authorAlan Pearce2024-06-26 23:10:51 +0200
committerAlan Pearce2024-06-26 23:10:51 +0200
commitd5b95136d5f162645a6bfaa76833cbf5520f7e45 (patch)
tree41ceb9a1011418a77d6f9472e0fafe84c3eb27ff /internal/server/tls.go
parent98e63f34bd0ffa9087f7e2640d60d6d1c30ecc13 (diff)
enable TLS for local development (using caddy as acme server)
Diffstat (limited to 'internal/server/tls.go')
-rw-r--r--internal/server/tls.go66
1 files changed, 48 insertions, 18 deletions
diff --git a/internal/server/tls.go b/internal/server/tls.go
index 370134c..84dae74 100644
--- a/internal/server/tls.go
+++ b/internal/server/tls.go
@@ -2,6 +2,8 @@ package server
 
 import (
 	"context"
+	"crypto/x509"
+	"website/internal/log"
 
 	"github.com/ardanlabs/conf/v3"
 	"github.com/caddyserver/caddy/v2"
@@ -19,25 +21,45 @@ type redisConfig struct {
 }
 
 func (s *Server) serveTLS() (err error) {
-	rc := &redisConfig{}
-	_, err = conf.Parse("REDIS", rc)
-	if err != nil {
-		return errors.Wrap(err, "could not parse redis config")
-	}
+	if s.runtimeConfig.Development {
+		ca := s.runtimeConfig.ACMECACert
+		if ca == "" {
+			return errors.New("Need ACME_CA_CERT to enable TLS in development")
+		}
+
+		cp := x509.NewCertPool()
+		cp.AppendCertsFromPEM([]byte(ca))
+
+		cfg := certmagic.NewDefault()
+		issuer := certmagic.NewACMEIssuer(cfg, certmagic.ACMEIssuer{
+			CA:                      "https://localhost/acme/local/directory",
+			TrustedRoots:            cp,
+			DisableTLSALPNChallenge: true,
+			AltHTTPPort:             s.runtimeConfig.Port,
+		})
 
-	rs := certmagic_redis.New()
-	rs.Address = []string{rc.Address}
-	rs.Username = rc.Username
-	rs.Password = rc.Password
-	rs.EncryptionKey = rc.EncryptionKey
-	rs.KeyPrefix = rc.KeyPrefix
-
-	certmagic.Default.Storage = rs
-	err = rs.Provision(caddy.Context{
-		Context: context.Background(),
-	})
-	if err != nil {
-		return errors.Wrap(err, "could not provision redis storage")
+		certmagic.DefaultACME = *issuer
+	} else {
+		rc := &redisConfig{}
+		_, err = conf.Parse("REDIS", rc)
+		if err != nil {
+			return errors.Wrap(err, "could not parse redis config")
+		}
+
+		rs := certmagic_redis.New()
+		rs.Address = []string{rc.Address}
+		rs.Username = rc.Username
+		rs.Password = rc.Password
+		rs.EncryptionKey = rc.EncryptionKey
+		rs.KeyPrefix = rc.KeyPrefix
+
+		certmagic.Default.Storage = rs
+		err = rs.Provision(caddy.Context{
+			Context: context.Background(),
+		})
+		if err != nil {
+			return errors.Wrap(err, "could not provision redis storage")
+		}
 	}
 
 	certmagic.DefaultACME.Agreed = true
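Review bot: The boolean returned by `cp.AppendCertsFromPEM([]byte(ca))` is discarded, so a malformed or non-PEM ACME_CA_CERT leaves `TrustedRoots` pointing at an empty pool, and the first request to the local ACME directory would then most likely fail with an opaque certificate-verification error rather than a clear configuration error at startup. Check the result right after the call: `if !cp.AppendCertsFromPEM([]byte(ca)) { return errors.New("ACME_CA_CERT contains no valid PEM certificates") }`. As a point of style, the new `errors.New("Need ACME_CA_CERT ...")` message starts with a capital letter while the wrapped messages in the same function are lowercase. serveTLS's body continues past the end of this hunk.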
@@ -46,5 +68,13 @@ func (s *Server) serveTLS() (err error) {
 	certmagic.HTTPPort = s.runtimeConfig.Port
 	certmagic.HTTPSPort = s.runtimeConfig.TLSPort
 
+	log.Debug(
+		"starting certmagic",
+		"http_port",
+		certmagic.HTTPPort,
+		"https_port",
+		certmagic.HTTPSPort,
+	)
+
 	return certmagic.HTTPS(s.config.Domains, s.Server.Handler)
 }