package certificates
import (
"fmt"
"net/http"
"net/url"
"strings"
"time"
"github.com/go-acme/lego/v4/challenge"
"github.com/rs/zerolog/log"
"codeberg.org/codeberg/pages/server/cache"
"codeberg.org/codeberg/pages/server/context"
)
// AcmeTLSChallengeProvider is the lego challenge.Provider used for the
// TLS-ALPN-01 flow. It only writes the key authorization into challengeCache
// (keyed by the bare domain, see Present); whatever serves that value on the
// TLS listener is not part of this file.
type AcmeTLSChallengeProvider struct {
	// Cache shared with the rest of the server; entries are written by
	// Present and dropped again by CleanUp.
	challengeCache cache.ICache
}
// Compile-time check that AcmeTLSChallengeProvider satisfies challenge.Provider.
// A plain value is enough because both methods use value receivers.
var _ challenge.Provider = AcmeTLSChallengeProvider{}
// Present implements challenge.Provider for TLS-ALPN-01: the key
// authorization for domain is cached under the bare domain for one hour.
// The token argument is not needed for this flow and is ignored; how the
// cached value is read back on the TLS side is not visible in this file.
func (a AcmeTLSChallengeProvider) Present(domain, _, keyAuth string) error {
	// Generous upper bound; CleanUp normally drops the entry much earlier.
	const keyAuthTTL = time.Hour
	return a.challengeCache.Set(domain, keyAuth, keyAuthTTL)
}
// CleanUp implements challenge.Provider for TLS-ALPN-01: it drops the cached
// key authorization for domain once lego is done with the challenge. The
// token and key authorization arguments are ignored. It always reports
// success because Remove does not surface an error here.
func (a AcmeTLSChallengeProvider) CleanUp(domain, _, _ string) error {
	cacheKey := domain
	a.challengeCache.Remove(cacheKey)
	return nil
}
// AcmeHTTPChallengeProvider is the lego challenge.Provider used for the
// HTTP-01 flow. Present stores the key authorization under "<domain>/<token>";
// the handler returned by SetupHTTPACMEChallengeServer looks it up under the
// same key, so both sides must agree on that format.
type AcmeHTTPChallengeProvider struct {
	// Cache shared with the HTTP challenge handler; entries are written by
	// Present and dropped again by CleanUp.
	challengeCache cache.ICache
}
// Compile-time check that AcmeHTTPChallengeProvider satisfies challenge.Provider.
// A plain value is enough because both methods use value receivers.
var _ challenge.Provider = AcmeHTTPChallengeProvider{}
// Present implements challenge.Provider for HTTP-01: the key authorization is
// cached for one hour under "<domain>/<token>", which is exactly the key the
// HTTP challenge handler derives from the Host header and request path.
// Binding the token to the domain means a lookup with a different Host misses.
func (a AcmeHTTPChallengeProvider) Present(domain, token, keyAuth string) error {
	cacheKey := domain + "/" + token
	return a.challengeCache.Set(cacheKey, keyAuth, time.Hour)
}
// CleanUp implements challenge.Provider for HTTP-01: it removes the
// "<domain>/<token>" entry written by Present. The key authorization
// argument is ignored. It always reports success because Remove does not
// surface an error here.
func (a AcmeHTTPChallengeProvider) CleanUp(domain, token, _ string) error {
	cacheKey := domain + "/" + token
	a.challengeCache.Remove(cacheKey)
	return nil
}
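// SetupHTTPACMEChallengeServer returns the handler for the plain-HTTP
// listener. It does two things:
//
//  1. Requests whose path starts with challengePath (declared elsewhere in
//     this package) are ACME HTTP-01 validation requests: the key
//     authorization that AcmeHTTPChallengeProvider.Present stored under
//     "<host>/<token>" is returned verbatim, or 404 if nothing is pending
//     for that host/token pair.
//  2. Every other request is redirected with 301 to the same host and path
//     on https, appending sslPort when it is not the default 443.
//
// challengeCache is the cache the HTTP-01 provider writes into; sslPort is
// the port the TLS listener is bound to.
//
// Fixes compared to the previous version: the 404 and 500 branches now
// return, instead of falling through to a nil type assertion / nil *url.URL
// dereference and panicking the handler; the cached value is type-checked
// before being written to the client.
func SetupHTTPACMEChallengeServer(challengeCache cache.ICache, sslPort uint) http.HandlerFunc {
	// A non-default TLS port has to be carried over into the redirect target.
	portPart := ""
	if sslPort != 443 {
		portPart = fmt.Sprintf(":%d", sslPort)
	}

	return func(w http.ResponseWriter, req *http.Request) {
		ctx := context.New(w, req)
		// Host as sent by the client, with any port stripped.
		// NOTE(review): TrimHostPort and Path are project helpers; whether they
		// normalise the host/path beyond that is not visible here.
		domain := ctx.TrimHostPort()

		// ACME HTTP-01 validation request.
		if strings.HasPrefix(ctx.Path(), challengePath) {
			token := strings.TrimPrefix(ctx.Path(), challengePath)
			// Key format mirrors AcmeHTTPChallengeProvider.Present, so a
			// token is only answered for the host it was issued for.
			// Named keyAuth rather than "challenge" to avoid shadowing the
			// imported lego package of that name.
			keyAuth, ok := challengeCache.Get(domain + "/" + token)
			if !ok || keyAuth == nil {
				log.Info().Msgf("HTTP-ACME challenge for '%s' failed: token not found", domain)
				ctx.String("no challenge for this token", http.StatusNotFound)
				// Without this return the nil value would be type-asserted below and panic.
				return
			}
			body, isString := keyAuth.(string)
			if !isString {
				// The cache is shared; never echo something we did not store as a key authorization.
				log.Error().Msgf("HTTP-ACME challenge for '%s' failed: cached value has unexpected type %T", domain, keyAuth)
				ctx.String("", http.StatusInternalServerError)
				return
			}
			log.Info().Msgf("HTTP-ACME challenge for '%s' succeeded", domain)
			ctx.String(body)
			return
		}

		// Ordinary HTTP request: redirect to HTTPS on the same host and path.
		// The target host is the one the client itself put in the Host
		// header, so this stays on the requested origin rather than being an
		// open redirect to an arbitrary site.
		u, err := url.Parse(fmt.Sprintf("https://%s%s%s", domain, portPart, ctx.Path()))
		if err != nil {
			log.Error().Err(err).Msg("could not craft http to https redirect")
			ctx.String("", http.StatusInternalServerError)
			// Without this return u would be nil and u.String() would panic.
			return
		}

		newURL := u.String()
		log.Debug().Msgf("redirect http to https: %s", newURL)
		// NOTE(review): 301 allows clients to turn a POST into a GET; 308 would
		// preserve the method. Left unchanged here — confirm whether non-GET
		// requests on the plain listener matter for this server.
		ctx.Redirect(newURL, http.StatusMovedPermanently)
	}
}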