Add ability to pull in acme certificates

2020-06-09 21:44:52 -06:00 · 2020-06-09 21:44:52 -06:00 · 3b69e3f9bb
commit 3b69e3f9bb
parent fbb7bf8ade
1 changed files with 121 additions and 22 deletions
--- a/main.go
+++ b/main.go
@ -1,6 +1,7 @@
 package main

 import (
+	"crypto/tls"
 	"encoding/csv"
 	"flag"
 	"fmt"
@ -11,18 +12,24 @@ import (
 	"path/filepath"
 	"time"

+	"golang.org/x/crypto/acme"
+	"golang.org/x/crypto/acme/autocert"
 	"golang.org/x/crypto/bcrypt"
 	"golang.org/x/net/webdav"
 	"suah.dev/protect"
 )

 var (
-	davDir    string
-	listen    string
-	passPath  string
-	davPath   string
-	staticDir string
-	users     map[string]string
+	acmeDomain string
+	test       bool
+	acmeListen string
+	cacheDir   string
+	davDir     string
+	davPath    string
+	listen     string
+	passPath   string
+	staticDir  string
+	users      map[string]string
 )

 func init() {
@ -32,17 +39,26 @@ func init() {
 		log.Fatalln(err)
 	}

+	// TODO: come up with better names for things.
+	// TODO: should these go in a config file?
+	flag.StringVar(&acmeDomain, "domain", "", "Domain to to use for ACME requests.")
+	flag.StringVar(&acmeListen, "alisten", ":80", "Listen for acme requests on")
+	flag.StringVar(&cacheDir, "cache", fmt.Sprintf("%s/.cache", dir), "Directory in which to store ACME certificates.")
 	flag.StringVar(&davDir, "davdir", dir, "Directory to serve over WebDAV.")
 	flag.StringVar(&listen, "http", ":8080", "Listen on")
 	flag.StringVar(&passPath, "htpass", fmt.Sprintf("%s/.htpasswd", dir), "Path to .htpasswd file..")
 	flag.StringVar(&davPath, "davpath", "/dav/", "Directory containing files to serve over WebDAV.")
 	flag.StringVar(&staticDir, "static", dir, "Directory to serve static resources from. Served at '/'.")
+	flag.BoolVar(&test, "test", false, "Enable testing mode (uses staging LetsEncrypt).")
 	flag.Parse()

 	// These are OpenBSD specific protections used to prevent un-necesary file access.
 	protect.Unveil(staticDir, "r")
 	protect.Unveil(passPath, "r")
 	protect.Unveil(davDir, "rwc")
+	protect.Unveil(cacheDir, "rwc")
+	protect.Unveil("/etc/ssl/cert.pem", "r")
+	protect.Unveil("/etc/resolv.conf", "r")
 	err = protect.UnveilBlock()
 	if err != nil {
 		log.Fatal(err)
@ -80,27 +96,43 @@ func validate(user string, pass string) bool {
 	return err == nil
 }

+func httpLog(r *http.Request) {
+	n := time.Now()
+	fmt.Printf("%s (%s) [%s] \"%s %s\" %03d\n",
+		r.RemoteAddr,
+		n.Format(time.RFC822Z),
+		r.Method,
+		r.URL.Path,
+		r.Proto,
+		r.ContentLength,
+	)
+}
+
+func logger(f http.HandlerFunc) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		httpLog(r)
+		f(w, r)
+	}
+}
+
 func main() {
 	wdav := &webdav.Handler{
 		Prefix:     davPath,
 		LockSystem: webdav.NewMemLS(),
 		FileSystem: webdav.Dir(davDir),
 		Logger: func(r *http.Request, err error) {
-			n := time.Now()
-			fmt.Printf("%s [%s] \"%s %s %s\" %03d\n",
-				r.RemoteAddr,
-				n.Format(time.RFC822Z),
-				r.Method,
-				r.URL.Path,
-				r.Proto,
-				r.ContentLength,
-			)
+			httpLog(r)
 		},
 	}

+	fileServer := http.FileServer(http.Dir(staticDir))
+
 	mux := http.NewServeMux()
-	mux.Handle("/", http.FileServer(http.Dir(staticDir)))
-	mux.HandleFunc(davPath, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	mux.HandleFunc("/", logger(func(w http.ResponseWriter, r *http.Request) {
+		httpLog(r)
+		fileServer.ServeHTTP(w, r)
+	}))
+	mux.HandleFunc(davPath, func(w http.ResponseWriter, r *http.Request) {
 		user, pass, ok := r.BasicAuth()
 		if !(ok && validate(user, pass)) {
 			w.Header().Set("WWW-Authenticate", `Basic realm="davfs"`)
@ -108,15 +140,82 @@ func main() {
 			return
 		}
 		wdav.ServeHTTP(w, r)
-	}))
+	})
+
+	s := http.Server{
+		Handler: mux,
+	}
+
+	if acmeDomain != "" {
+		tlsConfig := acmeHandler(acmeDomain, acmeListen, cacheDir)
+		tlsLis, err := tls.Listen("tcp", listen, tlsConfig)
+		if err != nil {
+			log.Fatal(err)
+		}
+
+		log.Printf("Listening for HTTPS on '%s'", listen)
+		log.Panic(s.Serve(tlsLis))
+	} else {
+		lis, err := net.Listen("tcp", listen)
+		if err != nil {
+			log.Panic(err)
+		}
+
+		log.Printf("Listening for HTTP on '%s'", listen)
+		log.Panic(s.Serve(lis))
+	}
+}
+
+func acmeHandler(domain, listen, cache string) *tls.Config {
+	log.Printf("storing certifiates for %q in %q\n", domain, cache)
+
+	m := &autocert.Manager{
+		Prompt:     autocert.AcceptTOS,
+		Cache:      autocert.DirCache(cache),
+		HostPolicy: autocert.HostWhitelist(domain),
+	}
+
+	if test {
+		m.Client = &acme.Client{
+			DirectoryURL: "https://acme-staging-v02.api.letsencrypt.org/directory",
+		}
+	}
+
+	// TLS parameters graciously taken from https://github.com/jrick/domain
+	tc := m.TLSConfig()
+	tc.ServerName = domain
+	tc.NextProtos = []string{"http/1.1", acme.ALPNProto}
+	tc.MinVersion = tls.VersionTLS12
+	tc.CurvePreferences = []tls.CurveID{tls.X25519, tls.CurveP256}
+	tc.PreferServerCipherSuites = true
+	tc.CipherSuites = []uint16{
+		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+	}

 	lis, err := net.Listen("tcp", listen)
 	if err != nil {
-		log.Panic(err)
+		log.Fatal(err)
 	}

-	s := http.Server{Handler: mux}
+	log.Printf("ACME client listening on %s", lis.Addr())

-	log.Printf("Listening on '%s'", listen)
-	log.Panic(s.Serve(lis))
+	mHandler := m.HTTPHandler(nil)
+
+	s := &http.Server{
+		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			httpLog(r)
+			mHandler.ServeHTTP(w, r)
+		}),
+	}
+
+	go func() {
+		log.Panic(s.Serve(lis))
+	}()
+
+	return tc
 }