package server import ( "context" "crypto/x509" "net" "net/http" "strconv" "website/internal/listenfd" "website/internal/log" "github.com/ardanlabs/conf/v3" "github.com/caddyserver/caddy/v2" "github.com/caddyserver/certmagic" certmagic_redis "github.com/pberkel/caddy-storage-redis" "github.com/pkg/errors" ) type redisConfig struct { Address string `conf:"required"` Username string `conf:"default:default"` Password string `conf:"required"` EncryptionKey string `conf:"required"` KeyPrefix string `conf:"default:certmagic"` } func (s *Server) serveTLS() (err error) { cfg := certmagic.NewDefault() cfg.DefaultServerName = s.config.Domains[0] certmagic.DefaultACME.Agreed = true certmagic.DefaultACME.Email = s.config.Email if s.runtimeConfig.Development { ca := s.runtimeConfig.ACMECA if ca == "" { return errors.New("can't enable tls in development without an ACME_CA") } cp, err := x509.SystemCertPool() if err != nil { log.Warn("could not get system certificate pool", "error", err) cp = x509.NewCertPool() } if cacert := s.runtimeConfig.ACMECACert; cacert != "" { cp.AppendCertsFromPEM([]byte(cacert)) } // caddy's ACME server (step-ca) doesn't specify an OCSP server cfg.OCSP.DisableStapling = true cfg.Issuers[0] = certmagic.NewACMEIssuer(cfg, certmagic.ACMEIssuer{ CA: s.runtimeConfig.ACMECA, TrustedRoots: cp, DisableTLSALPNChallenge: true, ListenHost: s.runtimeConfig.ListenAddress, AltHTTPPort: s.runtimeConfig.Port, AltTLSALPNPort: s.runtimeConfig.TLSPort, }) } else { rc := &redisConfig{} _, err = conf.Parse("REDIS", rc) if err != nil { return errors.Wrap(err, "could not parse redis config") } rs := certmagic_redis.New() rs.Address = []string{rc.Address} rs.Username = rc.Username rs.Password = rc.Password rs.EncryptionKey = rc.EncryptionKey rs.KeyPrefix = rc.KeyPrefix cfg.Storage = rs err = rs.Provision(caddy.Context{ Context: context.Background(), }) if err != nil { return errors.Wrap(err, "could not provision redis storage") } } log.Debug( "starting certmagic", "http_port", s.runtimeConfig.Port, "https_port", s.runtimeConfig.TLSPort, ) err = cfg.ManageSync(context.TODO(), s.config.Domains) if err != nil { return errors.Wrap(err, "could not enable TLS") } tlsConfig := cfg.TLSConfig() tlsConfig.NextProtos = append([]string{"h2", "http/1.1"}, tlsConfig.NextProtos...) sln, err := listenfd.GetListenerTLS( 0, net.JoinHostPort(s.runtimeConfig.ListenAddress, strconv.Itoa(s.runtimeConfig.TLSPort)), tlsConfig, ) if err != nil { return errors.Wrap(err, "could not bind tls socket") } ln, err := listenfd.GetListener( 1, net.JoinHostPort(s.runtimeConfig.ListenAddress, strconv.Itoa(s.runtimeConfig.Port)), ) if err != nil { return errors.Wrap(err, "could not bind plain socket") } go func(ln net.Listener) { redirecter := http.NewServeMux() redirecter.HandleFunc("/", s.redirectHandler) err := http.Serve(ln, redirecter) if err != nil && !errors.Is(err, http.ErrServerClosed) { log.Error("error in http handler", "error", err) } }(ln) return s.Serve(sln) }