about summary refs log tree commit diff stats
path: root/internal/server
diff options
context:
space:
mode:
Diffstat (limited to 'internal/server')
-rw-r--r--internal/server/dev.go109
-rw-r--r--internal/server/logging.go42
-rw-r--r--internal/server/mime.go19
-rw-r--r--internal/server/server.go270
-rw-r--r--internal/server/tcp.go14
-rw-r--r--internal/server/tls.go191
6 files changed, 645 insertions, 0 deletions
diff --git a/internal/server/dev.go b/internal/server/dev.go
new file mode 100644
index 0000000..6fcc93e
--- /dev/null
+++ b/internal/server/dev.go
@@ -0,0 +1,109 @@
+package server
+
+import (
+	"fmt"
+	"io/fs"
+	"os"
+	"path"
+	"path/filepath"
+	"slices"
+	"time"
+
+	"go.alanpearce.eu/x/log"
+
+	"github.com/fsnotify/fsnotify"
+	"gitlab.com/tozd/go/errors"
+)
+
+type FileWatcher struct {
+	*fsnotify.Watcher
+}
+
+var (
+	l       *log.Logger
+	ignores = []string{
+		"*.templ",
+		"*.go",
+	}
+	checkSettleInterval = 200 * time.Millisecond
+)
+
+func matches(name string) func(string) bool {
+	return func(pattern string) bool {
+		matched, err := path.Match(pattern, name)
+		if err != nil {
+			l.Warn("error checking watcher ignores", "error", err)
+		}
+
+		return matched
+	}
+}
+
+func ignored(pathname string) bool {
+	return slices.ContainsFunc(ignores, matches(path.Base(pathname)))
+}
+
+func NewFileWatcher(log *log.Logger) (*FileWatcher, error) {
+	watcher, err := fsnotify.NewWatcher()
+	if err != nil {
+		return nil, errors.WithMessage(err, "could not create watcher")
+	}
+	l = log
+
+	return &FileWatcher{watcher}, nil
+}
+
+func (watcher FileWatcher) AddRecursive(from string) error {
+	l.Debug("walking directory tree", "root", from)
+	err := filepath.WalkDir(from, func(path string, entry fs.DirEntry, err error) error {
+		if err != nil {
+			return errors.WithMessagef(err, "could not walk directory %s", path)
+		}
+		if entry.IsDir() {
+			l.Debug("adding directory to watcher", "path", path)
+			if err = watcher.Add(path); err != nil {
+				return errors.WithMessagef(err, "could not add directory %s to watcher", path)
+			}
+		}
+
+		return nil
+	})
+
+	return errors.WithMessage(err, "error walking directory tree")
+}
+
+func (watcher FileWatcher) Start(callback func(string)) {
+	var timer *time.Timer
+	for {
+		select {
+		case event := <-watcher.Events:
+			if !ignored(event.Name) {
+				l.Debug("watcher event", "name", event.Name, "op", event.Op.String())
+				if event.Has(fsnotify.Create) || event.Has(fsnotify.Rename) {
+					f, err := os.Stat(event.Name)
+					if err != nil {
+						l.Error(
+							fmt.Sprintf("error handling %s event: %v", event.Op.String(), err),
+						)
+					} else if f.IsDir() {
+						err = watcher.Add(event.Name)
+						if err != nil {
+							l.Error(fmt.Sprintf("error adding new folder to watcher: %v", err))
+						}
+					}
+				}
+				if event.Has(fsnotify.Rename) || event.Has(fsnotify.Write) ||
+					event.Has(fsnotify.Create) || event.Has(fsnotify.Chmod) {
+					if timer == nil {
+						timer = time.AfterFunc(checkSettleInterval, func() {
+							callback(event.Name)
+						})
+					}
+					timer.Reset(checkSettleInterval)
+				}
+			}
+		case err := <-watcher.Errors:
+			l.Error("error in watcher", "error", err)
+		}
+	}
+}
diff --git a/internal/server/logging.go b/internal/server/logging.go
new file mode 100644
index 0000000..f744931
--- /dev/null
+++ b/internal/server/logging.go
@@ -0,0 +1,42 @@
+package server
+
+import (
+	"net/http"
+
+	"go.alanpearce.eu/x/log"
+)
+
+type LoggingResponseWriter struct {
+	http.ResponseWriter
+	statusCode int
+}
+
+func (lrw *LoggingResponseWriter) WriteHeader(code int) {
+	lrw.statusCode = code
