pages/pages-server
1
0
Fork 0
mirror of https://codeberg.org/Codeberg/pages-server.git synced 2024-11-18 10:29:43 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix timeout for HTTP-01, bug in HTTP challenge response & only count domains towards user limit after acquiring locks

Browse source
This commit is contained in:
Moritz Marquardt 2021-11-20 21:39:40 +01:00
parent f22cd6c4e0
commit eae4513b96
No known key found for this signature in database
GPG key ID: D5788327BEE388B6
2 changed files with 13 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
certificates.go
View file

@ -95,12 +95,7 @@ var tlsConfig = &tls.Config{
return nil, errors.New("won't request certificate for main domain, something really bad has happened") return nil, errors.New("won't request certificate for main domain, something really bad has happened")
} }
err = CheckUserLimit(targetOwner) tlsCertificate, err = obtainCert(acmeClient, []string{sni}, nil, targetOwner)
if err != nil {
return nil, err
}
tlsCertificate, err = obtainCert(acmeClient, []string{sni}, nil)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -241,7 +236,7 @@ func retrieveCertFromDB(sni []byte) (tls.Certificate, bool) {
// renew certificates 7 days before they expire // renew certificates 7 days before they expire
if !tlsCertificate.Leaf.NotAfter.After(time.Now().Add(-7 * 24 * time.Hour)) { if !tlsCertificate.Leaf.NotAfter.After(time.Now().Add(-7 * 24 * time.Hour)) {
go (func() { go (func() {
tlsCertificate, err = obtainCert(acmeClient, []string{string(sni)}, res) tlsCertificate, err = obtainCert(acmeClient, []string{string(sni)}, res, "")
if err != nil { if err != nil {
log.Printf("Couldn't renew certificate for %s: %s", sni, err) log.Printf("Couldn't renew certificate for %s: %s", sni, err)
} }
@ -253,7 +248,7 @@ func retrieveCertFromDB(sni []byte) (tls.Certificate, bool) {
} }
var obtainLocks = sync.Map{} var obtainLocks = sync.Map{}
func obtainCert(acmeClient *lego.Client, domains []string, renew *certificate.Resource) (tls.Certificate, error) { func obtainCert(acmeClient *lego.Client, domains []string, renew *certificate.Resource, user string) (tls.Certificate, error) {
name := strings.TrimPrefix(domains[0], "*") name := strings.TrimPrefix(domains[0], "*")
if os.Getenv("DNS_PROVIDER") == "" && len(domains[0]) > 0 && domains[0][0] == '*' { if os.Getenv("DNS_PROVIDER") == "" && len(domains[0]) > 0 && domains[0][0] == '*' {
domains = domains[1:] domains = domains[1:]
@ -284,6 +279,12 @@ func obtainCert(acmeClient *lego.Client, domains []string, renew *certificate.Re
log.Printf("Renewing certificate for %v", domains) log.Printf("Renewing certificate for %v", domains)
res, err = acmeClient.Certificate.Renew(*renew, true, false, "") res, err = acmeClient.Certificate.Renew(*renew, true, false, "")
} else { } else {
if user != "" {
if err := CheckUserLimit(user); err != nil {
return tls.Certificate{}, err
}
}
if os.Getenv("ACME_USE_RATE_LIMITS") != "false" { if os.Getenv("ACME_USE_RATE_LIMITS") != "false" {
acmeClientOrderLimit.Take() acmeClientOrderLimit.Take()
acmeClientRequestLimit.Take() acmeClientRequestLimit.Take()
@ -422,7 +423,7 @@ func setupCertificates() {
// key database is not working // key database is not working
panic(err) panic(err)
} else if resBytes == nil { } else if resBytes == nil {
_, err = obtainCert(mainDomainAcmeClient, []string{"*" + string(MainDomainSuffix), string(MainDomainSuffix[1:])}, nil) _, err = obtainCert(mainDomainAcmeClient, []string{"*" + string(MainDomainSuffix), string(MainDomainSuffix[1:])}, nil, "")
if err != nil { if err != nil {
log.Fatalf("Couldn't renew certificate for *%s: %s", MainDomainSuffix, err) log.Fatalf("Couldn't renew certificate for *%s: %s", MainDomainSuffix, err)
} }
@ -495,7 +496,7 @@ func setupCertificates() {
// renew main certificate 30 days before it expires // renew main certificate 30 days before it expires
if !tlsCertificates[0].NotAfter.After(time.Now().Add(-30 * 24 * time.Hour)) { if !tlsCertificates[0].NotAfter.After(time.Now().Add(-30 * 24 * time.Hour)) {
go (func() { go (func() {
_, err = obtainCert(mainDomainAcmeClient, []string{"*" + string(MainDomainSuffix), string(MainDomainSuffix[1:])}, res) _, err = obtainCert(mainDomainAcmeClient, []string{"*" + string(MainDomainSuffix), string(MainDomainSuffix[1:])}, res, "")
if err != nil { if err != nil {
log.Printf("Couldn't renew certificate for *%s: %s", MainDomainSuffix, err) log.Printf("Couldn't renew certificate for *%s: %s", MainDomainSuffix, err)
} }

4
main.go
View file

@ -91,7 +91,7 @@ func main() {
MaxRequestBodySize: 0, MaxRequestBodySize: 0,
NoDefaultServerHeader: true, NoDefaultServerHeader: true,
NoDefaultDate: true, NoDefaultDate: true,
ReadTimeout: 10 * time.Second, ReadTimeout: 30 * time.Second, // needs to be this high for ACME certificates with ZeroSSL & HTTP-01 challenge
Concurrency: 1024 * 32, // TODO: adjust bottlenecks for best performance with Gitea! Concurrency: 1024 * 32, // TODO: adjust bottlenecks for best performance with Gitea!
MaxConnsPerIP: 100, MaxConnsPerIP: 100,
} }
@ -110,7 +110,7 @@ func main() {
err := fasthttp.ListenAndServe("[::]:80", func(ctx *fasthttp.RequestCtx) { err := fasthttp.ListenAndServe("[::]:80", func(ctx *fasthttp.RequestCtx) {
if bytes.HasPrefix(ctx.Path(), challengePath) { if bytes.HasPrefix(ctx.Path(), challengePath) {
challenge, ok := challengeCache.Get(string(TrimHostPort(ctx.Host())) + "/" + string(bytes.TrimPrefix(ctx.Path(), challengePath))) challenge, ok := challengeCache.Get(string(TrimHostPort(ctx.Host())) + "/" + string(bytes.TrimPrefix(ctx.Path(), challengePath)))
if !ok { if !ok || challenge == nil {
ctx.SetStatusCode(http.StatusNotFound) ctx.SetStatusCode(http.StatusNotFound)
ctx.SetBodyString("no challenge for this token") ctx.SetBodyString("no challenge for this token")
} }