig.GetConfigForClient = func(*tls.ClientHelloInfo) (*tls.Config, error) {
+                return getTLSConfig(tlsConfigPath)
+        }
+        return server.ListenAndServeTLS("", "")
+}
diff --git a/https/tls_config_test.go b/https/tls_config_test.go
new file mode 100644
index 0000000..717f201
--- /dev/null
+++ b/https/tls_config_test.go
@@ -0,0 +1,362 @@
+// Copyright 2019 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package https
+
+import (
+        "crypto/tls"
+        "crypto/x509"
+        "errors"
+        "fmt"
+        "io/ioutil"
+        "net"
+        "net/http"
+        "regexp"
+        "sync"
+        "testing"
+        "time"
+)
+
+var (
+        port = getPort()
+
+        ErrorMap = map[string]*regexp.Regexp{
+                "HTTP Response to HTTPS":       regexp.MustCompile(`server gave HTTP response to HTTPS client`),
+                "No such file":                 regexp.MustCompile(`no such file`),
+                "Invalid argument":             regexp.MustCompile(`invalid argument`),
+                "YAML error":                   regexp.MustCompile(`yaml`),
+                "Invalid ClientAuth":           regexp.MustCompile(`invalid ClientAuth`),
+                "TLS handshake":                regexp.MustCompile(`tls`),
+                "HTTP Request to HTTPS server": regexp.MustCompile(`HTTP`),
+                "Invalid CertPath":             regexp.MustCompile(`missing TLSCertPath`),
+                "Invalid KeyPath":              regexp.MustCompile(`missing TLSKeyPath`),
+                "ClientCA set without policy":  regexp.MustCompile(`Client CA's have been configured without a Client Auth Policy`),
+        }
+)
+
+func getPort() string {
+        listener, err := net.Listen("tcp", ":0")
+        if err != nil {
+                panic(err)
+        }
+        defer listener.Close()
+        p := listener.Addr().(*net.TCPAddr).Port
+        return fmt.Sprintf(":%v", p)
+}
+
+type TestInputs struct {
+        Name           string
+        Server         func() *http.Server
+        UseNilServer   bool
+        YAMLConfigPath string
+        ExpectedError  *regexp.Regexp
+        UseTLSClient   bool
+}
+
+func TestYAMLFiles(t *testing.T) {
+        testTables := []*TestInputs{
+                {
+                        Name:           `path to config yml invalid`,
+                        YAMLConfigPath: "somefile",
+                        ExpectedError:  ErrorMap["No such file"],
+                },
+                {
+                        Name:           `empty config yml`,
+                        YAMLConfigPath: "testdata/tls_config_empty.yml",
+                        ExpectedError:  ErrorMap["Invalid CertPath"],
+                },
+                {
+                        Name:           `invalid config yml (invalid structure)`,
+                        YAMLConfigPath: "testdata/tls_config_junk.yml",
+                        ExpectedError:  ErrorMap["YAML error"],
+                },
+                {
+                        Name:           `invalid config yml (cert path empty)`,
+                        YAMLConfigPath: "testdata/tls_config_noAuth_certPath_empty.bad.yml",
+                        ExpectedError:  ErrorMap["Invalid CertPath"],
+                },
+                {
+                        Name:           `invalid config yml (key path empty)`,
+                        YAMLConfigPath: "testdata/tls_config_noAuth_keyPath_empty.bad.yml",
+                        ExpectedError:  ErrorMap["Invalid KeyPath"],
+                },
+                {
+                        Name:           `invalid config yml (cert path and key path empty)`,
+                        YAMLConfigPath: "testdata/tls_config_noAuth_certPath_keyPath_empty.bad.yml",
+                        ExpectedError:  ErrorMap["Invalid CertPath"],
+                },
+                {
+                        Name:           `invalid config yml (cert path invalid)`,
+                        YAMLConfigPath: "testdata/tls_config_noAuth_certPath_invalid.bad.yml",
+                        ExpectedError:  ErrorMap["No such file"],
+                },
+                {
+                        Name:           `invalid config yml (key path invalid)`,
+                        YAMLConfigPath: "testdata/tls_config_noAuth_keyPath_invalid.bad.yml",
+                        ExpectedError:  ErrorMap["No such file"],
+                },
+                {
+                        Name:           `invalid config yml (cert path and key path invalid)`,
