diff options
Diffstat (limited to 'internal/server/tls.go')
-rw-r--r-- | internal/server/tls.go | 75 |
1 files changed, 64 insertions, 11 deletions
diff --git a/internal/server/tls.go b/internal/server/tls.go index cd2bfb8..4d52b8d 100644 --- a/internal/server/tls.go +++ b/internal/server/tls.go @@ -7,11 +7,12 @@ import ( "net/http" "strconv" - "go.alanpearce.eu/website/internal/listenfd" + "go.alanpearce.eu/x/listenfd" "github.com/ardanlabs/conf/v3" "github.com/caddyserver/caddy/v2" "github.com/caddyserver/certmagic" + "github.com/libdns/acmedns" certmagic_redis "github.com/pberkel/caddy-storage-redis" "gitlab.com/tozd/go/errors" ) @@ -24,8 +25,14 @@ type redisConfig struct { KeyPrefix string `conf:"default:certmagic"` } +type acmeConfig struct { + Username string `conf:"required"` + Password string `conf:"required"` + Subdomain string `conf:"required"` + ServerURL string `conf:"env:SERVER_URL,default:https://acme.alanpearce.eu"` +} + func (s *Server) serveTLS() (err error) { - var issuer *certmagic.ACMEIssuer log := s.log.Named("tls") // setting cfg.Logger is too late somehow @@ -33,9 +40,7 @@ func (s *Server) serveTLS() (err error) { cfg := certmagic.NewDefault() cfg.DefaultServerName = s.config.Domains[0] - issuer = &certmagic.DefaultACME - certmagic.DefaultACME.Agreed = true - certmagic.DefaultACME.Email = s.config.Email + var issuer *certmagic.ACMEIssuer if s.runtimeConfig.Development { ca := s.runtimeConfig.ACMECA @@ -63,8 +68,8 @@ func (s *Server) serveTLS() (err error) { ListenHost: s.runtimeConfig.ListenAddress, AltHTTPPort: s.runtimeConfig.Port, AltTLSALPNPort: s.runtimeConfig.TLSPort, + Logger: certmagic.Default.Logger, }) - cfg.Issuers[0] = issuer } else { rc := &redisConfig{} _, err = conf.Parse("REDIS", rc) @@ -72,6 +77,27 @@ func (s *Server) serveTLS() (err error) { return errors.Wrap(err, "could not parse redis config") } + acme := &acmedns.Provider{} + _, err = conf.Parse("ACME", acme) + if err != nil { + return errors.Wrap(err, "could not parse ACME config") + } + + issuer = certmagic.NewACMEIssuer(cfg, certmagic.ACMEIssuer{ + CA: certmagic.LetsEncryptProductionCA, + Email: s.config.Email, + Agreed: true, + Logger: certmagic.Default.Logger, + DNS01Solver: &certmagic.DNS01Solver{ + DNSManager: certmagic.DNSManager{ + DNSProvider: acme, + Logger: certmagic.Default.Logger, + }, + }, + }) + + log.Info("acme", "username", acme.Username, "subdomain", acme.Subdomain, "server_url", acme.ServerURL) + rs := certmagic_redis.New() rs.Address = []string{rc.Address} rs.Username = rc.Username @@ -87,6 +113,7 @@ func (s *Server) serveTLS() (err error) { return errors.Wrap(err, "could not provision redis storage") } } + cfg.Issuers[0] = issuer ln, err := listenfd.GetListener( 1, @@ -97,12 +124,38 @@ func (s *Server) serveTLS() (err error) { return errors.Wrap(err, "could not bind plain socket") } - go func(ln net.Listener) { - s.redirectServer.Handler = issuer.HTTPChallengeHandler(s.redirectServer.Handler) - if err := s.redirectServer.Serve(ln); err != nil && !errors.Is(err, http.ErrServerClosed) { + go func(ln net.Listener, srv *http.Server) { + httpMux := http.NewServeMux() + httpMux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { + if certmagic.LooksLikeHTTPChallenge(r) && issuer.HandleHTTPChallenge(w, r) { + return + } + url := r.URL + url.Scheme = "https" + port := s.config.BaseURL.Port() + if port == "" { + url.Host = r.Host + } else { + host, _, err := net.SplitHostPort(r.Host) + if err != nil { + log.Warn("error splitting host and port", "error", err) + host = r.Host + } + url.Host = net.JoinHostPort(host, s.config.BaseURL.Port()) + } + http.Redirect(w, r, url.String(), http.StatusMovedPermanently) + }) + srv.Handler = httpMux + + if err := srv.Serve(ln); err != nil && !errors.Is(err, http.ErrServerClosed) { log.Error("error in http handler", "error", err) } - }(ln) + }(ln, &http.Server{ + ReadHeaderTimeout: s.ReadHeaderTimeout, + ReadTimeout: s.ReadTimeout, + WriteTimeout: s.WriteTimeout, + IdleTimeout: s.IdleTimeout, + }) log.Debug( "starting certmagic", @@ -111,7 +164,7 @@ func (s *Server) serveTLS() (err error) { "https_port", s.runtimeConfig.TLSPort, ) - err = cfg.ManageSync(context.TODO(), s.config.Domains) + err = cfg.ManageAsync(context.TODO(), s.config.Domains) if err != nil { return errors.Wrap(err, "could not enable TLS") } |