// EnableTLS switches on TLS for every config whose TLS.Managed flag is set:
// it points the config at the site certificate and key paths that storage
// reports for its Host and then applies the package's default TLS parameters.
// Configs that are not managed are left exactly as they were. The certificate
// and key files are assumed to already exist on disk; nothing here checks
// that they do.
func EnableTLS(configs []server.Config) {
	for idx := range configs {
		cfg := &configs[idx]
		if !cfg.TLS.Managed {
			// Not managed by this package: hands off.
			continue
		}
		cfg.TLS.Enabled = true
		cfg.TLS.Certificate = storage.SiteCertFile(cfg.Host)
		cfg.TLS.Key = storage.SiteKeyFile(cfg.Host)
		// Fill in whatever setup considers the baseline TLS settings so a
		// managed site never runs with zero-value TLS parameters.
		setup.SetDefaultTLSParams(cfg)
	}
}
// autoConfigure enables TLS on allConfigs[cfgIndex] and appends, if necessary,
// a new config to allConfigs that redirects plaintext HTTP to its new HTTPS
// counterpart. It expects the certificate and key to already be in storage. It
// returns the new list of allConfigs, since it may append a new config. This
// function assumes that allConfigs[cfgIndex] is already set up for HTTPS.
//
// Side effects beyond the returned slice: an entry is recorded in the
// package-level ocspStatus map (keyed by the address of this call's bundle
// bytes) whenever the certificate file could be read, and an ACME Handler is
// registered in acmeHandlers for every config of this host that listens on
// 80/443 (by number or by name) and chained into that config's "/" middleware.
func autoConfigure(allConfigs []server.Config, cfgIndex int) []server.Config {
	cfg := &allConfigs[cfgIndex]

	// Best-effort OCSP stapling: a read failure or an OCSP failure is ignored
	// without logging. NOTE(review): a status other than OCSPGood — including
	// a revoked certificate — only withholds the staple; the site is still
	// served with this certificate. The status is stored in ocspStatus, so any
	// reaction to a non-good status must live elsewhere — confirm it does.
	// TODO: Handle these errors better
	bundleBytes, readErr := ioutil.ReadFile(storage.SiteCertFile(cfg.Host))
	if readErr == nil {
		staple, status, ocspErr := acme.GetOCSPForCert(bundleBytes)
		// Keyed by the address of this call's local bundle: every call adds a
		// fresh entry, and nothing visible here removes or reuses one.
		ocspStatus[&bundleBytes] = status
		if ocspErr == nil && status == acme.OCSPGood {
			cfg.TLS.OCSPStaple = staple
		}
	}

	cfg.TLS.Enabled = true
	cfg.TLS.Certificate = storage.SiteCertFile(cfg.Host)
	cfg.TLS.Key = storage.SiteKeyFile(cfg.Host)
	// Ensure all defaults are set for the TLS config
	setup.SetDefaultTLSParams(cfg)

	if cfg.Port == "" {
		cfg.Port = "https"
	}

	// Set up http->https redirect as long as there isn't already a http counterpart
	// in the configs and this isn't, for some reason, already on port 80.
	// Also, the port 80 variant of this config is necessary for proxying challenge requests.
	onPlaintextPort := cfg.Port == "80" || cfg.Port == "http" // (would not be http port with current program flow, but just in case)
	if !otherHostHasScheme(allConfigs, cfgIndex, "http") && !onPlaintextPort {
		allConfigs = append(allConfigs, redirPlaintextHost(*cfg))
	}

	// To support renewals, we need handlers at ports 80 and 443,
	// depending on the challenge type that is used to complete renewal.
	// NOTE: after the append above, cfg may point into the previous backing
	// array rather than into allConfigs; only cfg.Host is read from here on,
	// and every write goes through allConfigs[i].
	host := cfg.Host
	for i := range allConfigs {
		switch allConfigs[i].Address() {
		case host + ":80", host + ":443", host + ":http", host + ":https":
			// this config serves the host on a challenge-relevant port
		default:
			continue
		}