+	// avoids warning: superfluous response.WriteHeader call
+	if lrw.statusCode != http.StatusOK {
+		lrw.ResponseWriter.WriteHeader(code)
+	}
+}
+
+func NewLoggingResponseWriter(w http.ResponseWriter) *LoggingResponseWriter {
+	return &LoggingResponseWriter{w, http.StatusOK}
+}
+
+func wrapHandlerWithLogging(wrappedHandler http.Handler, log *log.Logger) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		lw := NewLoggingResponseWriter(w)
+		wrappedHandler.ServeHTTP(lw, r)
+		if r.URL.Path == "/health" {
+			return
+		}
+		log.Info(
+			"http request",
+			"method", r.Method,
+			"status", lw.statusCode,
+			"host", r.Host,
+			"path", r.URL.Path,
+			"location", lw.Header().Get("Location"),
+		)
+	})
+}
diff --git a/internal/server/mime.go b/internal/server/mime.go
new file mode 100644
index 0000000..cb1b1cf
--- /dev/null
+++ b/internal/server/mime.go
@@ -0,0 +1,19 @@
+package server
+
+import (
+	"mime"
+
+	"go.alanpearce.eu/x/log"
+)
+
+var newMIMEs = map[string]string{
+	".xsl": "text/xsl",
+}
+
+func fixupMIMETypes(log *log.Logger) {
+	for ext, newType := range newMIMEs {
+		if err := mime.AddExtensionType(ext, newType); err != nil {
+			log.Error("could not update mime type", "ext", ext, "mime", newType)
+		}
+	}
+}
diff --git a/internal/server/server.go b/internal/server/server.go
new file mode 100644
index 0000000..269ed9e
--- /dev/null
+++ b/internal/server/server.go
@@ -0,0 +1,270 @@
+package server
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"net/http"
+	"net/url"
+	"os"
+	"path/filepath"
+	"regexp"
+	"slices"
+	"strconv"
+	"strings"
+	"time"
+
+	"go.alanpearce.eu/website/internal/builder"
+	cfg "go.alanpearce.eu/website/internal/config"
+	"go.alanpearce.eu/website/internal/vcs"
+	"go.alanpearce.eu/website/internal/website"
+	"go.alanpearce.eu/x/log"
+
+	"github.com/ardanlabs/conf/v3"
+	"github.com/osdevisnot/sorvor/pkg/livereload"
+	"gitlab.com/tozd/go/errors"
+)
+
+var (
+	CommitSHA    = "local"
+	ShortSHA     = "local"
+	serverHeader = fmt.Sprintf("website (%s)", ShortSHA)
+)
+
+type Config struct {
+	Root          string `conf:"default:public"`
+	Redirect      bool   `conf:"default:true"`
+	ListenAddress string `conf:"default:localhost"`
+	Port          int    `conf:"default:8080,short:p"`
+	TLSPort       int    `conf:"default:8443"`
+	TLS           bool   `conf:"default:false"`
+
+	Development bool   `conf:"default:false,flag:dev"`
+	ACMECA      string `conf:"env:ACME_CA"`
+	ACMECACert  string `conf:"env:ACME_CA_CERT"`
+	Domains     string
+}
+
+type Server struct {
+	*http.Server
+	runtimeConfig *Config
+	config        *cfg.Config
+	log           *log.Logger
+}
+
+func applyDevModeOverrides(config *cfg.Config, runtimeConfig *Config) {
+	config.CSP.ScriptSrc = slices.Insert(config.CSP.ScriptSrc, 0, "'unsafe-inline'")
+	config.CSP.ConnectSrc = slices.Insert(config.CSP.ConnectSrc, 0, "'self'")
+	if runtimeConfig.Domains != "" {
+		config.Domains = strings.Split(runtimeConfig.Domains, ",")
+	} else {
+		config.Domains = []string{runtimeConfig.ListenAddress}
+	}
+	scheme := "http"
+	port := runtimeConfig.Port
+	if runtimeConfig.TLS {
+		scheme = "https"
+		port = runtimeConfig.TLSPort
+	}
+	config.BaseURL = cfg.URL{
+		URL: &url.URL{
+			Scheme: scheme,
+			Host:   net.JoinHostPort(config.Domains[0], strconv.Itoa(port)),
+		},
+	}
+}
+
+func updateCSPHashes(config *cfg.Config, r *builder.Result) {
+	for i, h := range r.Hashes {
+		config.CSP.StyleSrc[i] = fmt.Sprintf("'%s'", h)
+	}
+}
+
+func serverHeaderHandler(wrappedHandler http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Server", serverHeader)
+		wrappedHandler.ServeHTTP(w, r)
+	})
