diff options
| author | Alan Pearce | 2024-06-26 23:10:51 +0200 |
|---|---|---|
| committer | Alan Pearce | 2024-06-26 23:10:51 +0200 |
| commit | d5b95136d5f162645a6bfaa76833cbf5520f7e45 (patch) | |
| tree | 41ceb9a1011418a77d6f9472e0fafe84c3eb27ff /internal/server/tls.go | |
| parent | 98e63f34bd0ffa9087f7e2640d60d6d1c30ecc13 (diff) | |
| download | website-d5b95136d5f162645a6bfaa76833cbf5520f7e45.tar.lz website-d5b95136d5f162645a6bfaa76833cbf5520f7e45.tar.zst website-d5b95136d5f162645a6bfaa76833cbf5520f7e45.zip | |
enable TLS for local development (using caddy as acme server)
Diffstat (limited to 'internal/server/tls.go')
| -rw-r--r-- | internal/server/tls.go | 66 |
1 files changed, 48 insertions, 18 deletions
diff --git a/internal/server/tls.go b/internal/server/tls.go index 370134c..84dae74 100644 --- a/internal/server/tls.go +++ b/internal/server/tls.go @@ -2,6 +2,8 @@ package server import ( "context" + "crypto/x509" + "website/internal/log" "github.com/ardanlabs/conf/v3" "github.com/caddyserver/caddy/v2" @@ -19,25 +21,45 @@ type redisConfig struct { } func (s *Server) serveTLS() (err error) { - rc := &redisConfig{} - _, err = conf.Parse("REDIS", rc) - if err != nil { - return errors.Wrap(err, "could not parse redis config") - } + if s.runtimeConfig.Development { + ca := s.runtimeConfig.ACMECACert + if ca == "" { + return errors.New("Need ACME_CA_CERT to enable TLS in development") + } + + cp := x509.NewCertPool() + cp.AppendCertsFromPEM([]byte(ca)) + + cfg := certmagic.NewDefault() + issuer := certmagic.NewACMEIssuer(cfg, certmagic.ACMEIssuer{ + CA: "https://localhost/acme/local/directory", + TrustedRoots: cp, + DisableTLSALPNChallenge: true, + AltHTTPPort: s.runtimeConfig.Port, + }) - rs := certmagic_redis.New() - rs.Address = []string{rc.Address} - rs.Username = rc.Username - rs.Password = rc.Password - rs.EncryptionKey = rc.EncryptionKey - rs.KeyPrefix = rc.KeyPrefix - - certmagic.Default.Storage = rs - err = rs.Provision(caddy.Context{ - Context: context.Background(), - }) - if err != nil { - return errors.Wrap(err, "could not provision redis storage") + certmagic.DefaultACME = *issuer + } else { + rc := &redisConfig{} + _, err = conf.Parse("REDIS", rc) + if err != nil { + return errors.Wrap(err, "could not parse redis config") + } + + rs := certmagic_redis.New() + rs.Address = []string{rc.Address} + rs.Username = rc.Username + rs.Password = rc.Password + rs.EncryptionKey = rc.EncryptionKey + rs.KeyPrefix = rc.KeyPrefix + + certmagic.Default.Storage = rs + err = rs.Provision(caddy.Context{ + Context: context.Background(), + }) + if err != nil { + return errors.Wrap(err, "could not provision redis storage") + } } certmagic.DefaultACME.Agreed = true @@ -46,5 +68,13 @@ func (s *Server) serveTLS() (err error) { certmagic.HTTPPort = s.runtimeConfig.Port certmagic.HTTPSPort = s.runtimeConfig.TLSPort + log.Debug( + "starting certmagic", + "http_port", + certmagic.HTTPPort, + "https_port", + certmagic.HTTPSPort, + ) + return certmagic.HTTPS(s.config.Domains, s.Server.Handler) } |