limit generating non-wildcard cert to user and org that exists

This commit is contained in:
Jean-Marie 'Histausse' Mineau 2024-02-17 02:27:14 +01:00
parent 83b1c4f9e4
commit 62bff5d1b7
No known key found for this signature in database
GPG key ID: B66AEEDA9B645AD2
4 changed files with 49 additions and 2 deletions


@ -34,6 +34,7 @@ func TLSConfig(mainDomainSuffix string,
keyCache, challengeCache, dnsLookupCache, canonicalDomainCache cache.ICache,
certDB database.CertDB,
noDNS01 bool,
rawDomain string,
) *tls.Config {
return &tls.Config{
// check DNS name & get certificate from Let's Encrypt
@ -68,8 +69,17 @@ func TLSConfig(mainDomainSuffix string,
if strings.HasSuffix(domain, mainDomainSuffix) || strings.EqualFold(domain, mainDomainSuffix[1:]) {
if noDNS01 {
//TODO check if the domain is served to avoid DOSing ourseflve
mayObtainCert = true
// Limit the domains allowed to request a certificate to pages-server domains
// and domains for an existing user of org
if !strings.EqualFold(domain, mainDomainSuffix[1:]) && !strings.EqualFold(domain, rawDomain) {
targetOwner := strings.TrimSuffix(domain, mainDomainSuffix)
owner_exist, err := giteaClient.GiteaCheckIfOwnerExists(targetOwner)
mayObtainCert = owner_exist
if err != nil {
log.Error().Err(err).Msgf("Failed to check '%s' existance on the forge: %s", targetOwner, err)
mayObtainCert = false
}
}
} else {
// deliver default certificate for the main domain (*.codeberg.page)
domain = mainDomainSuffix
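Review bot: At the `giteaClient.GiteaCheckIfOwnerExists(targetOwner)` call, every TLS handshake for a name under `mainDomainSuffix` whose owner is not already known now turns an unauthenticated SNI value into an upstream request to the forge, unless that helper caches internally (not visible here); memoising both positive and negative results, for example in a cache passed in alongside `dnsLookupCache`/`canonicalDomainCache`, would keep repeated handshakes for a non-existent owner from fanning out to the forge, which is the concern the removed TODO was tracking. Failing closed on `err != nil` is the right choice, but the log line attaches the error with `.Err(err)` and then prints it again via `%s`, and "existance" is misspelled; `log.Error().Err(err).Msgf("checking whether owner %q exists on the forge", targetOwner)` carries the same information. `owner_exist` should follow Go naming, `ownerExists`. The enclosing `TLSConfig` function begins before this hunk and continues past it.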