+                        YAMLConfigPath: "testdata/tls_config_noAuth_certPath_keyPath_invalid.bad.yml",
+                        ExpectedError:  ErrorMap["No such file"],
+                },
+                {
+                        Name:           `invalid config yml (invalid ClientAuth)`,
+                        YAMLConfigPath: "testdata/tls_config_noAuth.bad.yml",
+                        ExpectedError:  ErrorMap["ClientCA set without policy"],
+                },
+                {
+                        Name:           `invalid config yml (invalid ClientCAs filepath)`,
+                        YAMLConfigPath: "testdata/tls_config_auth_clientCAs_invalid.bad.yml",
+                        ExpectedError:  ErrorMap["No such file"],
+                },
+        }
+        for _, testInputs := range testTables {
+                t.Run(testInputs.Name, testInputs.Test)
+        }
+}
+
+func TestServerBehaviour(t *testing.T) {
+        testTables := []*TestInputs{
+                {
+                        Name:           `empty string YAMLConfigPath and default client`,
+                        YAMLConfigPath: "",
+                        ExpectedError:  nil,
+                },
+                {
+                        Name:           `empty string YAMLConfigPath and TLS client`,
+                        YAMLConfigPath: "",
+                        UseTLSClient:   true,
+                        ExpectedError:  ErrorMap["HTTP Response to HTTPS"],
+                },
+                {
+                        Name:           `valid tls config yml and default client`,
+                        YAMLConfigPath: "testdata/tls_config_noAuth.good.yml",
+                        ExpectedError:  ErrorMap["HTTP Request to HTTPS server"],
+                },
+                {
+                        Name:           `valid tls config yml and tls client`,
+                        YAMLConfigPath: "testdata/tls_config_noAuth.good.yml",
+                        UseTLSClient:   true,
+                        ExpectedError:  nil,
+                },
+        }
+        for _, testInputs := range testTables {
+                t.Run(testInputs.Name, testInputs.Test)
+        }
+}
+
+func TestConfigReloading(t *testing.T) {
+        errorChannel := make(chan error, 1)
+        var once sync.Once
+        recordConnectionError := func(err error) {
+                once.Do(func() {
+                        errorChannel <- err
+                })
+        }
+        defer func() {
+                if recover() != nil {
+                        recordConnectionError(errors.New("Panic in test function"))
+                }
+        }()
+
+        goodYAMLPath := "testdata/tls_config_noAuth.good.yml"
+        badYAMLPath := "testdata/tls_config_noAuth.good.blocking.yml"
+
+        server := &http.Server{
+                Addr: port,
+                Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+                        w.Write([]byte("Hello World!"))
+                }),
+        }
+        defer func() {
+                server.Close()
+        }()
+
+        go func() {
+                defer func() {
+                        if recover() != nil {
+                                recordConnectionError(errors.New("Panic starting server"))
+                        }
+                }()
+                err := Listen(server, badYAMLPath)
+                recordConnectionError(err)
+        }()
+
+        client := getTLSClient()
+
+        TestClientConnection := func() error {
+                time.Sleep(250 * time.Millisecond)
+                r, err := client.Get("https://localhost" + port)
+                if err != nil {
+                        return (err)
+                }
+                body, err := ioutil.ReadAll(r.Body)
+                if err != nil {
+                        return (err)
+                }
+                if string(body) != "Hello World!" {
+                        return (errors.New(string(body)))
+                }
+                return (nil)
+        }
+
+        err := TestClientConnection()
+        if err == nil {
+                recordConnectionError(errors.New("Connection accepted but should have failed."))
+        } else {
+                swapFileContents(goodYAMLPath, badYAMLPath)
+                defer swapFileContents(goodYAMLPath, badYAMLPath)
+                err = TestClientConnection()
+                if err != nil {
+                        recordConnectionError(errors.New("Connection failed but should have been accepted."))
