// Run the application, start http and scp server.
func Run(appConfig Config) {
config = appConfig
// Connect to DB
db, err := lib.Connect()
if err != nil {
fmt.Printf("Failed to connect to db")
return
}
// Logging
log := logrus.New()
log.Level = logrus.DebugLevel
log.Out = os.Stdout
log.Formatter = &logrus.TextFormatter{}
// Websockets
ws := ws.NewServer()
// Shared dependencies between all controller
deps := dependencies.Dependencies{
Fs: afero.NewOsFs(),
Logger: log,
DB: db,
WS: ws,
}
ws.Dependencies = &deps
go ws.Start()
// // Start SCP
// scp := scp.Server{}
// scp.DB = deps.DB
// scp.Logger = deps.Logger
// scp.CertPath = "certs/scp.rsa"
// scp.BindAddr = config.SCPBindAddr
// go scp.ListenAndServe()
if config.Secure {
c := autocert.DirCache("certs")
m := autocert.Manager{
Cache: c,
Prompt: autocert.AcceptTOS,
HostPolicy: autocert.HostWhitelist("x.zqz.ca"),
}
s := &http.Server{
Addr: config.HTTPBindAddr,
TLSConfig: &tls.Config{GetCertificate: m.GetCertificate},
}
deps.Info("Listening for HTTP1.1 Connections", "addr", ":3001")
deps.Info("Listening for HTTP2 Connections", "addr", config.HTTPBindAddr)
go http.ListenAndServe(":3001", secureRedirect())
s.ListenAndServeTLS("", "")
} else {
deps.Info("Listening for HTTP1.1 Connections", "addr", config.HTTPBindAddr)
http.ListenAndServe(config.HTTPBindAddr, Routes(deps))
}
}
// LETSENCRYPTPROD returns a new Automatic TLS Listener using letsencrypt.org service
// receives two parameters, the first is the domain of the server
// and the second is optionally, the cache directory, if you skip it then the cache directory is "./certcache"
// if you want to disable cache directory then simple give it a value of empty string ""
//
// does NOT supports localhost domains for testing, use LETSENCRYPT instead.
//
// this is the recommended function to use when you're ready for production state
func LETSENCRYPTPROD(addr string, cacheDirOptional ...string) (net.Listener, error) {
if portIdx := strings.IndexByte(addr, ':'); portIdx == -1 {
addr += ":443"
}
ln, err := TCP4(addr)
if err != nil {
return nil, err
}
cacheDir := "./certcache"
if len(cacheDirOptional) > 0 {
cacheDir = cacheDirOptional[0]
}
m := autocert.Manager{
Prompt: autocert.AcceptTOS,
} // HostPolicy is missing, if user wants it, then she/he should manually
// configure the autocertmanager and use the `iris.Serve` to pass that listener
if cacheDir == "" {
// then the user passed empty by own will, then I guess she/he doesnt' want any cache directory
} else {
m.Cache = autocert.DirCache(cacheDir)
}
tlsConfig := &tls.Config{GetCertificate: m.GetCertificate}
tlsLn := tls.NewListener(ln, tlsConfig)
return tlsLn, nil
}
func serveHTTPS(httpServer *http.Server) error {
log.Printf("Starting TLS server on %s", *httpsAddr)
httpsServer := new(http.Server)
*httpsServer = *httpServer
httpsServer.Addr = *httpsAddr
cacheDir := autocert.DirCache("letsencrypt.cache")
var domain string
if !inProd {
if *tlsCertFile != "" && *tlsKeyFile != "" {
return httpsServer.ListenAndServeTLS(*tlsCertFile, *tlsKeyFile)
}
// Otherwise use Let's Encrypt, i.e. same use case as in prod
if strings.HasPrefix(*httpsAddr, ":") {
return errors.New("for Let's Encrypt, -https needs to start with a host name")
}
host, _, err := net.SplitHostPort(*httpsAddr)
if err != nil {
return err
}
domain = host
} else {
domain = "camlistore.org"
cacheDir = autocert.DirCache(prodLECacheDir)
}
m := autocert.Manager{
Prompt: autocert.AcceptTOS,
HostPolicy: autocert.HostWhitelist(domain),
Cache: cacheDir,
}
if *adminEmail != "" {
m.Email = *adminEmail
}
httpsServer.TLSConfig = &tls.Config{
GetCertificate: m.GetCertificate,
}
log.Printf("Listening for HTTPS on %v", *httpsAddr)
ln, err := net.Listen("tcp", *httpsAddr)
if err != nil {
return err
}
return httpsServer.Serve(tls.NewListener(tcpKeepAliveListener{ln.(*net.TCPListener)}, httpsServer.TLSConfig))
}
func main() {
flag.Parse()
log.Printf("Starting (prod=%t)", *prod)
client := &acme.Client{}
if !*prod {
client = &acme.Client{
DirectoryURL: "https://acme-staging.api.letsencrypt.org/directory",
}
}
m := autocert.Manager{
Prompt: autocert.AcceptTOS,
