qbit/gavin
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Add ability to pull in acme certificates

Browse Source
This commit is contained in:
Aaron Bieber 2020-06-09 21:44:52 -06:00
parent fbb7bf8ade
commit 3b69e3f9bb
1 changed files with 121 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

143
main.go
View File

@ -1,6 +1,7 @@
package main package main
import ( import (
"crypto/tls"
"encoding/csv" "encoding/csv"
"flag" "flag"
"fmt" "fmt"
@ -11,18 +12,24 @@ import (
"path/filepath" "path/filepath"
"time" "time"
"golang.org/x/crypto/acme"
"golang.org/x/crypto/acme/autocert"
"golang.org/x/crypto/bcrypt" "golang.org/x/crypto/bcrypt"
"golang.org/x/net/webdav" "golang.org/x/net/webdav"
"suah.dev/protect" "suah.dev/protect"
) )
var ( var (
davDir string acmeDomain string
listen string test bool
passPath string acmeListen string
davPath string cacheDir string
staticDir string davDir string
users map[string]string davPath string
listen string
passPath string
staticDir string
users map[string]string
) )
func init() { func init() {
@ -32,17 +39,26 @@ func init() {
log.Fatalln(err) log.Fatalln(err)
} }
// TODO: come up with better names for things.
// TODO: should these go in a config file?
flag.StringVar(&acmeDomain, "domain", "", "Domain to to use for ACME requests.")
flag.StringVar(&acmeListen, "alisten", ":80", "Listen for acme requests on")
flag.StringVar(&cacheDir, "cache", fmt.Sprintf("%s/.cache", dir), "Directory in which to store ACME certificates.")
flag.StringVar(&davDir, "davdir", dir, "Directory to serve over WebDAV.") flag.StringVar(&davDir, "davdir", dir, "Directory to serve over WebDAV.")
flag.StringVar(&listen, "http", ":8080", "Listen on") flag.StringVar(&listen, "http", ":8080", "Listen on")
flag.StringVar(&passPath, "htpass", fmt.Sprintf("%s/.htpasswd", dir), "Path to .htpasswd file..") flag.StringVar(&passPath, "htpass", fmt.Sprintf("%s/.htpasswd", dir), "Path to .htpasswd file..")
flag.StringVar(&davPath, "davpath", "/dav/", "Directory containing files to serve over WebDAV.") flag.StringVar(&davPath, "davpath", "/dav/", "Directory containing files to serve over WebDAV.")
flag.StringVar(&staticDir, "static", dir, "Directory to serve static resources from. Served at '/'.") flag.StringVar(&staticDir, "static", dir, "Directory to serve static resources from. Served at '/'.")
flag.BoolVar(&test, "test", false, "Enable testing mode (uses staging LetsEncrypt).")
flag.Parse() flag.Parse()
// These are OpenBSD specific protections used to prevent un-necesary file access. // These are OpenBSD specific protections used to prevent un-necesary file access.
protect.Unveil(staticDir, "r") protect.Unveil(staticDir, "r")
protect.Unveil(passPath, "r") protect.Unveil(passPath, "r")
protect.Unveil(davDir, "rwc") protect.Unveil(davDir, "rwc")
protect.Unveil(cacheDir, "rwc")
protect.Unveil("/etc/ssl/cert.pem", "r")
protect.Unveil("/etc/resolv.conf", "r")
err = protect.UnveilBlock() err = protect.UnveilBlock()
if err != nil { if err != nil {
log.Fatal(err) log.Fatal(err)
@ -80,27 +96,43 @@ func validate(user string, pass string) bool {
return err == nil return err == nil
} }
func httpLog(r *http.Request) {
n := time.Now()