+                } else {
+
+                        recordConnectionError(nil)
+                }
+        }
+
+        err = <-errorChannel
+        if err != nil {
+                t.Errorf(" *** Failed test: %s *** Returned error: %v", "TestConfigReloading", err)
+        }
+}
+
+func (test *TestInputs) Test(t *testing.T) {
+        errorChannel := make(chan error, 1)
+        var once sync.Once
+        recordConnectionError := func(err error) {
+                once.Do(func() {
+                        errorChannel <- err
+                })
+        }
+        defer func() {
+                if recover() != nil {
+                        recordConnectionError(errors.New("Panic in test function"))
+                }
+        }()
+
+        var server *http.Server
+        if test.UseNilServer {
+                server = nil
+        } else {
+                server = &http.Server{
+                        Addr: port,
+                        Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+                                w.Write([]byte("Hello World!"))
+                        }),
+                }
+                defer func() {
+                        server.Close()
+                }()
+        }
+        go func() {
+                defer func() {
+                        if recover() != nil {
+                                recordConnectionError(errors.New("Panic starting server"))
+                        }
+                }()
+                err := Listen(server, test.YAMLConfigPath)
+                recordConnectionError(err)
+        }()
+
+        var ClientConnection func() (*http.Response, error)
+        if test.UseTLSClient {
+                ClientConnection = func() (*http.Response, error) {
+                        client := getTLSClient()
+                        return client.Get("https://localhost" + port)
+                }
+        } else {
+                ClientConnection = func() (*http.Response, error) {
+                        client := http.DefaultClient
+                        return client.Get("http://localhost" + port)
+                }
+        }
+        go func() {
+                time.Sleep(250 * time.Millisecond)
+                r, err := ClientConnection()
+                if err != nil {
+                        recordConnectionError(err)
+                        return
+                }
+                body, err := ioutil.ReadAll(r.Body)
+                if err != nil {
+                        recordConnectionError(err)
+                        return
+                }
+                if string(body) != "Hello World!" {
+                        recordConnectionError(errors.New(string(body)))
+                        return
+                }
+                recordConnectionError(nil)
+        }()
+        err := <-errorChannel
+        if test.isCorrectError(err) == false {
+                if test.ExpectedError == nil {
+                        t.Logf("Expected no error, got error: %v", err)
+                } else {
+                        t.Logf("Expected error matching regular expression: %v", test.ExpectedError)
+                        t.Logf("Got: %v", err)
+                }
+                t.Fail()
+        }
+}
+
+func (test *TestInputs) isCorrectError(returnedError error) bool {
+        switch {
+        case returnedError == nil && test.ExpectedError == nil:
+        case returnedError != nil && test.ExpectedError != nil && test.ExpectedError.MatchString(returnedError.Error()):
+        default:
+                return false
+        }
+        return true
+}
+
+func getTLSClient() *http.Client {
+        cert, err := ioutil.ReadFile("testdata/tls-ca-chain.pem")
+        if err != nil {
+                panic("Unable to start TLS client. Check cert path")
+        }
+        client := &http.Client{
+                Transport: &http.Transport{
+                        TLSClientConfig: &tls.Config{
+                                RootCAs: func() *x509.CertPool {
+                                        caCertPool := x509.NewCertPool()
+                                        caCertPool.AppendCertsFromPEM(cert)
+                                        return caCertPool
+                                }(),
+                        },
+                },
+        }
+        return client
+}
+
+func swapFileContents(file1, file2 string) error {
+        content1, err := ioutil.ReadFile(file1)
+        if err != nil {
+                return err
+        }
+        content2, err := ioutil.ReadFile(file2)
+        if err != nil {
+                return err
+        }
+        err = ioutil.WriteFile(file1, content2, 0644)
+        if err != nil {
+                return err
+        }
+        err = ioutil.WriteFile(file2, content1, 0644)
+        if err != nil {
+                return err
+        }
+        return nil
+}
diff --git a/https/web-config.yml b/https/web-config.yml
new file mode 100644
index 0000000..0f439da
--- /dev/null
+++ b/https/web-config.yml
@@ -0,0 +1,10 @@
+tlsConfig :
+  # Certificate and key files for server to use to authenticate to client
+  tlsCertPath : <filename>
+  tlsKeyPath : <filename>
+
+  # Server policy for client authentication. Maps to ClientAuth Policies
+  [ clientAuth : <string> ]
+
+  # CA certificate for client certificate authentication to the server
+  [ clientCAs : <filename> ]