HostPolicy: autocert.HostWhitelist("www.homedroids.io"),
Cache: autocert.DirCache("certs"),
Client: client,
}
s := &http.Server{
Addr: *httpsAddr,
TLSConfig: &tls.Config{GetCertificate: m.GetCertificate},
}
log.Fatal(s.ListenAndServeTLS("", ""))
}
func serveProdTLS() error {
const cacheDir = "/var/cache/autocert"
if err := os.MkdirAll(cacheDir, 0700); err != nil {
return err
}
m := autocert.Manager{
Cache: autocert.DirCache(cacheDir),
Prompt: autocert.AcceptTOS,
HostPolicy: autocert.HostWhitelist("http2.golang.org"),
}
srv := &http.Server{
TLSConfig: &tls.Config{
GetCertificate: m.GetCertificate,
},
}
http2.ConfigureServer(srv, &http2.Server{})
ln, err := net.Listen("tcp", ":443")
if err != nil {
return err
}
return srv.Serve(tls.NewListener(tcpKeepAliveListener{ln.(*net.TCPListener)}, srv.TLSConfig))
}
func main() {
log.SetLevel(log.DebugLevel)
log.SetFlags(0)
// выводим информацию о версии сборки
log.WithFields(log.Fields{
"version": version,
"date": date,
"build": build,
"name": appName,
}).Info("starting service")
// разбираем параметры запуска приложения
config := flag.String("config", appName+".json", "configuration `filename`")
address := flag.String("address", host, "server address and `port`")
flag.Parse()
// загружаем конфигурацию сервиса
log.WithField("file", *config).Info("loading service config")
service, err := LoadConfig(*config)
if err != nil {
log.WithError(err).Error("loading config error")
os.Exit(1)
}
// выводим список поддерживаемых MX-серверов
mxnames := service.Auth.Names()
if len(mxnames) == 0 {
log.Error("no MX servers configured")
os.Exit(1)
}
log.WithField("names", strings.Join(mxnames, ", ")).
Info("supported MX servers")
// выводим информацию о кеше авторизации
log.WithField("lifeTime", mxlogin.CacheLifetime).
Info("authorization cache")
// удаляем устаревшие файлы раз в сутки
cleanInterval := time.Hour * 24
// выводим информацию о хранилище файлов
log.WithFields(log.Fields{
"path": service.FileStore.Store.Path(),
"lifeTime": service.FileStore.Lifetime,
"cleanInterval": cleanInterval,
}).Info("file store")
// запускаем процесс автоматического удаления старых файлов
go func() {
for {
time.Sleep(cleanInterval)
err = service.FileStore.Clean()
if err != nil {
log.WithField("service", "filestore").
WithError(err).Debug("file store clean error")
}
}
}()
// инициализируем мультиплексор HTTP-запросов
mux := &rest.ServeMux{
Headers: map[string]string{
"Server": "MXStore/2.0",
"X-API-Version": "1.1",
"X-Service-Version": version,
},
Logger: log.WithField("service", "http"),
Encoder: Encoder,
}
// обработчики файлов хранилища и аватарок
mux.Handles(rest.Paths{
"/mx/:mx-name/store": {
// переходим на основное имя MX сервера, если используется синоним
// возвращает пустой ответ, если имя сервера и так основное
"GET": nil,
// сохраняем в хранилище новый файл
"POST": service.FileStore.Save,
},
// отдаем файл по запросу
"/mx/:mx-name/store/*filename": {
"GET": service.FileStore.Get,
},
"/mx/:mx-name/avatar": {
// переходим на основное имя MX сервера, если используется синоним
// возвращаем список идентификаторов пользователей и аватарок
"GET": service.Avatars.List,
// сохраняем в хранилище новый файл
"POST": service.Avatars.Save,
},
// отдаем файл с аватаркой по запросу
"/mx/:mx-name/avatar/*filename": {
"GET": service.Avatars.Get,
},
},
// для всех запросов требуется авторизация
service.Auth.Authorize,
)
// добавляем обработчик отдачи документации
mux.Handle("GET", "/",
rest.Redirect("https://www.connector73.com/en#softphone"))
// запускаем сервис с ответом об информации о ссылке
mux.Handle("GET", "/urlinfo/*url", URLInfo)
// генератор аватарок
mux.Handle("GET", "/avatar/:id", AvatarGenerator)
// инициализируем HTTP-сервер
server := &http.Server{
Addr: *address,
Handler: mux,
ReadTimeout: time.Second * 60,
WriteTimeout: time.Second * 120,
}
// для защищенного соединения проделываем дополнительные настройки
host, port, err := net.SplitHostPort(*address)
if err != nil {
log.WithError(err).Error("bad server address")
os.Exit(2)
}
if port == "https" || port == "443" {
if host != "localhost" && host != "127.0.0.1" {
manager := autocert.Manager{
