Add ability to pull in acme certificates
This commit is contained in:
parent
fbb7bf8ade
commit
3b69e3f9bb
127
main.go
127
main.go
@ -1,6 +1,7 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"crypto/tls"
|
||||
"encoding/csv"
|
||||
"flag"
|
||||
"fmt"
|
||||
@ -11,16 +12,22 @@ import (
|
||||
"path/filepath"
|
||||
"time"
|
||||
|
||||
"golang.org/x/crypto/acme"
|
||||
"golang.org/x/crypto/acme/autocert"
|
||||
"golang.org/x/crypto/bcrypt"
|
||||
"golang.org/x/net/webdav"
|
||||
"suah.dev/protect"
|
||||
)
|
||||
|
||||
var (
|
||||
acmeDomain string
|
||||
test bool
|
||||
acmeListen string
|
||||
cacheDir string
|
||||
davDir string
|
||||
davPath string
|
||||
listen string
|
||||
passPath string
|
||||
davPath string
|
||||
staticDir string
|
||||
users map[string]string
|
||||
)
|
||||
@ -32,17 +39,26 @@ func init() {
|
||||
log.Fatalln(err)
|
||||
}
|
||||
|
||||
// TODO: come up with better names for things.
|
||||
// TODO: should these go in a config file?
|
||||
flag.StringVar(&acmeDomain, "domain", "", "Domain to to use for ACME requests.")
|
||||
flag.StringVar(&acmeListen, "alisten", ":80", "Listen for acme requests on")
|
||||
flag.StringVar(&cacheDir, "cache", fmt.Sprintf("%s/.cache", dir), "Directory in which to store ACME certificates.")
|
||||
flag.StringVar(&davDir, "davdir", dir, "Directory to serve over WebDAV.")
|
||||
flag.StringVar(&listen, "http", ":8080", "Listen on")
|
||||
flag.StringVar(&passPath, "htpass", fmt.Sprintf("%s/.htpasswd", dir), "Path to .htpasswd file..")
|
||||
flag.StringVar(&davPath, "davpath", "/dav/", "Directory containing files to serve over WebDAV.")
|
||||
flag.StringVar(&staticDir, "static", dir, "Directory to serve static resources from. Served at '/'.")
|
||||
flag.BoolVar(&test, "test", false, "Enable testing mode (uses staging LetsEncrypt).")
|
||||
flag.Parse()
|
||||
|
||||
// These are OpenBSD specific protections used to prevent un-necesary file access.
|
||||
protect.Unveil(staticDir, "r")
|
||||
protect.Unveil(passPath, "r")
|
||||
protect.Unveil(davDir, "rwc")
|
||||
protect.Unveil(cacheDir, "rwc")
|
||||
protect.Unveil("/etc/ssl/cert.pem", "r")
|
||||
protect.Unveil("/etc/resolv.conf", "r")
|
||||
err = protect.UnveilBlock()
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
@ -80,14 +96,9 @@ func validate(user string, pass string) bool {
|
||||
return err == nil
|
||||
}
|
||||
|
||||
func main() {
|
||||
wdav := &webdav.Handler{
|
||||
Prefix: davPath,
|
||||
LockSystem: webdav.NewMemLS(),
|
||||
FileSystem: webdav.Dir(davDir),
|
||||
Logger: func(r *http.Request, err error) {
|
||||
func httpLog(r *http.Request) {
|
||||
n := time.Now()
|
||||
fmt.Printf("%s [%s] \"%s %s %s\" %03d\n",
|
||||
fmt.Printf("%s (%s) [%s] \"%s %s\" %03d\n",
|
||||
r.RemoteAddr,
|
||||
n.Format(time.RFC822Z),
|
||||
r.Method,
|
||||
@ -95,12 +106,33 @@ func main() {
|
||||
r.Proto,
|
||||
r.ContentLength,
|
||||
)
|
||||
}
|
||||
|
||||
func logger(f http.HandlerFunc) http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
httpLog(r)
|
||||
f(w, r)
|
||||
}
|
||||
}
|
||||
|
||||
func main() {
|
||||
wdav := &webdav.Handler{
