From 0f86c627e2ba8f04cf5e285430eeac47139e0730 Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick
Date: Wed, 30 Nov 2016 23:15:23 +0000
Subject: [PATCH] cmd/godoc: optional ACME autocert support

If built with the "autocert" build tag, use golang.org/x/crypto/autocert and for automatic TLS certs. This will be used for https://beta.golang.org/ running on GCE.

Change-Id: Id0e385796a25d663708ea9bb65c45cb1471dd526
Reviewed-on: https://go-review.googlesource.com/33751
Reviewed-by: Chris Broadfoot
---
 cmd/godoc/autocert.go | 77 +++++++++++++++++++++++++++++++++++++++++++
 cmd/godoc/main.go | 12 +++++++
 2 files changed, 89 insertions(+)
 create mode 100644 cmd/godoc/autocert.go
diff --git a/cmd/godoc/autocert.go b/cmd/godoc/autocert.go
new file mode 100644
index 0000000000..9fc3a8fc5c
--- /dev/null
+++ b/cmd/godoc/autocert.go
@@ -0,0 +1,77 @@
+// Copyright 2016 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build autocert
+
+// This file adds automatic TLS certificate support (using
+// golang.org/x/crypto/acme/autocert), conditional on the use of the
+// autocert build tag. It sets the serveAutoCertHook func variable
+// non-nil. It is used by main.go.
+//
+// TODO: make this the default? We're in the Go 1.8 freeze now, so
+// this is too invasive to be default, but we want it for
+// https://beta.golang.org/
+
+package main
+
+import (
+ "crypto/tls"
+ "flag"
+ "net"
+ "net/http"
+ "time"
+
+ "golang.org/x/crypto/acme/autocert"
+ "golang.org/x/net/http2"
+)
+
+var (
+ autoCertDirFlag = flag.String("autocert_cache_dir", "/var/cache/autocert", "Directory to cache TLS certs")
+ autoCertHostFlag = flag.String("autocert_hostname", "", "optional hostname to require in autocert SNI requests")
+)
+
+func init() {
+ serveAutoCertHook = serveAutoCert
+}
+
+func serveAutoCert(h http.Handler) error {
+ m := autocert.Manager{
+ Cache: autocert.DirCache(*autoCertDirFlag),
+ Prompt: autocert.AcceptTOS,
+ }
+ if *autoCertHostFlag != "" {
+ m.HostPolicy = autocert.HostWhitelist(*autoCertHostFlag)
+ }
+ srv := &http.Server{
+ Handler: h,
+ TLSConfig: &tls.Config{
+ GetCertificate: m.GetCertificate,
+ },
+ IdleTimeout: 60 * time.Second,
+ }
+ http2.ConfigureServer(srv, &http2.Server{})
+ ln, err := net.Listen("tcp", ":443")
+ if err != nil {
+ return err
+ }
+ return srv.Serve(tls.NewListener(tcpKeepAliveListener{ln.(*net.TCPListener)}, srv.TLSConfig))
+}
+
+// tcpKeepAliveListener sets TCP keep-alive timeouts on accepted
+// connections. It's used by ListenAndServe and ListenAndServeTLS so
+// dead TCP connections (e.g. closing laptop mid-download) eventually
+// go away.
+type tcpKeepAliveListener struct {
+ *net.TCPListener
+}
+
+func (ln tcpKeepAliveListener) Accept() (c net.Conn, err error) {
+ tc, err := ln.AcceptTCP()
+ if err != nil {
+ return
+ }
+ tc.SetKeepAlive(true)
+ tc.SetKeepAlivePeriod(3 * time.Minute)
+ return tc, nil
+}
diff --git a/cmd/godoc/main.go b/cmd/godoc/main.go
index 3496013c15..6414194a53 100644
--- a/cmd/godoc/main.go
+++ b/cmd/godoc/main.go
@@ -310,6 +310,14 @@ func main() {
 go analysis.Run(pointerAnalysis, &corpus.Analysis)
 }
 
+ if serveAutoCertHook != nil {
+ go func() {
+ if err := serveAutoCertHook(handler); err != nil {
+ log.Fatalf("ListenAndServe TLS: %v", err)
+ }
+ }()
+ }
+
 // Start http server.
 if err := http.ListenAndServe(*httpAddr, handler); err != nil {
 log.Fatalf("ListenAndServe %s: %v", *httpAddr, err)
@@ -327,3 +335,7 @@ func main() {
 log.Print(err)
 }
 }
+
+// serveAutoCertHook if non-nil specifies a function to listen on port 443.
+// See autocert.go.
+var serveAutoCertHook func(http.Handler) error
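Review bot: In serveAutoCert the HostPolicy is only assigned when -autocert_hostname is non-empty, so the default run leaves Manager.HostPolicy nil, and with a nil policy autocert places no restriction on which host names it will request certificates for; that lets any client presenting an arbitrary SNI name trigger needless ACME issuance attempts and burn through the CA's rate limit for the real site. Since the flag's help text itself calls the hostname optional, the safer shape once this build tag is active is to require it, e.g. `if *autoCertHostFlag == "" { return errors.New("autocert_hostname is required when built with the autocert tag") }` ahead of the Manager literal (adding `"errors"` to the import block) and dropping "optional" from the flag description. Separately, `tc.SetKeepAlive` and `tc.SetKeepAlivePeriod` in Accept discard their errors; a `// best effort: a keep-alive failure does not invalidate the connection` comment would mark that as deliberate. The http.Server here sets only IdleTimeout and no ReadTimeout/WriteTimeout, which is worth a comment if intended for a public listener.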
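Review bot: The new `if serveAutoCertHook != nil` block carries no comment explaining why it is conditional, and a reader of main.go alone cannot tell that the hook is only non-nil under the autocert build tag; a one-liner above it such as `// Built with the autocert tag: also serve the same handler over TLS on :443 (see autocert.go).` would close that gap. The comment should also say that the hook's error is treated as fatal from inside the goroutine, so a failure to bind :443 takes the plain HTTP listener below down with it, which looks intended but is not stated. main begins and ends outside this hunk.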
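Review bot: The doc comment on serveAutoCertHook says only that it listens on port 443 and omits the contract main actually relies on: main runs it in its own goroutine, expects it to block while serving the given handler, and treats any returned error as fatal via log.Fatalf. Suggest `// serveAutoCertHook, if non-nil, is started by main in its own goroutine and is expected to block serving the given handler over TLS on port 443; a returned error is fatal. See autocert.go.` in place of the two comment lines added here.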