+}
+
+func rebuild(builderConfig *builder.IOConfig, config *cfg.Config, log *log.Logger) error {
+	r, err := builder.BuildSite(builderConfig, config, log.Named("builder"))
+	if err != nil {
+		return errors.WithMessage(err, "could not build site")
+	}
+	updateCSPHashes(config, r)
+
+	return nil
+}
+
+func New(runtimeConfig *Config, log *log.Logger) (*Server, error) {
+	builderConfig := &builder.IOConfig{
+		Destination: runtimeConfig.Root,
+		Development: runtimeConfig.Development,
+	}
+
+	if !runtimeConfig.Development {
+		vcsConfig := &vcs.Config{}
+		_, err := conf.Parse("VCS", vcsConfig)
+		if err != nil {
+			return nil, err
+		}
+		if vcsConfig.LocalPath != "" {
+			_, err = vcs.CloneOrUpdate(vcsConfig, log.Named("vcs"))
+			if err != nil {
+				return nil, err
+			}
+			err = os.Chdir(runtimeConfig.Root)
+			if err != nil {
+				return nil, err
+			}
+
+			builderConfig.Source = vcsConfig.LocalPath
+
+			publicDir := filepath.Join(runtimeConfig.Root, "public")
+			builderConfig.Destination = publicDir
+			runtimeConfig.Root = publicDir
+		} else {
+			log.Warn("in production mode without VCS configuration")
+		}
+	}
+
+	config, err := cfg.GetConfig(builderConfig.Source, log.Named("config"))
+	if err != nil {
+		return nil, errors.WithMessage(err, "error parsing configuration file")
+	}
+	if runtimeConfig.Development {
+		applyDevModeOverrides(config, runtimeConfig)
+	}
+
+	top := http.NewServeMux()
+
+	err = rebuild(builderConfig, config, log)
+	if err != nil {
+		return nil, err
+	}
+
+	fixupMIMETypes(log)
+
+	if runtimeConfig.Development {
+		liveReload := livereload.New()
+		top.Handle("/_/reload", liveReload)
+		liveReload.Start()
+		fw, err := NewFileWatcher(log.Named("watcher"))
+		if err != nil {
+			return nil, errors.WithMessage(err, "could not create file watcher")
+		}
+		for _, dir := range []string{"content", "static", "templates", "internal/builder"} {
+			err := fw.AddRecursive(dir)
+			if err != nil {
+				return nil, errors.WithMessagef(
+					err,
+					"could not add directory %s to file watcher",
+					dir,
+				)
+			}
+		}
+		err = fw.Add(".")
+		if err != nil {
+			return nil, errors.WithMessage(err, "could not add directory to file watcher")
+		}
+		go fw.Start(func(filename string) {
+			log.Info("rebuilding site", "changed_file", filename)
+			err := rebuild(builderConfig, config, log)
+			if err != nil {
+				log.Error("error rebuilding site", "error", err)
+			}
+		})
+	}
+
+	loggingMux := http.NewServeMux()
+	mux, err := website.NewMux(config, runtimeConfig.Root, log.Named("website"))
+	if err != nil {
+		return nil, errors.Wrap(err, "could not create website mux")
+	}
+
+	if runtimeConfig.Redirect {
+		re := regexp.MustCompile(
+			"^(.*)\\." + strings.ReplaceAll(config.WildcardDomain, ".", `\.`) + "$",
+		)
+		replace := "${1}." + config.Domains[0]
+		loggingMux.Handle(config.BaseURL.Hostname()+"/", mux)
+		loggingMux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+			if slices.Contains(config.Domains, r.Host) {
+				path, _ := website.CanonicalisePath(r.URL.Path)
+				newURL := config.BaseURL.JoinPath(path)
+				http.Redirect(w, r, newURL.String(), http.StatusMovedPermanently)
+			} else {
+				url := config.BaseURL
+				url.Host = re.ReplaceAllString(r.Host, replace)
+				http.Redirect(w, r, url.String(), http.StatusTemporaryRedirect)
+			}
+		})
+	} else {
+		loggingMux.Handle("/", mux)
+	}
+
+	if runtimeConfig.Development {
+		top.Handle("/",
+			serverHeaderHandler(
+				wrapHandlerWithLogging(loggingMux, log),
+			),
+		)
+	} else {
+		top.Handle("/", serverHeaderHandler(loggingMux))
+	}
+
