remove os.Getenv() usage
This commit is contained in:
parent
35e08d2252
commit
5b81a8b8bc
3 changed files with 70 additions and 31 deletions
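--- a/cmd/flags.go
+++ b/cmd/flags.go
@@ -45,6 +45,7 @@ var ServeFlags = []cli.Flag{
 Value: "https://docs.codeberg.org/pages/raw-content/",
 },
 
+// Server
 &cli.StringFlag{
 Name: "host",
 Usage: "specifies host of listening address",
@@ -57,8 +58,13 @@ var ServeFlags = []cli.Flag{
 EnvVars: []string{"PORT"},
 Value: "443",
 },
+&cli.BoolFlag{
+Name: "enable-http-server",
+// TODO: desc
+EnvVars: []string{"ENABLE_HTTP_SERVER"},
+},
 
-// ACME_API
+// ACME
 &cli.StringFlag{
 Name: "acme-api",
 EnvVars: []string{"ACME_API"},
@@ -69,4 +75,30 @@ var ServeFlags = []cli.Flag{
 EnvVars: []string{"ACME_EMAIL"},
 Value: "noreply@example.email",
 },
+&cli.BoolFlag{
+Name: "acme-use-rate-limits",
+// TODO: Usage
+EnvVars: []string{"ACME_USE_RATE_LIMITS"},
+Value: true,
+},
+&cli.BoolFlag{
+Name: "acme-accept-terms",
+// TODO: Usage
+EnvVars: []string{"ACME_ACCEPT_TERMS"},
+},
+&cli.StringFlag{
+Name: "acme-eab-kid",
+// TODO: Usage
+EnvVars: []string{"ACME_EAB_KID"},
+},
+&cli.StringFlag{
+Name: "acme-eab-hmac",
+// TODO: Usage
+EnvVars: []string{"ACME_EAB_HMAC"},
+},
+&cli.StringFlag{
+Name: "dns-provider",
+// TODO: Usage
+EnvVars: []string{"DNS_PROVIDER"},
+},
 }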
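Review bot: The six new flags ship with `// TODO: desc` / `// TODO: Usage` placeholders instead of a `Usage:` field, so `--help` says nothing about options that decide whether ACME registration happens at all (`acme-accept-terms`), which challenge type is used (`dns-provider`, `enable-http-server`) and which credentials are sent (`acme-eab-kid`, `acme-eab-hmac`). Each should get a one-line Usage now rather than later, e.g. `Usage: "accept the terms of service of the ACME provider (required unless acme-api points to the mock directory)",` for `acme-accept-terms` and `Usage: "skip the ACME rate-limit throttling when false",` for `acme-use-rate-limits`, whose `Value: true` keeps the old "enabled unless explicitly disabled" default. For `acme-eab-hmac` the Usage text should also steer operators to the `ACME_EAB_HMAC` environment variable already listed in `EnvVars`, since a key passed as a command-line argument is visible to other local users in the process list, whereas the environment is not.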
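--- a/cmd/main.go
+++ b/cmd/main.go
@@ -3,10 +3,10 @@ package cmd
 import (
 "bytes"
 "crypto/tls"
+"errors"
 "fmt"
 "net"
 "net/http"
-"os"
 "strings"
 "time"
 
@@ -37,8 +37,19 @@ func Serve(ctx *cli.Context) error {
 mainDomainSuffix := []byte(ctx.String("main-domain-suffix"))
 rawInfoPage := ctx.String("raw-info-page")
 listeningAddress := fmt.Sprintf("%s:%s", ctx.String("host"), ctx.String("port"))
+enableHTTPServer := ctx.Bool("enable-http-server")
+
 acmeAPI := ctx.String("acme-api")
 acmeMail := ctx.String("acme-email")
+acmeUseRateLimits := ctx.Bool("acme-use-rate-limits")
+acmeAcceptTerms := ctx.Bool("acme-accept-terms")
+acmeEabKID := ctx.String("acme-eab-kid")
+acmeEabHmac := ctx.String("acme-eab-hmac")
+dnsProvider := ctx.String("dns-provider")
+if acmeAcceptTerms || (dnsProvider == "" && acmeAPI != "https://acme.mock.directory") {
+return errors.New("you must set $ACME_ACCEPT_TERMS and $DNS_PROVIDER, unless $ACME_API is set to https://acme.mock.directory")
+}
+
 allowedCorsDomains := AllowedCorsDomains
 if len(rawDomain) != 0 {
 allowedCorsDomains = append(allowedCorsDomains, []byte(rawDomain))
@@ -72,10 +83,10 @@ func Serve(ctx *cli.Context) error {
 if err != nil {
 return fmt.Errorf("couldn't create listener: %s", err)
 }
-listener = tls.NewListener(listener, server.TlsConfig(mainDomainSuffix, giteaRoot, giteaAPIToken))
+listener = tls.NewListener(listener, server.TlsConfig(mainDomainSuffix, giteaRoot, giteaAPIToken, dnsProvider, acmeUseRateLimits))
 
-server.SetupCertificates(mainDomainSuffix, acmeAPI, acmeMail)
+server.SetupCertificates(mainDomainSuffix, acmeAPI, acmeMail, acmeEabHmac, acmeEabKID, dnsProvider, acmeUseRateLimits, acmeAcceptTerms, enableHTTPServer)
-if os.Getenv("ENABLE_HTTP_SERVER") == "true" {
+if enableHTTPServer {
 go (func() {
 challengePath := []byte("/.well-known/acme-challenge/")
 err := fasthttp.ListenAndServe("[::]:80", func(ctx *fasthttp.RequestCtx) {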
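Review bot: The new configuration guard in Serve is inverted: `if acmeAcceptTerms || (...)` returns the error precisely when the operator has accepted the terms, and lets startup continue when `acme-accept-terms` is unset, whereas the check it replaces (the panic removed from SetupCertificates in the same commit) tested `ACME_ACCEPT_TERMS != "true"`. It should read `if !acmeAcceptTerms || (dnsProvider == "" && acmeAPI != "https://acme.mock.directory") {`. Because the old panic is gone, nothing downstream enforces the invariant any more: a deployment that forgot to accept the terms would pass this guard, reach ACME registration with `TermsOfServiceAgreed: false`, and, per the existing error path in SetupCertificates, log and continue serving mock certificates instead of failing fast at startup. Serve's body continues outside the hunk.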
|
@ -38,7 +38,7 @@ import (
|
||||||
)
|
)
|
||||||
|
|
||||||
// TlsConfig returns the configuration for generating, serving and cleaning up Let's Encrypt certificates.
|
// TlsConfig returns the configuration for generating, serving and cleaning up Let's Encrypt certificates.
|
||||||
func TlsConfig(mainDomainSuffix []byte, giteaRoot, giteaApiToken string) *tls.Config {
|
func TlsConfig(mainDomainSuffix []byte, giteaRoot, giteaApiToken, dnsProvider string, acmeUseRateLimits bool) *tls.Config {
|
||||||
return &tls.Config{
|
return &tls.Config{
|
||||||
// check DNS name & get certificate from Let's Encrypt
|
// check DNS name & get certificate from Let's Encrypt
|
||||||
GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
||||||
|
@ -94,13 +94,13 @@ func TlsConfig(mainDomainSuffix []byte, giteaRoot, giteaApiToken string) *tls.Co
|
||||||
var tlsCertificate tls.Certificate
|
var tlsCertificate tls.Certificate
|
||||||
var err error
|
var err error
|
||||||
var ok bool
|
var ok bool
|
||||||
if tlsCertificate, ok = retrieveCertFromDB(sniBytes, mainDomainSuffix); !ok {
|
if tlsCertificate, ok = retrieveCertFromDB(sniBytes, mainDomainSuffix, dnsProvider, acmeUseRateLimits); !ok {
|
||||||
// request a new certificate
|
// request a new certificate
|
||||||
if bytes.Equal(sniBytes, mainDomainSuffix) {
|
if bytes.Equal(sniBytes, mainDomainSuffix) {
|
||||||
return nil, errors.New("won't request certificate for main domain, something really bad has happened")
|
return nil, errors.New("won't request certificate for main domain, something really bad has happened")
|
||||||
}
|
}
|
||||||
|
|
||||||
tlsCertificate, err = obtainCert(acmeClient, []string{sni}, nil, targetOwner, mainDomainSuffix)
|
tlsCertificate, err = obtainCert(acmeClient, []string{sni}, nil, targetOwner, dnsProvider, mainDomainSuffix, acmeUseRateLimits)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
@ -209,7 +209,7 @@ func (a AcmeHTTPChallengeProvider) CleanUp(domain, token, _ string) error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func retrieveCertFromDB(sni, mainDomainSuffix []byte) (tls.Certificate, bool) {
|
func retrieveCertFromDB(sni, mainDomainSuffix []byte, dnsProvider string, acmeUseRateLimits bool) (tls.Certificate, bool) {
|
||||||
// parse certificate from database
|
// parse certificate from database
|
||||||
res := &certificate.Resource{}
|
res := &certificate.Resource{}
|
||||||
if !PogrebGet(KeyDatabase, sni, res) {
|
if !PogrebGet(KeyDatabase, sni, res) {
|
||||||
|
@ -240,7 +240,7 @@ func retrieveCertFromDB(sni, mainDomainSuffix []byte) (tls.Certificate, bool) {
|
||||||
}
|
}
|
||||||
go (func() {
|
go (func() {
|
||||||
res.CSR = nil // acme client doesn't like CSR to be set
|
res.CSR = nil // acme client doesn't like CSR to be set
|
||||||
tlsCertificate, err = obtainCert(acmeClient, []string{string(sni)}, res, "", mainDomainSuffix)
|
tlsCertificate, err = obtainCert(acmeClient, []string{string(sni)}, res, "", dnsProvider, mainDomainSuffix, acmeUseRateLimits)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Printf("Couldn't renew certificate for %s: %s", sni, err)
|
log.Printf("Couldn't renew certificate for %s: %s", sni, err)
|
||||||
}
|
}
|
||||||
|
@ -253,9 +253,9 @@ func retrieveCertFromDB(sni, mainDomainSuffix []byte) (tls.Certificate, bool) {
|
||||||
|
|
||||||
var obtainLocks = sync.Map{}
|
var obtainLocks = sync.Map{}
|
||||||
|
|
||||||
func obtainCert(acmeClient *lego.Client, domains []string, renew *certificate.Resource, user string, mainDomainSuffix []byte) (tls.Certificate, error) {
|
func obtainCert(acmeClient *lego.Client, domains []string, renew *certificate.Resource, user, dnsProvider string, mainDomainSuffix []byte, acmeUseRateLimits bool) (tls.Certificate, error) {
|
||||||
name := strings.TrimPrefix(domains[0], "*")
|
name := strings.TrimPrefix(domains[0], "*")
|
||||||
if os.Getenv("DNS_PROVIDER") == "" && len(domains[0]) > 0 && domains[0][0] == '*' {
|
if dnsProvider == "" && len(domains[0]) > 0 && domains[0][0] == '*' {
|
||||||
domains = domains[1:]
|
domains = domains[1:]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -266,7 +266,7 @@ func obtainCert(acmeClient *lego.Client, domains []string, renew *certificate.Re
|
||||||
time.Sleep(100 * time.Millisecond)
|
time.Sleep(100 * time.Millisecond)
|
||||||
_, working = obtainLocks.Load(name)
|
_, working = obtainLocks.Load(name)
|
||||||
}
|
}
|
||||||
cert, ok := retrieveCertFromDB([]byte(name), mainDomainSuffix)
|
cert, ok := retrieveCertFromDB([]byte(name), mainDomainSuffix, dnsProvider, acmeUseRateLimits)
|
||||||
if !ok {
|
if !ok {
|
||||||
return tls.Certificate{}, errors.New("certificate failed in synchronous request")
|
return tls.Certificate{}, errors.New("certificate failed in synchronous request")
|
||||||
}
|
}
|
||||||
|
@ -282,7 +282,7 @@ func obtainCert(acmeClient *lego.Client, domains []string, renew *certificate.Re
|
||||||
var res *certificate.Resource
|
var res *certificate.Resource
|
||||||
var err error
|
var err error
|
||||||
if renew != nil && renew.CertURL != "" {
|
if renew != nil && renew.CertURL != "" {
|
||||||
if os.Getenv("ACME_USE_RATE_LIMITS") != "false" {
|
if acmeUseRateLimits {
|
||||||
acmeClientRequestLimit.Take()
|
acmeClientRequestLimit.Take()
|
||||||
}
|
}
|
||||||
log.Printf("Renewing certificate for %v", domains)
|
log.Printf("Renewing certificate for %v", domains)
|
||||||
|
@ -299,7 +299,7 @@ func obtainCert(acmeClient *lego.Client, domains []string, renew *certificate.Re
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if os.Getenv("ACME_USE_RATE_LIMITS") != "false" {
|
if acmeUseRateLimits {
|
||||||
acmeClientOrderLimit.Take()
|
acmeClientOrderLimit.Take()
|
||||||
acmeClientRequestLimit.Take()
|
acmeClientRequestLimit.Take()
|
||||||
}
|
}
|
||||||
|
@ -399,13 +399,9 @@ func mockCert(domain, msg, mainDomainSuffix string) tls.Certificate {
|
||||||
return tlsCertificate
|
return tlsCertificate
|
||||||
}
|
}
|
||||||
|
|
||||||
func SetupCertificates(mainDomainSuffix []byte, acmeAPI, acmeMail string) {
|
func SetupCertificates(mainDomainSuffix []byte, acmeAPI, acmeMail, acmeEabHmac, acmeEabKID, dnsProvider string, acmeUseRateLimits, acmeAcceptTerms, enableHTTPServer bool) {
|
||||||
if KeyDatabaseErr != nil {
|
if KeyDatabaseErr != nil {
|
||||||
panic(KeyDatabaseErr)
|
panic(KeyDatabaseErr) // TODO: move it into own init and not panic on a unrelated topic!!!!
|
||||||
}
|
|
||||||
|
|
||||||
if os.Getenv("ACME_ACCEPT_TERMS") != "true" || (os.Getenv("DNS_PROVIDER") == "" && os.Getenv("ACME_API") != "https://acme.mock.directory") {
|
|
||||||
panic(errors.New("you must set ACME_ACCEPT_TERMS and DNS_PROVIDER, unless ACME_API is set to https://acme.mock.directory"))
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// getting main cert before ACME account so that we can panic here on database failure without hitting rate limits
|
// getting main cert before ACME account so that we can panic here on database failure without hitting rate limits
|
||||||
|
@ -449,8 +445,8 @@ func SetupCertificates(mainDomainSuffix []byte, acmeAPI, acmeMail string) {
|
||||||
log.Printf("[ERROR] Can't create ACME client, continuing with mock certs only: %s", err)
|
log.Printf("[ERROR] Can't create ACME client, continuing with mock certs only: %s", err)
|
||||||
} else {
|
} else {
|
||||||
// accept terms & log in to EAB
|
// accept terms & log in to EAB
|
||||||
if os.Getenv("ACME_EAB_KID") == "" || os.Getenv("ACME_EAB_HMAC") == "" {
|
if acmeEabKID == "" || acmeEabHmac == "" {
|
||||||
reg, err := tempClient.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: os.Getenv("ACME_ACCEPT_TERMS") == "true"})
|
reg, err := tempClient.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: acmeAcceptTerms})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Printf("[ERROR] Can't register ACME account, continuing with mock certs only: %s", err)
|
log.Printf("[ERROR] Can't register ACME account, continuing with mock certs only: %s", err)
|
||||||
} else {
|
} else {
|
||||||
|
@ -458,9 +454,9 @@ func SetupCertificates(mainDomainSuffix []byte, acmeAPI, acmeMail string) {
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
reg, err := tempClient.Registration.RegisterWithExternalAccountBinding(registration.RegisterEABOptions{
|
reg, err := tempClient.Registration.RegisterWithExternalAccountBinding(registration.RegisterEABOptions{
|
||||||
TermsOfServiceAgreed: os.Getenv("ACME_ACCEPT_TERMS") == "true",
|
TermsOfServiceAgreed: acmeAcceptTerms,
|
||||||
Kid: os.Getenv("ACME_EAB_KID"),
|
Kid: acmeEabKID,
|
||||||
HmacEncoded: os.Getenv("ACME_EAB_HMAC"),
|
HmacEncoded: acmeEabHmac,
|
||||||
})
|
})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Printf("[ERROR] Can't register ACME account, continuing with mock certs only: %s", err)
|
log.Printf("[ERROR] Can't register ACME account, continuing with mock certs only: %s", err)
|
||||||
|
@ -494,7 +490,7 @@ func SetupCertificates(mainDomainSuffix []byte, acmeAPI, acmeMail string) {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Printf("[ERROR] Can't create TLS-ALPN-01 provider: %s", err)
|
log.Printf("[ERROR] Can't create TLS-ALPN-01 provider: %s", err)
|
||||||
}
|
}
|
||||||
if os.Getenv("ENABLE_HTTP_SERVER") == "true" {
|
if enableHTTPServer {
|
||||||
err = acmeClient.Challenge.SetHTTP01Provider(AcmeHTTPChallengeProvider{})
|
err = acmeClient.Challenge.SetHTTP01Provider(AcmeHTTPChallengeProvider{})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Printf("[ERROR] Can't create HTTP-01 provider: %s", err)
|
log.Printf("[ERROR] Can't create HTTP-01 provider: %s", err)
|
||||||
|
@ -506,14 +502,14 @@ func SetupCertificates(mainDomainSuffix []byte, acmeAPI, acmeMail string) {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Printf("[ERROR] Can't create ACME client, continuing with mock certs only: %s", err)
|
log.Printf("[ERROR] Can't create ACME client, continuing with mock certs only: %s", err)
|
||||||
} else {
|
} else {
|
||||||
if os.Getenv("DNS_PROVIDER") == "" {
|
if dnsProvider == "" {
|
||||||
// using mock server, don't use wildcard certs
|
// using mock server, don't use wildcard certs
|
||||||
err := mainDomainAcmeClient.Challenge.SetTLSALPN01Provider(AcmeTLSChallengeProvider{})
|
err := mainDomainAcmeClient.Challenge.SetTLSALPN01Provider(AcmeTLSChallengeProvider{})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Printf("[ERROR] Can't create TLS-ALPN-01 provider: %s", err)
|
log.Printf("[ERROR] Can't create TLS-ALPN-01 provider: %s", err)
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
provider, err := dns.NewDNSChallengeProviderByName(os.Getenv("DNS_PROVIDER"))
|
provider, err := dns.NewDNSChallengeProviderByName(dnsProvider)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Printf("[ERROR] Can't create DNS Challenge provider: %s", err)
|
log.Printf("[ERROR] Can't create DNS Challenge provider: %s", err)
|
||||||
}
|
}
|
||||||
|
@ -525,7 +521,7 @@ func SetupCertificates(mainDomainSuffix []byte, acmeAPI, acmeMail string) {
|
||||||
}
|
}
|
||||||
|
|
||||||
if mainCertBytes == nil {
|
if mainCertBytes == nil {
|
||||||
_, err = obtainCert(mainDomainAcmeClient, []string{"*" + string(mainDomainSuffix), string(mainDomainSuffix[1:])}, nil, "", mainDomainSuffix)
|
_, err = obtainCert(mainDomainAcmeClient, []string{"*" + string(mainDomainSuffix), string(mainDomainSuffix[1:])}, nil, "", dnsProvider, mainDomainSuffix, acmeUseRateLimits)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Printf("[ERROR] Couldn't renew main domain certificate, continuing with mock certs only: %s", err)
|
log.Printf("[ERROR] Couldn't renew main domain certificate, continuing with mock certs only: %s", err)
|
||||||
}
|
}
|
||||||
|
@ -590,7 +586,7 @@ func SetupCertificates(mainDomainSuffix []byte, acmeAPI, acmeMail string) {
|
||||||
// renew main certificate 30 days before it expires
|
// renew main certificate 30 days before it expires
|
||||||
if !tlsCertificates[0].NotAfter.After(time.Now().Add(-30 * 24 * time.Hour)) {
|
if !tlsCertificates[0].NotAfter.After(time.Now().Add(-30 * 24 * time.Hour)) {
|
||||||
go (func() {
|
go (func() {
|
||||||
_, err = obtainCert(mainDomainAcmeClient, []string{"*" + string(mainDomainSuffix), string(mainDomainSuffix[1:])}, res, "", mainDomainSuffix)
|
_, err = obtainCert(mainDomainAcmeClient, []string{"*" + string(mainDomainSuffix), string(mainDomainSuffix[1:])}, res, "", dnsProvider, mainDomainSuffix, acmeUseRateLimits)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Printf("[ERROR] Couldn't renew certificate for main domain: %s", err)
|
log.Printf("[ERROR] Couldn't renew certificate for main domain: %s", err)
|
||||||
}
|
}
|
||||||
|
|
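Review bot: SetupCertificates now takes nine positional parameters, six strings followed by three bools, so a call site that swaps two arguments of the same type still compiles, and the signature's `acmeEabHmac, acmeEabKID` order is the reverse of the KID-then-HMAC order the flags, the Serve locals and the `RegisterEABOptions` literal all use; obtainCert and retrieveCertFromDB grow the same way across the other hunks. Grouping these into a single options struct (e.g. an `AcmeConfig` with named fields passed to SetupCertificates, TlsConfig and obtainCert) would make each call self-describing; the call in cmd/main.go happens to match the current order, so this is a robustness point rather than a present defect. If no other `os` reference remains in this file after these hunks, the `os` import also has to go or the package will not build; the import block ends before the first hunk (`-38,7`), so that cannot be confirmed from this page. The `// TODO: move it into own init and not panic on a unrelated topic!!!!` comment on the KeyDatabaseErr panic should state the intended change plainly, e.g. `// TODO: surface KeyDatabaseErr from a dedicated init path instead of panicking in certificate setup`.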