Diffstat (limited to 'internal/server')
-rw-r--r-- | internal/server/dev.go | 24 | ||||
-rw-r--r-- | internal/server/logging.go | 11 | ||||
-rw-r--r-- | internal/server/mime.go | 9 | ||||
-rw-r--r-- | internal/server/server.go | 140 | ||||
-rw-r--r-- | internal/server/tcp.go | 19 | ||||
-rw-r--r-- | internal/server/tls.go | 148 |
6 files changed, 231 insertions, 120 deletions
diff --git a/internal/server/dev.go b/internal/server/dev.go
index aac869d..6fcc93e 100644
--- a/internal/server/dev.go
+++ b/internal/server/dev.go
@@ -3,16 +3,16 @@ package server
 import (
 "fmt"
 "io/fs"
- "log/slog"
 "os"
 "path"
 "path/filepath"
 "slices"
 "time"
- "website/internal/log"
+
+ "go.alanpearce.eu/x/log"
 "github.com/fsnotify/fsnotify"
- "github.com/pkg/errors"
+ "gitlab.com/tozd/go/errors"
 )
 type FileWatcher struct {
@@ -20,6 +20,7 @@ type FileWatcher struct {
 }
 var (
+ l *log.Logger
 ignores = []string{
 "*.templ",
 "*.go",
@@ -31,7 +32,7 @@ func matches(name string) func(string) bool {
 return func(pattern string) bool {
 matched, err := path.Match(pattern, name)
 if err != nil {
- log.Warn("error checking watcher ignores", "error", err)
+ l.Warn("error checking watcher ignores", "error", err)
 }
 return matched
@@ -42,23 +43,24 @@ func ignored(pathname string) bool {
 return slices.ContainsFunc(ignores, matches(path.Base(pathname)))
 }
-func NewFileWatcher() (*FileWatcher, error) {
+func NewFileWatcher(log *log.Logger) (*FileWatcher, error) {
 watcher, err := fsnotify.NewWatcher()
 if err != nil {
 return nil, errors.WithMessage(err, "could not create watcher")
 }
+ l = log
 return &FileWatcher{watcher}, nil
 }
 func (watcher FileWatcher) AddRecursive(from string) error {
- log.Debug("walking directory tree", "root", from)
+ l.Debug("walking directory tree", "root", from)
 err := filepath.WalkDir(from, func(path string, entry fs.DirEntry, err error) error {
 if err != nil {
 return errors.WithMessagef(err, "could not walk directory %s", path)
 }
 if entry.IsDir() {
- log.Debug("adding directory to watcher", "path", path)
+ l.Debug("adding directory to watcher", "path", path)
 if err = watcher.Add(path); err != nil {
 return errors.WithMessagef(err, "could not add directory %s to watcher", path)
 }
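Review bot: `l` is a package-level logger that is only assigned inside NewFileWatcher (`l = log`), so `matches` dereferences a nil pointer if anything calls `ignored` before NewFileWatcher has run, and a second NewFileWatcher call silently redirects the first watcher's logging; a logger field on FileWatcher, set from the new parameter and handed to `ignored`/`matches`, keeps the dependency explicit instead of mutable package state. The parameter name `log` also shadows the imported `log` package inside NewFileWatcher, which compiles but reads oddly beside `*log.Logger` in the same signature; `logger *log.Logger` avoids that. FileWatcher's definition and the remainder of AddRecursive lie outside this hunk.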
@@ -76,17 +78,17 @@ func (watcher FileWatcher) Start(callback func(string)) {
 select {
 case event := <-watcher.Events:
 if !ignored(event.Name) {
- log.Debug("watcher event", "name", event.Name, "op", event.Op.String())
+ l.Debug("watcher event", "name", event.Name, "op", event.Op.String())
 if event.Has(fsnotify.Create) || event.Has(fsnotify.Rename) {
 f, err := os.Stat(event.Name)
 if err != nil {
- slog.Error(
+ l.Error(
 fmt.Sprintf("error handling %s event: %v", event.Op.String(), err),
 )
 } else if f.IsDir() {
 err = watcher.Add(event.Name)
 if err != nil {
- slog.Error(fmt.Sprintf("error adding new folder to watcher: %v", err))
+ l.Error(fmt.Sprintf("error adding new folder to watcher: %v", err))
 }
 }
 }
@@ -101,7 +103,7 @@ func (watcher FileWatcher) Start(callback func(string)) {
 }
 }
 case err := <-watcher.Errors:
- slog.Error(fmt.Sprintf("error in watcher: %v", err))
+ l.Error("error in watcher", "error", err)
 }
 }
 }
diff --git a/internal/server/logging.go b/internal/server/logging.go
index 5d607bb..f744931 100644
--- a/internal/server/logging.go
+++ b/internal/server/logging.go
@@ -2,7 +2,8 @@ package server
 import (
 "net/http"
- "website/internal/log"
+
+ "go.alanpearce.eu/x/log"
 )
 type LoggingResponseWriter struct {
@@ -22,20 +23,18 @@ func NewLoggingResponseWriter(w http.ResponseWriter) *LoggingResponseWriter {
 return &LoggingResponseWriter{w, http.StatusOK}
 }
-func wrapHandlerWithLogging(wrappedHandler http.Handler) http.Handler {
+func wrapHandlerWithLogging(wrappedHandler http.Handler, log *log.Logger) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- host := r.Host
 lw := NewLoggingResponseWriter(w)
 wrappedHandler.ServeHTTP(lw, r)
 if r.URL.Path == "/health" {
 return
 }
- statusCode := lw.statusCode
 log.Info(
 "http request",
 "method", r.Method,
- "status", statusCode,
- "host", host,
+ "status", lw.statusCode,
+ "host", r.Host,
 "path", r.URL.Path,
 "location", lw.Header().Get("Location"),
 )
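Review bot: The two `l.Error(fmt.Sprintf(...))` calls in the Start hunk still bake the error into the message text, while the `watcher.Errors` case in the next hunk of the same file (and every other call site in this commit) passes it as a structured attribute, so half of the watcher's errors are not filterable by key. `l.Error("error handling event", "op", event.Op.String(), "error", err)` and `l.Error("error adding new folder to watcher", "error", err)` would match the rest of the file and drop the `fmt` dependency from these lines. Start's loop begins and ends outside the hunk.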
diff --git a/internal/server/mime.go b/internal/server/mime.go
index 696a0ad..cb1b1cf 100644
--- a/internal/server/mime.go
+++ b/internal/server/mime.go
@@ -2,21 +2,18 @@ package server
 import (
 "mime"
- "website/internal/log"
+
+ "go.alanpearce.eu/x/log"
 )
 var newMIMEs = map[string]string{
 ".xsl": "text/xsl",
 }
-func fixupMIMETypes() {
+func fixupMIMETypes(log *log.Logger) {
 for ext, newType := range newMIMEs {
 if err := mime.AddExtensionType(ext, newType); err != nil {
 log.Error("could not update mime type", "ext", ext, "mime", newType)
 }
 }
 }
-
-func init() {
- fixupMIMETypes()
-}
diff --git a/internal/server/server.go b/internal/server/server.go
index 3110ec0..b174c0c 100644
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -7,21 +7,21 @@ import (
 "net/http"
 "net/url"
 "os"
+ "path/filepath"
 "slices"
 "strconv"
+ "strings"
 "time"
- "website/internal/builder"
- cfg "website/internal/config"
- "website/internal/log"
- "website/internal/vcs"
- "website/internal/website"
+ "go.alanpearce.eu/website/internal/builder"
+ cfg "go.alanpearce.eu/website/internal/config"
+ "go.alanpearce.eu/website/internal/vcs"
+ "go.alanpearce.eu/website/internal/website"
+ "go.alanpearce.eu/x/log"
 "github.com/ardanlabs/conf/v3"
 "github.com/osdevisnot/sorvor/pkg/livereload"
- "github.com/pkg/errors"
- "golang.org/x/net/http2"
- "golang.org/x/net/http2/h2c"
+ "gitlab.com/tozd/go/errors"
 )
 var (
@@ -31,28 +31,44 @@ var (
 )
 type Config struct {
- Development bool `conf:"default:false,flag:dev"`
- Root string `conf:"default:website"`
+ Root string `conf:"default:public"`
 Redirect bool `conf:"default:true"`
 ListenAddress string `conf:"default:localhost"`
- Port int `conf:"default:3000,short:p"`
- TLSPort int `conf:"default:443"`
+ Port int `conf:"default:8080,short:p"`
+ TLSPort int `conf:"default:8443"`
 TLS bool `conf:"default:false"`
+
+ Development bool `conf:"default:false,flag:dev"`
+ ACMECA string `conf:"env:ACME_CA"`
+ ACMECACert string `conf:"env:ACME_CA_CERT"`
+ Domains string
 }
 type Server struct {
 *http.Server
 runtimeConfig *Config
 config *cfg.Config
+ log *log.Logger
 }
-func applyDevModeOverrides(config *cfg.Config, listenAddress string) {
+func applyDevModeOverrides(config *cfg.Config, runtimeConfig *Config) {
 config.CSP.ScriptSrc = slices.Insert(config.CSP.ScriptSrc, 0, "'unsafe-inline'")
 config.CSP.ConnectSrc = slices.Insert(config.CSP.ConnectSrc, 0, "'self'")
+ if runtimeConfig.Domains != "" {
+ config.Domains = strings.Split(runtimeConfig.Domains, ",")
+ } else {
+ config.Domains = []string{runtimeConfig.ListenAddress}
+ }
+ scheme := "http"
+ port := runtimeConfig.Port
+ if runtimeConfig.TLS {
+ scheme = "https"
+ port = runtimeConfig.TLSPort
+ }
 config.BaseURL = cfg.URL{
 URL: &url.URL{
- Scheme: "http",
- Host: listenAddress,
+ Scheme: scheme,
+ Host: net.JoinHostPort(config.Domains[0], strconv.Itoa(port)),
 },
 }
 }
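Review bot: `strings.Split(runtimeConfig.Domains, ",")` in applyDevModeOverrides keeps surrounding whitespace and yields empty entries for a leading or trailing comma, and `config.Domains[0]` then goes straight into the BaseURL host, so `"a.test, b.test"` produces a second domain of ` b.test` and `",a.test"` produces an empty host for `net.JoinHostPort`. Splitting with `config.Domains = strings.FieldsFunc(runtimeConfig.Domains, func(r rune) bool { return r == ',' || r == ' ' })` drops both problems in one line. This only affects development mode; where production `config.Domains` comes from is not visible in this diff.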
@@ -66,19 +82,13 @@ func updateCSPHashes(config *cfg.Config, r *builder.Result) {
 func serverHeaderHandler(wrappedHandler http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- if r.ProtoMajor >= 2 && r.Header.Get("Host") != "" {
- // net/http does this for HTTP/1.1, but not h2c
- // TODO: check with HTTP/2.0 (i.e. with TLS)
- r.Host = r.Header.Get("Host")
- r.Header.Del("Host")
- }
 w.Header().Set("Server", serverHeader)
 wrappedHandler.ServeHTTP(w, r)
 })
 }
-func rebuild(builderConfig builder.IOConfig, config *cfg.Config) error {
- r, err := builder.BuildSite(builderConfig)
+func rebuild(builderConfig *builder.IOConfig, config *cfg.Config, log *log.Logger) error {
+ r, err := builder.BuildSite(builderConfig, config, log.Named("builder"))
 if err != nil {
 return errors.WithMessage(err, "could not build site")
 }
@@ -87,51 +97,60 @@ func rebuild(builderConfig builder.IOConfig, config *cfg.Config) error {
 return nil
 }
-func New(runtimeConfig *Config) (*Server, error) {
+func New(runtimeConfig *Config, log *log.Logger) (*Server, error) {
+ builderConfig := &builder.IOConfig{
+ Destination: runtimeConfig.Root,
+ Development: runtimeConfig.Development,
+ }
+
 if !runtimeConfig.Development {
 vcsConfig := &vcs.Config{}
- _, err := conf.Parse("", vcsConfig)
- if err != nil {
- return nil, err
- }
- _, err = vcs.CloneOrUpdate(vcsConfig)
+ _, err := conf.Parse("VCS", vcsConfig)
 if err != nil {
 return nil, err
 }
- err = os.Chdir(vcsConfig.LocalPath)
- if err != nil {
- return nil, err
+ if vcsConfig.LocalPath != "" {
+ _, err = vcs.CloneOrUpdate(vcsConfig, log.Named("vcs"))
+ if err != nil {
+ return nil, err
+ }
+ err = os.Chdir(runtimeConfig.Root)
+ if err != nil {
+ return nil, err
+ }
+
+ builderConfig.Source = vcsConfig.LocalPath
+
+ publicDir := filepath.Join(runtimeConfig.Root, "public")
+ builderConfig.Destination = publicDir
+ runtimeConfig.Root = publicDir
+ } else {
+ log.Warn("in production mode without VCS configuration")
 }
- runtimeConfig.Root = "website"
 }
- config, err := cfg.GetConfig()
+ config, err := cfg.GetConfig(builderConfig.Source, log.Named("config"))
 if err != nil {
 return nil, errors.WithMessage(err, "error parsing configuration file")
 }
 if runtimeConfig.Development {
- applyDevModeOverrides(config, runtimeConfig.ListenAddress)
+ applyDevModeOverrides(config, runtimeConfig)
 }
- listenAddress := net.JoinHostPort(runtimeConfig.ListenAddress, strconv.Itoa(runtimeConfig.Port))
 top := http.NewServeMux()
- builderConfig := builder.IOConfig{
- Source: "content",
- Destination: runtimeConfig.Root,
- Development: runtimeConfig.Development,
- }
-
- err = rebuild(builderConfig, config)
+ err = rebuild(builderConfig, config, log)
 if err != nil {
 return nil, err
 }
+ fixupMIMETypes(log)
+
 if runtimeConfig.Development {
 liveReload := livereload.New()
 top.Handle("/_/reload", liveReload)
 liveReload.Start()
- fw, err := NewFileWatcher()
+ fw, err := NewFileWatcher(log.Named("watcher"))
 if err != nil {
 return nil, errors.WithMessage(err, "could not create file watcher")
 }
@@ -151,7 +170,7 @@ func New(runtimeConfig *Config) (*Server, error) {
 }
 go fw.Start(func(filename string) {
 log.Info("rebuilding site", "changed_file", filename)
- err := rebuild(builderConfig, config)
+ err := rebuild(builderConfig, config, log)
 if err != nil {
 log.Error("error rebuilding site", "error", err)
 }
@@ -159,7 +178,7 @@ func New(runtimeConfig *Config) (*Server, error) {
 }
 loggingMux := http.NewServeMux()
- mux, err := website.NewMux(config, runtimeConfig.Root)
+ mux, err := website.NewMux(config, runtimeConfig.Root, log.Named("website"))
 if err != nil {
 return nil, errors.Wrap(err, "could not create website mux")
 }
@@ -167,8 +186,9 @@ func New(runtimeConfig *Config) (*Server, error) {
 if runtimeConfig.Redirect {
 loggingMux.Handle(config.BaseURL.Hostname()+"/", mux)
 loggingMux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
- newURL := config.BaseURL.JoinPath(r.URL.String())
- http.Redirect(w, r, newURL.String(), 301)
+ path, _ := website.CanonicalisePath(r.URL.Path)
+ newURL := config.BaseURL.JoinPath(path)
+ http.Redirect(w, r, newURL.String(), http.StatusMovedPermanently)
 })
 } else {
 loggingMux.Handle("/", mux)
@@ -176,7 +196,7 @@ func New(runtimeConfig *Config) (*Server, error) {
 top.Handle("/", serverHeaderHandler(
- wrapHandlerWithLogging(loggingMux),
+ wrapHandlerWithLogging(loggingMux, log),
 ),
 )
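Review bot: In New's production branch `os.Chdir(runtimeConfig.Root)` runs before `filepath.Join(runtimeConfig.Root, "public")`, so when Root is relative (its conf default is now `public`) the resulting `publicDir` is resolved against the new working directory, i.e. `public/public` inside the directory just entered — presumably not the intent; computing the path first (`publicDir := filepath.Join(runtimeConfig.Root, "public")` above the Chdir, or using `filepath.Abs` once) removes the dependence on cwd. The result of `vcs.CloneOrUpdate` is also discarded with `_`; if nothing in it is needed, a short comment saying so would stop the next reader from wondering. The hunk starts at the end of rebuild and New continues past it.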
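Review bot: `path, _ := website.CanonicalisePath(r.URL.Path)` in the redirect handler discards the second result, so whatever it reports (an error or a not-found flag — its type is not visible here) is ignored and the client is redirected to whatever `path` came back, possibly an empty one; handling that value explicitly, e.g. `http.NotFound(w, r); return` on failure, keeps the canonical host from advertising paths it does not serve. The target is now built from `r.URL.Path` alone where the old code used `r.URL.String()`, so query strings no longer survive the redirect; if that is deliberate, a one-line comment on the `JoinPath` call would prevent it being "fixed" back.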
@@ -186,15 +206,13 @@ func New(runtimeConfig *Config) (*Server, error) {
 return &Server{
 Server: &http.Server{
- Addr: listenAddress,
- ReadHeaderTimeout: 1 * time.Minute,
- Handler: http.MaxBytesHandler(h2c.NewHandler(
- top,
- &http2.Server{
- IdleTimeout: 15 * time.Minute,
- },
- ), 0),
+ ReadHeaderTimeout: 10 * time.Second,
+ ReadTimeout: 1 * time.Minute,
+ WriteTimeout: 2 * time.Minute,
+ IdleTimeout: 10 * time.Minute,
+ Handler: top,
 },
+ log: log,
 config: config,
 runtimeConfig: runtimeConfig,
 }, nil
@@ -217,19 +235,19 @@ func (s *Server) Start() error {
 }
 func (s *Server) Stop() chan struct{} {
- log.Debug("stop called")
+ s.log.Debug("stop called")
 idleConnsClosed := make(chan struct{})
 go func() {
- log.Debug("shutting down server")
+ s.log.Debug("shutting down server")
 ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 defer cancel()
 err := s.Server.Shutdown(ctx)
- log.Debug("server shut down")
+ s.log.Debug("server shut down")
 if err != nil {
 // Error from closing listeners, or context timeout:
- log.Warn("HTTP server Shutdown", "error", err)
+ s.log.Warn("HTTP server Shutdown", "error", err)
 }
 close(idleConnsClosed)
 }()
diff --git a/internal/server/tcp.go b/internal/server/tcp.go
index 4dc3314..1627854 100644
--- a/internal/server/tcp.go
+++ b/internal/server/tcp.go
@@ -1,26 +1,13 @@
 package server
 import (
- "net"
-
- "website/internal/listenfd"
- "website/internal/log"
-
- "github.com/pkg/errors"
+ "go.alanpearce.eu/x/listenfd"
 )
 func (s *Server) serveTCP() error {
- l, err := listenfd.GetListener(0)
+ l, err := listenfd.GetListener(0, s.Addr, s.log.Named("tcp.listenfd"))
 if err != nil {
- log.Warn("could not create listener from listenfd", "error", err)
- }
-
- log.Debug("listener from listenfd?", "passed", l != nil)
- if l == nil {
- l, err = net.Listen("tcp", s.Addr)
- if err != nil {
- return errors.Wrap(err, "could not create listener")
- }
+ return err
 }
 return s.Serve(l)
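Review bot: `Addr: listenAddress` is dropped from the `http.Server` literal and `listenAddress` itself no longer exists in New, yet the tcp.go hunk in this same commit still hands `s.Addr` to `listenfd.GetListener`, so unless `Start` (between these hunks and not shown) now assigns `s.Addr`, the plain-TCP path asks the listener helper to bind an empty address. If Start does set it, a comment on the literal such as `// Addr is assigned by Start depending on TLS` would make that contract visible where the field used to be. The explicit Read/Write/Idle timeouts replacing the h2c wrapper are otherwise a clear improvement.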
diff --git a/internal/server/tls.go b/internal/server/tls.go
index 370134c..9481b6a 100644
--- a/internal/server/tls.go
+++ b/internal/server/tls.go
@@ -2,12 +2,18 @@ package server
 import (
 "context"
+ "crypto/x509"
+ "net"
+ "net/http"
+ "strconv"
+
+ "go.alanpearce.eu/x/listenfd"
 "github.com/ardanlabs/conf/v3"
 "github.com/caddyserver/caddy/v2"
 "github.com/caddyserver/certmagic"
 certmagic_redis "github.com/pberkel/caddy-storage-redis"
- "github.com/pkg/errors"
+ "gitlab.com/tozd/go/errors"
 )
 type redisConfig struct {
@@ -19,32 +25,134 @@ type redisConfig struct {
 }
 func (s *Server) serveTLS() (err error) {
- rc := &redisConfig{}
- _, err = conf.Parse("REDIS", rc)
+ log := s.log.Named("tls")
+
+ // setting cfg.Logger is too late somehow
+ certmagic.Default.Logger = log.GetLogger().Named("certmagic")
+ cfg := certmagic.NewDefault()
+ cfg.DefaultServerName = s.config.Domains[0]
+
+ issuer := &certmagic.DefaultACME
+ certmagic.DefaultACME.Agreed = true
+ certmagic.DefaultACME.Email = s.config.Email
+ certmagic.DefaultACME.Logger = certmagic.Default.Logger
+
+ if s.runtimeConfig.Development {
+ ca := s.runtimeConfig.ACMECA
+ if ca == "" {
+ return errors.New("can't enable tls in development without an ACME_CA")
+ }
+
+ cp, err := x509.SystemCertPool()
+ if err != nil {
+ log.Warn("could not get system certificate pool", "error", err)
+ cp = x509.NewCertPool()
+ }
+
+ if cacert := s.runtimeConfig.ACMECACert; cacert != "" {
+ cp.AppendCertsFromPEM([]byte(cacert))
+ }
+
+ // caddy's ACME server (step-ca) doesn't specify an OCSP server
+ cfg.OCSP.DisableStapling = true
+
+ issuer = certmagic.NewACMEIssuer(cfg, certmagic.ACMEIssuer{
+ CA: s.runtimeConfig.ACMECA,
+ TrustedRoots: cp,
+ DisableTLSALPNChallenge: true,
+ ListenHost: s.runtimeConfig.ListenAddress,
+ AltHTTPPort: s.runtimeConfig.Port,
+ AltTLSALPNPort: s.runtimeConfig.TLSPort,
+ })
+ cfg.Issuers[0] = issuer
+ } else {
+ rc := &redisConfig{}
+ _, err = conf.Parse("REDIS", rc)
+ if err != nil {
+ return errors.Wrap(err, "could not parse redis config")
+ }
+
+ rs := certmagic_redis.New()
+ rs.Address = []string{rc.Address}
+ rs.Username = rc.Username
+ rs.Password = rc.Password
+ rs.EncryptionKey = rc.EncryptionKey
+ rs.KeyPrefix = rc.KeyPrefix
+
+ cfg.Storage = rs
+ err = rs.Provision(caddy.Context{
+ Context: context.Background(),
+ })
+ if err != nil {
+ return errors.Wrap(err, "could not provision redis storage")
+ }
+ }
+
+ ln, err := listenfd.GetListener(
+ 1,
+ net.JoinHostPort(s.runtimeConfig.ListenAddress, strconv.Itoa(s.runtimeConfig.Port)),
+ log.Named("listenfd"),
+ )
 if err != nil {
- return errors.Wrap(err, "could not parse redis config")
+ return errors.Wrap(err, "could not bind plain socket")
 }
- rs := certmagic_redis.New()
- rs.Address = []string{rc.Address}
- rs.Username = rc.Username
- rs.Password = rc.Password
- rs.EncryptionKey = rc.EncryptionKey
- rs.KeyPrefix = rc.KeyPrefix
+ go func(ln net.Listener, srv *http.Server) {
+ httpMux := http.NewServeMux()
+ httpMux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+ if certmagic.LooksLikeHTTPChallenge(r) && issuer.HandleHTTPChallenge(w, r) {
+ return
+ }
+ url := r.URL
+ url.Scheme = "https"
+ port := s.config.BaseURL.Port()
+ if port == "" {
+ url.Host = r.Host
+ } else {
+ host, _, err := net.SplitHostPort(r.Host)
+ if err != nil {
+ log.Warn("error splitting host and port", "error", err)
+ host = r.Host
+ }
+ url.Host = net.JoinHostPort(host, s.config.BaseURL.Port())
+ }
+ http.Redirect(w, r, url.String(), http.StatusMovedPermanently)
+ })
+ srv.Handler = httpMux
- certmagic.Default.Storage = rs
- err = rs.Provision(caddy.Context{
- Context: context.Background(),
+ if err := srv.Serve(ln); err != nil && !errors.Is(err, http.ErrServerClosed) {
+ log.Error("error in http handler", "error", err)
+ }
+ }(ln, &http.Server{
+ ReadHeaderTimeout: s.ReadHeaderTimeout,
+ ReadTimeout: s.ReadTimeout,
+ WriteTimeout: s.WriteTimeout,
+ IdleTimeout: s.IdleTimeout,
 })
+
+ log.Debug(
+ "starting certmagic",
+ "http_port",
+ s.runtimeConfig.Port,
+ "https_port",
+ s.runtimeConfig.TLSPort,
+ )
+ err = cfg.ManageSync(context.TODO(), s.config.Domains)
 if err != nil {
- return errors.Wrap(err, "could not provision redis storage")
+ return errors.Wrap(err, "could not enable TLS")
 }
+ tlsConfig := cfg.TLSConfig()
+ tlsConfig.NextProtos = append([]string{"h2", "http/1.1"}, tlsConfig.NextProtos...)
- certmagic.DefaultACME.Agreed = true
- certmagic.DefaultACME.Email = s.config.Email
- certmagic.Default.DefaultServerName = s.config.Domains[0]
- certmagic.HTTPPort = s.runtimeConfig.Port
- certmagic.HTTPSPort = s.runtimeConfig.TLSPort
+ sln, err := listenfd.GetListenerTLS(
+ 0,
+ net.JoinHostPort(s.runtimeConfig.ListenAddress, strconv.Itoa(s.runtimeConfig.TLSPort)),
+ tlsConfig,
+ log.Named("listenfd"),
+ )
+ if err != nil {
+ return errors.Wrap(err, "could not bind tls socket")
+ }
- return certmagic.HTTPS(s.config.Domains, s.Server.Handler)
+ return s.Serve(sln)
 } |
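Review bot: The HTTP-to-HTTPS redirect in serveTLS builds its Location from the request's Host header (`url.Host = r.Host`, and the `host` split out of it in the other branch), so the 301 echoes back whatever host the client sent even though the server already knows its own names in `s.config.Domains`; checking the host against that list and otherwise substituting `s.config.Domains[0]` keeps the redirect pinned to managed domains, and `url := r.URL` should become `url := *r.URL` so the handler edits a copy rather than the request's own URL. `cp.AppendCertsFromPEM([]byte(cacert))` discards its result, so a malformed `ACME_CA_CERT` silently leaves the dev CA untrusted; `if !cp.AppendCertsFromPEM([]byte(cacert)) { return errors.New("could not parse ACME_CA_CERT as PEM") }` surfaces it at startup. The plain-HTTP `http.Server` started in the goroutine is never shut down — `Stop()` in server.go only calls `s.Server.Shutdown` — and `ln` is left open if `ManageSync` or `GetListenerTLS` fails afterwards, so keeping a handle to that server (or a `defer ln.Close()` on the error paths) is needed for a clean stop.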