internal/server/tls.go (view raw)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 | package server
import (
"context"
"crypto/x509"
"net"
"net/http"
"strconv"
"website/internal/listenfd"
"website/internal/log"
"github.com/ardanlabs/conf/v3"
"github.com/caddyserver/caddy/v2"
"github.com/caddyserver/certmagic"
certmagic_redis "github.com/pberkel/caddy-storage-redis"
"github.com/pkg/errors"
)
type redisConfig struct {
Address string `conf:"required"`
Username string `conf:"default:default"`
Password string `conf:"required"`
EncryptionKey string `conf:"required"`
KeyPrefix string `conf:"default:certmagic"`
}
func (s *Server) serveTLS() (err error) {
var issuer *certmagic.ACMEIssuer
cfg := certmagic.NewDefault()
cfg.DefaultServerName = s.config.Domains[0]
issuer = &certmagic.DefaultACME
certmagic.DefaultACME.Agreed = true
certmagic.DefaultACME.Email = s.config.Email
ln, err := listenfd.GetListener(
1,
net.JoinHostPort(s.runtimeConfig.ListenAddress, strconv.Itoa(s.runtimeConfig.Port)),
)
if err != nil {
return errors.Wrap(err, "could not bind plain socket")
}
go func(ln net.Listener) {
redirecter := http.NewServeMux()
redirecter.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
if certmagic.LooksLikeHTTPChallenge(r) {
issuer.HandleHTTPChallenge(w, r)
} else {
s.redirectHandler(w, r)
}
})
err := http.Serve(ln, redirecter)
if err != nil && !errors.Is(err, http.ErrServerClosed) {
log.Error("error in http handler", "error", err)
}
}(ln)
if s.runtimeConfig.Development {
ca := s.runtimeConfig.ACMECA
if ca == "" {
return errors.New("can't enable tls in development without an ACME_CA")
}
cp, err := x509.SystemCertPool()
if err != nil {
log.Warn("could not get system certificate pool", "error", err)
cp = x509.NewCertPool()
}
if cacert := s.runtimeConfig.ACMECACert; cacert != "" {
cp.AppendCertsFromPEM([]byte(cacert))
}
// caddy's ACME server (step-ca) doesn't specify an OCSP server
cfg.OCSP.DisableStapling = true
listenAddress := s.runtimeConfig.ListenAddress
if listenAddress[0] == '[' {
listenAddress = listenAddress[1 : len(listenAddress)-1]
}
issuer = certmagic.NewACMEIssuer(cfg, certmagic.ACMEIssuer{
CA: s.runtimeConfig.ACMECA,
TrustedRoots: cp,
DisableTLSALPNChallenge: true,
ListenHost: listenAddress,
AltHTTPPort: s.runtimeConfig.Port,
AltTLSALPNPort: s.runtimeConfig.TLSPort,
})
cfg.Issuers[0] = issuer
} else {
rc := &redisConfig{}
_, err = conf.Parse("REDIS", rc)
if err != nil {
return errors.Wrap(err, "could not parse redis config")
}
rs := certmagic_redis.New()
rs.Address = []string{rc.Address}
rs.Username = rc.Username
rs.Password = rc.Password
rs.EncryptionKey = rc.EncryptionKey
rs.KeyPrefix = rc.KeyPrefix
cfg.Storage = rs
err = rs.Provision(caddy.Context{
Context: context.Background(),
})
if err != nil {
return errors.Wrap(err, "could not provision redis storage")
}
}
log.Debug(
"starting certmagic",
"http_port",
s.runtimeConfig.Port,
"https_port",
s.runtimeConfig.TLSPort,
)
err = cfg.ManageSync(context.TODO(), s.config.Domains)
if err != nil {
return errors.Wrap(err, "could not enable TLS")
}
tlsConfig := cfg.TLSConfig()
tlsConfig.NextProtos = append([]string{"h2", "http/1.1"}, tlsConfig.NextProtos...)
sln, err := listenfd.GetListenerTLS(
0,
net.JoinHostPort(s.runtimeConfig.ListenAddress, strconv.Itoa(s.runtimeConfig.TLSPort)),
tlsConfig,
)
if err != nil {
return errors.Wrap(err, "could not bind tls socket")
}
return s.Serve(sln)
}
|