+	top.HandleFunc("/health", func(w http.ResponseWriter, _ *http.Request) {
+		w.WriteHeader(http.StatusNoContent)
+	})
+
+	return &Server{
+		Server: &http.Server{
+			ReadHeaderTimeout: 10 * time.Second,
+			ReadTimeout:       1 * time.Minute,
+			WriteTimeout:      2 * time.Minute,
+			IdleTimeout:       10 * time.Minute,
+			Handler:           top,
+		},
+		log:           log,
+		config:        config,
+		runtimeConfig: runtimeConfig,
+	}, nil
+}
+
+func (s *Server) serve(tls bool) error {
+	if tls {
+		return s.serveTLS()
+	}
+
+	return s.serveTCP()
+}
+
+func (s *Server) Start() error {
+	if err := s.serve(s.runtimeConfig.TLS); err != http.ErrServerClosed {
+		return errors.Wrap(err, "error creating/closing server")
+	}
+
+	return nil
+}
+
+func (s *Server) Stop() chan struct{} {
+	s.log.Debug("stop called")
+
+	idleConnsClosed := make(chan struct{})
+
+	go func() {
+		s.log.Debug("shutting down server")
+		ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+		defer cancel()
+		err := s.Server.Shutdown(ctx)
+		s.log.Debug("server shut down")
+		if err != nil {
+			// Error from closing listeners, or context timeout:
+			s.log.Warn("HTTP server Shutdown", "error", err)
+		}
+		close(idleConnsClosed)
+	}()
+
+	return idleConnsClosed
+}
diff --git a/internal/server/tcp.go b/internal/server/tcp.go
new file mode 100644
index 0000000..1627854
--- /dev/null
+++ b/internal/server/tcp.go
@@ -0,0 +1,14 @@
+package server
+
+import (
+	"go.alanpearce.eu/x/listenfd"
+)
+
+func (s *Server) serveTCP() error {
+	l, err := listenfd.GetListener(0, s.Addr, s.log.Named("tcp.listenfd"))
+	if err != nil {
+		return err
+	}
+
+	return s.Serve(l)
+}
diff --git a/internal/server/tls.go b/internal/server/tls.go
new file mode 100644
index 0000000..9f22a5e
--- /dev/null
+++ b/internal/server/tls.go
@@ -0,0 +1,191 @@
+package server
+
+import (
+	"context"
+	"crypto/x509"
+	"net"
+	"net/http"
+	"slices"
+	"strconv"
+
+	"go.alanpearce.eu/x/listenfd"
+
+	"github.com/ardanlabs/conf/v3"
+	"github.com/caddyserver/caddy/v2"
+	"github.com/caddyserver/certmagic"
+	"github.com/libdns/acmedns"
+	certmagic_redis "github.com/pberkel/caddy-storage-redis"
+	"gitlab.com/tozd/go/errors"
+)
+
+type redisConfig struct {
+	Address       string `conf:"required"`
+	Username      string `conf:"default:default"`
+	Password      string `conf:"required"`
+	EncryptionKey string `conf:"required"`
+	KeyPrefix     string `conf:"default:certmagic"`
+}
+
+type acmeConfig struct {
+	Username  string `conf:"required"`
+	Password  string `conf:"required"`
+	Subdomain string `conf:"required"`
+	ServerURL string `conf:"env:SERVER_URL,default:https://acme.alanpearce.eu"`
+}
+
+func (s *Server) serveTLS() (err error) {
+	log := s.log.Named("tls")
+
+	wildcardDomain := "*." + s.config.WildcardDomain
+	certificateDomains := slices.Clone(s.config.Domains)
+
+	// setting cfg.Logger is too late somehow
+	certmagic.Default.Logger = log.GetLogger().Named("certmagic")
+	cfg := certmagic.NewDefault()
+	cfg.DefaultServerName = s.config.Domains[0]
+
+	var issuer *certmagic.ACMEIssuer
+
+	if s.runtimeConfig.Development {
+		ca := s.runtimeConfig.ACMECA
+		if ca == "" {
+			return errors.New("can't enable tls in development without an ACME_CA")
+		}
+
+		cp, err := x509.SystemCertPool()
+		if err != nil {
+			log.Warn("could not get system certificate pool", "error", err)
+			cp = x509.NewCertPool()
+		}
+
+		if cacert := s.runtimeConfig.ACMECACert; cacert != "" {
+			cp.AppendCertsFromPEM([]byte(cacert))
+		}
+
+		// caddy's ACME server (step-ca) doesn't specify an OCSP server
+		cfg.OCSP.DisableStapling = true
+
+		issuer = certmagic.NewACMEIssuer(cfg, certmagic.ACMEIssuer{
