// EnableTLS configures each config to use TLS according to default settings. // It will only change configs that are marked as managed, and assumes that // certificates and keys are already on disk. func EnableTLS(configs []server.Config) { for i := 0; i < len(configs); i++ { if !configs[i].TLS.Managed { continue } configs[i].TLS.Enabled = true configs[i].TLS.Certificate = storage.SiteCertFile(configs[i].Host) configs[i].TLS.Key = storage.SiteKeyFile(configs[i].Host) setup.SetDefaultTLSParams(&configs[i]) } }
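// autoConfigure enables TLS on allConfigs[cfgIndex] and appends, if necessary,
// a new config to allConfigs that redirects plaintext HTTP to its new HTTPS
// counterpart. It expects the certificate and key to already be in storage. It
// returns the new list of allConfigs, since it may append a new config. This
// function assumes that allConfigs[cfgIndex] is already set up for HTTPS.
//
// Besides the returned slice it has two side effects: the OCSP status of the
// certificate bundle is recorded in ocspStatus, and one Handler per matching
// address is registered in acmeHandlers and chained into that config's "/"
// middleware.
func autoConfigure(allConfigs []server.Config, cfgIndex int) []server.Config {
	cfg := &allConfigs[cfgIndex]
	// Host is read again after the append below, which may move allConfigs to
	// a new backing array and leave cfg pointing at the old one; copy it now
	// and do not write through cfg past that point.
	host := cfg.Host

	// NOTE(review): the on-disk paths are derived from Host; presumably Host
	// is validated when the config is parsed — confirm it cannot carry path
	// separators before relying on that here.
	certFile := storage.SiteCertFile(host)
	keyFile := storage.SiteKeyFile(host)

	bundleBytes, err := ioutil.ReadFile(certFile)
	// TODO: Handle these errors better. A read failure only costs the OCSP
	// staple here; the missing file surfaces when the listener loads it.
	if err == nil {
		ocsp, status, ocspErr := acme.GetOCSPForCert(bundleBytes)
		// Keyed by the address of this call's bundle variable, so the entry
		// also keeps the bundle alive; presumably read by the maintenance
		// routine that re-checks status — verify against that caller.
		ocspStatus[&bundleBytes] = status
		// Only a good response is stapled. Any other status (or a responder
		// error) leaves OCSPStaple empty but still enables TLS with this cert;
		// acting on a non-good status is left to whoever reads ocspStatus.
		if ocspErr == nil && status == acme.OCSPGood {
			cfg.TLS.OCSPStaple = ocsp
		}
	}

	cfg.TLS.Certificate = certFile
	cfg.TLS.Key = keyFile
	cfg.TLS.Enabled = true

	// Ensure all defaults are set for the TLS config
	setup.SetDefaultTLSParams(cfg)

	if cfg.Port == "" {
		cfg.Port = "https"
	}

	// Set up http->https redirect as long as there isn't already a http counterpart
	// in the configs and this isn't, for some reason, already on port 80.
	// Also, the port 80 variant of this config is necessary for proxying challenge requests.
	if !otherHostHasScheme(allConfigs, cfgIndex, "http") && cfg.Port != "80" && cfg.Port != "http" {
		// (would not be http port with current program flow, but just in case)
		allConfigs = append(allConfigs, redirPlaintextHost(*cfg))
	}

	// To support renewals, we need handlers at ports 80 and 443,
	// depending on the challenge type that is used to complete renewal.
	// The four addresses are fixed for this host, so build them once rather
	// than re-concatenating them and calling Address() four times per config.
	plainPort, plainScheme := host+":80", host+":http"
	tlsPort, tlsScheme := host+":443", host+":https"
	for i := range allConfigs {
		addr := allConfigs[i].Address()
		switch addr {
		case plainPort, plainScheme, tlsPort, tlsScheme:
		default:
			continue
		}
		// Each virtualhost must have their own handlers, or the chaining gets messed up when middlewares are compiled!
		handler := new(Handler)
		mid := func(next middleware.Handler) middleware.Handler {
			handler.Next = next
			return handler
		}
		// TODO: Currently, acmeHandlers are not referenced, but we need to add a way to toggle
		// their proxy functionality -- or maybe not. Gotta figure this out for sure.
		acmeHandlers[addr] = handler
		// Assumes Middleware is a non-nil map (writing to a nil map panics) —
		// confirm the config parser initializes it.
		allConfigs[i].Middleware["/"] = append(allConfigs[i].Middleware["/"], mid)
	}

	return allConfigs
}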
// autoConfigure turns on TLS for allConfigs[cfgIndex], chains the ACME
// Handler onto it when it occupies the HTTPS port, and, if no plaintext
// counterpart exists yet, appends a config that redirects HTTP to HTTPS.
// The certificate and key are expected to already be in storage, and
// allConfigs[cfgIndex] is expected to already be set up for HTTPS. The
// possibly extended slice is returned.
func autoConfigure(allConfigs []server.Config, cfgIndex int) []server.Config {
	cfg := &allConfigs[cfgIndex]
	certPath := storage.SiteCertFile(cfg.Host)

	// TODO: Handle these errors better
	if bundle, readErr := ioutil.ReadFile(certPath); readErr == nil {
		staple, status, ocspErr := acme.GetOCSPForCert(bundle)
		// Recorded per bundle (keyed by the variable's address) for whoever
		// tracks OCSP status later; only a good answer is stapled.
		ocspStatus[&bundle] = status
		if ocspErr == nil && status == acme.OCSPGood {
			cfg.TLS.OCSPStaple = staple
		}
	}

	cfg.TLS.Certificate = certPath
	cfg.TLS.Key = storage.SiteKeyFile(cfg.Host)
	cfg.TLS.Enabled = true
	// Fill in any TLS parameters the config leaves unset.
	setup.SetDefaultTLSParams(cfg)

	if cfg.Port == "" {
		cfg.Port = "https"
	}

	// Chain in ACME middleware proxy if we use up the SSL port
	switch cfg.Port {
	case "https", "443":
		h := new(Handler)
		wrap := func(next middleware.Handler) middleware.Handler {
			h.Next = next
			return h
		}
		// Assumes Middleware is a non-nil map — confirm the parser initializes it.
		cfg.Middleware["/"] = append(cfg.Middleware["/"], wrap)
		acmeHandlers[cfg.Host] = h
	}

	// Set up http->https redirect as long as there isn't already a http counterpart
	// in the configs and this isn't, for some reason, already on port 80
	hasPlainCounterpart := otherHostHasScheme(allConfigs, cfgIndex, "http")
	onPlainPort := cfg.Port == "80" || cfg.Port == "http"
	if !hasPlainCounterpart && !onPlainPort {
		// (would not be http port with current program flow, but just in case)
		allConfigs = append(allConfigs, redirPlaintextHost(*cfg))
	}
	return allConfigs
}