		// Each virtualhost must have their own handlers, or the chaining gets messed up when middlewares are compiled!
		h := new(Handler)
		chain := func(next middleware.Handler) middleware.Handler {
			h.Next = next
			return h
		}
		// TODO: Currently, acmeHandlers are not referenced, but we need to add a way to toggle
		// their proxy functionality -- or maybe not. Gotta figure this out for sure.
		acmeHandlers[allConfigs[i].Address()] = h

		// NOTE(review): writes into allConfigs[i].Middleware; a nil map here
		// would panic — assumed to be initialized by whoever built the config.
		allConfigs[i].Middleware["/"] = append(allConfigs[i].Middleware["/"], chain)
	}

	return allConfigs
}
// autoConfigure enables TLS on allConfigs[cfgIndex] and appends, if necessary,
// a new config to allConfigs that redirects plaintext HTTP to its new HTTPS
// counterpart. It expects the certificate and key to already be in storage. It
// returns the new list of allConfigs, since it may append a new config. This
// function assumes that allConfigs[cfgIndex] is already set up for HTTPS.
//
// Side effects beyond the returned slice: an entry is recorded in the
// package-level ocspStatus map (keyed by the address of this call's bundle
// bytes) whenever the certificate file could be read, and, when the config
// ends up on the HTTPS port, an ACME Handler for cfg.Host is registered in
// acmeHandlers and chained into the config's "/" middleware.
func autoConfigure(allConfigs []server.Config, cfgIndex int) []server.Config {
	cfg := &allConfigs[cfgIndex]

	// Best-effort OCSP stapling: a read failure or an OCSP failure is ignored
	// without logging. NOTE(review): a status other than OCSPGood — including
	// a revoked certificate — only withholds the staple; the site is still
	// served with this certificate. The status is stored in ocspStatus, so any
	// reaction to a non-good status must live elsewhere — confirm it does.
	// TODO: Handle these errors better
	bundleBytes, readErr := ioutil.ReadFile(storage.SiteCertFile(cfg.Host))
	if readErr == nil {
		staple, status, ocspErr := acme.GetOCSPForCert(bundleBytes)
		// Keyed by the address of this call's local bundle: every call adds a
		// fresh entry, and nothing visible here removes or reuses one.
		ocspStatus[&bundleBytes] = status
		if ocspErr == nil && status == acme.OCSPGood {
			cfg.TLS.OCSPStaple = staple
		}
	}

	cfg.TLS.Enabled = true
	cfg.TLS.Certificate = storage.SiteCertFile(cfg.Host)
	cfg.TLS.Key = storage.SiteKeyFile(cfg.Host)
	// Ensure all defaults are set for the TLS config
	setup.SetDefaultTLSParams(cfg)

	if cfg.Port == "" {
		cfg.Port = "https"
	}

	// Chain in ACME middleware proxy if we use up the SSL port
	switch cfg.Port {
	case "https", "443":
		h := new(Handler)
		chain := func(next middleware.Handler) middleware.Handler {
			h.Next = next
			return h
		}
		// NOTE(review): writes into cfg.Middleware; a nil map here would
		// panic — assumed to be initialized by whoever built the config.
		cfg.Middleware["/"] = append(cfg.Middleware["/"], chain)
		acmeHandlers[cfg.Host] = h
	}

	// Set up http->https redirect as long as there isn't already a http counterpart
	// in the configs and this isn't, for some reason, already on port 80
	onPlaintextPort := cfg.Port == "80" || cfg.Port == "http" // (would not be http port with current program flow, but just in case)
	if !otherHostHasScheme(allConfigs, cfgIndex, "http") && !onPlaintextPort {
		// NOTE(review): *cfg is copied by value, but its Middleware map (which
		// may now hold the ACME handler) is a shared reference; whether the
		// redirect config keeps or replaces it is decided inside
		// redirPlaintextHost — confirm it does not inherit this chain.
		allConfigs = append(allConfigs, redirPlaintextHost(*cfg))
	}

	return allConfigs
}