fmt.Printf("%s (%s) [%s] \"%s %s\" %03d\n",
r.RemoteAddr,
n.Format(time.RFC822Z),
r.Method,
r.URL.Path,
r.Proto,
r.ContentLength,
)
}
func logger(f http.HandlerFunc) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
httpLog(r)
f(w, r)
}
}
func main() { func main() {
wdav := &webdav.Handler{ wdav := &webdav.Handler{
Prefix: davPath, Prefix: davPath,
LockSystem: webdav.NewMemLS(), LockSystem: webdav.NewMemLS(),
FileSystem: webdav.Dir(davDir), FileSystem: webdav.Dir(davDir),
Logger: func(r *http.Request, err error) { Logger: func(r *http.Request, err error) {
n := time.Now() httpLog(r)
fmt.Printf("%s [%s] \"%s %s %s\" %03d\n",
r.RemoteAddr,
n.Format(time.RFC822Z),
r.Method,
r.URL.Path,
r.Proto,
r.ContentLength,
)
}, },
} }
fileServer := http.FileServer(http.Dir(staticDir))
mux := http.NewServeMux() mux := http.NewServeMux()
mux.Handle("/", http.FileServer(http.Dir(staticDir))) mux.HandleFunc("/", logger(func(w http.ResponseWriter, r *http.Request) {
mux.HandleFunc(davPath, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { httpLog(r)
fileServer.ServeHTTP(w, r)
}))
mux.HandleFunc(davPath, func(w http.ResponseWriter, r *http.Request) {
user, pass, ok := r.BasicAuth() user, pass, ok := r.BasicAuth()
if !(ok && validate(user, pass)) { if !(ok && validate(user, pass)) {
w.Header().Set("WWW-Authenticate", `Basic realm="davfs"`) w.Header().Set("WWW-Authenticate", `Basic realm="davfs"`)
@ -108,15 +140,82 @@ func main() {
return return
} }
wdav.ServeHTTP(w, r) wdav.ServeHTTP(w, r)
})) })
s := http.Server{
Handler: mux,
}
if acmeDomain != "" {
tlsConfig := acmeHandler(acmeDomain, acmeListen, cacheDir)
tlsLis, err := tls.Listen("tcp", listen, tlsConfig)
if err != nil {
log.Fatal(err)
}
log.Printf("Listening for HTTPS on '%s'", listen)
log.Panic(s.Serve(tlsLis))
} else {
lis, err := net.Listen("tcp", listen)
if err != nil {
log.Panic(err)
}
log.Printf("Listening for HTTP on '%s'", listen)
log.Panic(s.Serve(lis))
}
}
func acmeHandler(domain, listen, cache string) *tls.Config {
log.Printf("storing certifiates for %q in %q\n", domain, cache)
m := &autocert.Manager{
Prompt: autocert.AcceptTOS,
Cache: autocert.DirCache(cache),
HostPolicy: autocert.HostWhitelist(domain),
}
if test {
m.Client = &acme.Client{
DirectoryURL: "https://acme-staging-v02.api.letsencrypt.org/directory",
}
}
// TLS parameters graciously taken from https://github.com/jrick/domain
tc := m.TLSConfig()
tc.ServerName = domain
tc.NextProtos = []string{"http/1.1", acme.ALPNProto}
tc.MinVersion = tls.VersionTLS12
tc.CurvePreferences = []tls.CurveID{tls.X25519, tls.CurveP256}
tc.PreferServerCipherSuites = true
tc.CipherSuites = []uint16{
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
}
lis, err := net.Listen("tcp", listen) lis, err := net.Listen("tcp", listen)
if err != nil { if err != nil {
log.Panic(err) log.Fatal(err)
} }
s := http.Server{Handler: mux} log.Printf("ACME client listening on %s", lis.Addr())
log.Printf("Listening on '%s'", listen) mHandler := m.HTTPHandler(nil)
log.Panic(s.Serve(lis))
s := &http.Server{
Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
httpLog(r)
mHandler.ServeHTTP(w, r)
}),
}
go func() {
log.Panic(s.Serve(lis))
}()
return tc
} }