|
||||
Prefix: davPath,
|
||||
LockSystem: webdav.NewMemLS(),
|
||||
FileSystem: webdav.Dir(davDir),
|
||||
Logger: func(r *http.Request, err error) {
|
||||
httpLog(r)
|
||||
},
|
||||
}
|
||||
|
||||
fileServer := http.FileServer(http.Dir(staticDir))
|
||||
|
||||
mux := http.NewServeMux()
|
||||
mux.Handle("/", http.FileServer(http.Dir(staticDir)))
|
||||
mux.HandleFunc(davPath, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
mux.HandleFunc("/", logger(func(w http.ResponseWriter, r *http.Request) {
|
||||
httpLog(r)
|
||||
fileServer.ServeHTTP(w, r)
|
||||
}))
|
||||
mux.HandleFunc(davPath, func(w http.ResponseWriter, r *http.Request) {
|
||||
user, pass, ok := r.BasicAuth()
|
||||
if !(ok && validate(user, pass)) {
|
||||
w.Header().Set("WWW-Authenticate", `Basic realm="davfs"`)
|
||||
@ -108,15 +140,82 @@ func main() {
|
||||
return
|
||||
}
|
||||
wdav.ServeHTTP(w, r)
|
||||
}))
|
||||
})
|
||||
|
||||
s := http.Server{
|
||||
Handler: mux,
|
||||
}
|
||||
|
||||
if acmeDomain != "" {
|
||||
tlsConfig := acmeHandler(acmeDomain, acmeListen, cacheDir)
|
||||
tlsLis, err := tls.Listen("tcp", listen, tlsConfig)
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
}
|
||||
|
||||
log.Printf("Listening for HTTPS on '%s'", listen)
|
||||
log.Panic(s.Serve(tlsLis))
|
||||
} else {
|
||||
lis, err := net.Listen("tcp", listen)
|
||||
if err != nil {
|
||||
log.Panic(err)
|
||||
}
|
||||
|
||||
s := http.Server{Handler: mux}
|
||||
|
||||
log.Printf("Listening on '%s'", listen)
|
||||
log.Printf("Listening for HTTP on '%s'", listen)
|
||||
log.Panic(s.Serve(lis))
|
||||
}
|
||||
}
|
||||
|
||||
func acmeHandler(domain, listen, cache string) *tls.Config {
|
||||
log.Printf("storing certifiates for %q in %q\n", domain, cache)
|
||||
|
||||
m := &autocert.Manager{
|
||||
Prompt: autocert.AcceptTOS,
|
||||
Cache: autocert.DirCache(cache),
|
||||
HostPolicy: autocert.HostWhitelist(domain),
|
||||
}
|
||||
|
||||
if test {
|
||||
m.Client = &acme.Client{
|
||||
DirectoryURL: "https://acme-staging-v02.api.letsencrypt.org/directory",
|
||||
}
|
||||
}
|
||||
|
||||
// TLS parameters graciously taken from https://github.com/jrick/domain
|
||||
tc := m.TLSConfig()
|
||||
tc.ServerName = domain
|
||||
tc.NextProtos = []string{"http/1.1", acme.ALPNProto}
|
||||
tc.MinVersion = tls.VersionTLS12
|
||||
tc.CurvePreferences = []tls.CurveID{tls.X25519, tls.CurveP256}
|
||||
tc.PreferServerCipherSuites = true
|
||||
tc.CipherSuites = []uint16{
|
||||
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
||||
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||
}
|
||||
|
||||
lis, err := net.Listen("tcp", listen)
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
}
|
||||
|
||||
log.Printf("ACME client listening on %s", lis.Addr())
|
||||
|
||||
mHandler := m.HTTPHandler(nil)
|
||||
|
||||
s := &http.Server{
|
||||
Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
httpLog(r)
|
||||
mHandler.ServeHTTP(w, r)
|
||||
}),
|
||||
}
|
||||
|
||||
go func() {
|
||||
log.Panic(s.Serve(lis))
|
||||
}()
|
||||
|
||||
return tc
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user