+			CA:                      s.runtimeConfig.ACMECA,
+			TrustedRoots:            cp,
+			DisableTLSALPNChallenge: true,
+			ListenHost:              s.runtimeConfig.ListenAddress,
+			AltHTTPPort:             s.runtimeConfig.Port,
+			AltTLSALPNPort:          s.runtimeConfig.TLSPort,
+			Logger:                  certmagic.Default.Logger,
+		})
+	} else {
+		rc := &redisConfig{}
+		_, err = conf.Parse("REDIS", rc)
+		if err != nil {
+			return errors.Wrap(err, "could not parse redis config")
+		}
+
+		acme := &acmedns.Provider{}
+		_, err = conf.Parse("ACME", acme)
+		if err != nil {
+			return errors.Wrap(err, "could not parse ACME config")
+		}
+
+		issuer = certmagic.NewACMEIssuer(cfg, certmagic.ACMEIssuer{
+			CA:     certmagic.LetsEncryptProductionCA,
+			Email:  s.config.Email,
+			Agreed: true,
+			Logger: certmagic.Default.Logger,
+			DNS01Solver: &certmagic.DNS01Solver{
+				DNSManager: certmagic.DNSManager{
+					DNSProvider: acme,
+					Logger:      certmagic.Default.Logger,
+				},
+			},
+		})
+
+		certificateDomains = append(slices.Clone(s.config.Domains), wildcardDomain)
+
+		log.Info("acme", "username", acme.Username, "subdomain", acme.Subdomain, "server_url", acme.ServerURL)
+
+		rs := certmagic_redis.New()
+		rs.Address = []string{rc.Address}
+		rs.Username = rc.Username
+		rs.Password = rc.Password
+		rs.EncryptionKey = rc.EncryptionKey
+		rs.KeyPrefix = rc.KeyPrefix
+
+		cfg.Storage = rs
+		err = rs.Provision(caddy.Context{
+			Context: context.Background(),
+		})
+		if err != nil {
+			return errors.Wrap(err, "could not provision redis storage")
+		}
+	}
+	cfg.Issuers[0] = issuer
+
+	ln, err := listenfd.GetListener(
+		1,
+		net.JoinHostPort(s.runtimeConfig.ListenAddress, strconv.Itoa(s.runtimeConfig.Port)),
+		log.Named("listenfd"),
+	)
+	if err != nil {
+		return errors.Wrap(err, "could not bind plain socket")
+	}
+
+	go func(ln net.Listener, srv *http.Server) {
+		httpMux := http.NewServeMux()
+		httpMux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+			if certmagic.LooksLikeHTTPChallenge(r) && issuer.HandleHTTPChallenge(w, r) {
+				return
+			}
+			url := r.URL
+			url.Scheme = "https"
+			port := s.config.BaseURL.Port()
+			if port == "" {
+				url.Host = r.Host
+			} else {
+				host, _, err := net.SplitHostPort(r.Host)
+				if err != nil {
+					log.Warn("error splitting host and port", "error", err)
+					host = r.Host
+				}
+				url.Host = net.JoinHostPort(host, s.config.BaseURL.Port())
+			}
+			http.Redirect(w, r, url.String(), http.StatusMovedPermanently)
+		})
+		srv.Handler = httpMux
+
+		if err := srv.Serve(ln); err != nil && !errors.Is(err, http.ErrServerClosed) {
+			log.Error("error in http handler", "error", err)
+		}
+	}(ln, &http.Server{
+		ReadHeaderTimeout: s.ReadHeaderTimeout,
+		ReadTimeout:       s.ReadTimeout,
+		WriteTimeout:      s.WriteTimeout,
+		IdleTimeout:       s.IdleTimeout,
+	})
+
+	log.Debug(
+		"starting certmagic",
+		"http_port",
+		s.runtimeConfig.Port,
+		"https_port",
+		s.runtimeConfig.TLSPort,
+	)
+	err = cfg.ManageAsync(context.TODO(), certificateDomains)
+	if err != nil {
+		return errors.Wrap(err, "could not enable TLS")
+	}
+	tlsConfig := cfg.TLSConfig()
+	tlsConfig.NextProtos = append([]string{"h2", "http/1.1"}, tlsConfig.NextProtos...)
+
+	sln, err := listenfd.GetListenerTLS(
+		0,
+		net.JoinHostPort(s.runtimeConfig.ListenAddress, strconv.Itoa(s.runtimeConfig.TLSPort)),
+		tlsConfig,
+		log.Named("listenfd"),
+	)
+	if err != nil {
+		return errors.Wrap(err, "could not bind tls socket")
+	}
+
+	return s.Serve(sln)
+}
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-11-01 02:33:48 +0000