cmd/godoc: optional ACME autocert support

If built with the "autocert" build tag, use
golang.org/x/crypto/autocert and for automatic TLS certs.

This will be used for https://beta.golang.org/ running on GCE.

Change-Id: Id0e385796a25d663708ea9bb65c45cb1471dd526
Reviewed-on: https://go-review.googlesource.com/33751
Reviewed-by: Chris Broadfoot <cbro@golang.org>

cmd/godoc/autocert.go

@@ -0,0 +1,77 @@
+// Copyright 2016 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build autocert
+
+// This file adds automatic TLS certificate support (using
+// golang.org/x/crypto/acme/autocert), conditional on the use of the
+// autocert build tag. It sets the serveAutoCertHook func variable
+// non-nil. It is used by main.go.
+//
+// TODO: make this the default? We're in the Go 1.8 freeze now, so
+// this is too invasive to be default, but we want it for
+// https://beta.golang.org/
+
+package main
+
+import (
+	"crypto/tls"
+	"flag"
+	"net"
+	"net/http"
+	"time"
+
+	"golang.org/x/crypto/acme/autocert"
+	"golang.org/x/net/http2"
+)
+
+var (
+	autoCertDirFlag  = flag.String("autocert_cache_dir", "/var/cache/autocert", "Directory to cache TLS certs")
+	autoCertHostFlag = flag.String("autocert_hostname", "", "optional hostname to require in autocert SNI requests")
+)
+
+func init() {
+	serveAutoCertHook = serveAutoCert
+}
+
+func serveAutoCert(h http.Handler) error {
+	m := autocert.Manager{
+		Cache:  autocert.DirCache(*autoCertDirFlag),
+		Prompt: autocert.AcceptTOS,
+	}
+	if *autoCertHostFlag != "" {
+		m.HostPolicy = autocert.HostWhitelist(*autoCertHostFlag)
+	}
+	srv := &http.Server{
+		Handler: h,
+		TLSConfig: &tls.Config{
+			GetCertificate: m.GetCertificate,
+		},
+		IdleTimeout: 60 * time.Second,
+	}
+	http2.ConfigureServer(srv, &http2.Server{})
+	ln, err := net.Listen("tcp", ":443")
+	if err != nil {
+		return err
+	}
+	return srv.Serve(tls.NewListener(tcpKeepAliveListener{ln.(*net.TCPListener)}, srv.TLSConfig))
+}
+
+// tcpKeepAliveListener sets TCP keep-alive timeouts on accepted
+// connections. It's used by ListenAndServe and ListenAndServeTLS so
+// dead TCP connections (e.g. closing laptop mid-download) eventually
+// go away.
+type tcpKeepAliveListener struct {
+	*net.TCPListener
+}
+
+func (ln tcpKeepAliveListener) Accept() (c net.Conn, err error) {
+	tc, err := ln.AcceptTCP()
+	if err != nil {
+		return
+	}
+	tc.SetKeepAlive(true)
+	tc.SetKeepAlivePeriod(3 * time.Minute)
+	return tc, nil
+}

cmd/godoc/main.go

@@ -310,6 +310,14 @@ func main() {
 			go analysis.Run(pointerAnalysis, &corpus.Analysis)
 		}
 
+		if serveAutoCertHook != nil {
+			go func() {
+				if err := serveAutoCertHook(handler); err != nil {
+					log.Fatalf("ListenAndServe TLS: %v", err)
+				}
+			}()
+		}
+
 		// Start http server.
 		if err := http.ListenAndServe(*httpAddr, handler); err != nil {
 			log.Fatalf("ListenAndServe %s: %v", *httpAddr, err)
@@ -327,3 +335,7 @@ func main() {
 		log.Print(err)
 	}
 }
+
+// serveAutoCertHook if non-nil specifies a function to listen on port 443.
+// See autocert.go.
+var serveAutoCertHook func(http.Handler) error