Prompt: autocert.AcceptTOS,
HostPolicy: autocert.HostWhitelist(host),
Email: "*****@*****.**",
Cache: autocert.DirCache("letsEncript.cache"),
}
server.TLSConfig = &tls.Config{
GetCertificate: manager.GetCertificate,
}
} else {
// исключительно для отладки
cert, err := tls.X509KeyPair(LocalhostCert, LocalhostKey)
if err != nil {
panic(fmt.Sprintf("local certificates error: %v", err))
}
server.TLSConfig = &tls.Config{
Certificates: []tls.Certificate{cert},
}
}
// запускаем автоматический переход для HTTP на HTTPS
go func() {
log.Info("starting http to https redirect server")
err := http.ListenAndServe(":http", http.HandlerFunc(
func(w http.ResponseWriter, r *http.Request) {
http.Redirect(w, r,
"https://"+r.Host+r.URL.String(),
http.StatusMovedPermanently)
}))
if err != nil {
log.WithError(err).Warning("http redirect server error")
}
}()
// запускаем основной сервер
go func() {
log.WithFields(log.Fields{
"address": server.Addr,
"host": host,
}).Info("starting https server")
err = server.ListenAndServeTLS("", "")
// // корректно закрываем сервисы по окончании работы
// service.Close()
log.WithError(err).Warning("https server stoped")
os.Exit(3)
}()
} else {
// не защищенный HTTP сервер
go func() {
log.WithField("address", *address).Info("starting service")
err = server.ListenAndServe()
// service.Close()
log.WithError(err).Warning("http server stoped")
os.Exit(3)
}()
}
// инициализируем поддержку системных сигналов и ждем, когда он случится
monitorSignals(os.Interrupt, os.Kill)
// service.Close()
log.Info("service stoped")
}
// If cert/key files are specified, and found, use them.
// If cert/key files are specified, not found, and the default values, generate
// them (self-signed CA used as a cert), and use them.
// If cert/key files are not specified, use Let's Encrypt.
func setupTLS(ws *webserver.Server, config *serverinit.Config, hostname string) {
cert, key := config.OptionalString("httpsCert", ""), config.OptionalString("httpsKey", "")
if !config.OptionalBool("https", true) {
return
}
if (cert != "") != (key != "") {
exitf("httpsCert and httpsKey must both be either present or absent")
}
defCert := osutil.DefaultTLSCert()
defKey := osutil.DefaultTLSKey()
const hint = "You must add this certificate's fingerprint to your client's trusted certs list to use it. Like so:\n\"trustedCerts\": [\"%s\"],"
if cert == defCert && key == defKey {
_, err1 := wkfs.Stat(cert)
_, err2 := wkfs.Stat(key)
if err1 != nil || err2 != nil {
if os.IsNotExist(err1) || os.IsNotExist(err2) {
sig, err := httputil.GenSelfTLSFiles(hostname, defCert, defKey)
if err != nil {
exitf("Could not generate self-signed TLS cert: %q", err)
}
log.Printf(hint, sig)
} else {
exitf("Could not stat cert or key: %q, %q", err1, err2)
}
}
}
if cert == "" && key == "" {
// Use Let's Encrypt if no files are specified, and we have a usable hostname.
if netutil.IsFQDN(hostname) {
m := autocert.Manager{
Prompt: autocert.AcceptTOS,
HostPolicy: autocert.HostWhitelist(hostname),
Cache: autocert.DirCache(osutil.DefaultLetsEncryptCache()),
}
log.Print("TLS enabled, with Let's Encrypt")
ws.SetTLS(webserver.TLSSetup{
CertManager: m.GetCertificate,
})
return
}
// Otherwise generate new certificates
sig, err := httputil.GenSelfTLSFiles(hostname, defCert, defKey)
if err != nil {
exitf("Could not generate self signed creds: %q", err)
}
log.Printf(hint, sig)
cert = defCert
key = defKey
}
data, err := wkfs.ReadFile(cert)
if err != nil {
exitf("Failed to read pem certificate: %s", err)
}
sig, err := httputil.CertFingerprint(data)
if err != nil {
exitf("certificate error: %v", err)
}
log.Printf("TLS enabled, with SHA-256 certificate fingerprint: %v", sig)
ws.SetTLS(webserver.TLSSetup{
CertFile: cert,
KeyFile: key,
})
}
func (r *Runner) start() error {
r.authKey = os.Getenv("AUTH_KEY")
if r.authKey == "" {
return errors.New("AUTH_KEY not set")
}
r.runEnv["TEST_RUNNER_AUTH_KEY"] = r.authKey
for _, s := range []string{"S3", "GCS", "AZURE"} {
name := fmt.Sprintf("BLOBSTORE_%s_CONFIG", s)
if c := os.Getenv(name); c != "" {
r.runEnv[name] = c
} else {
return fmt.Errorf("%s not set", name)
}
}
r.githubToken = os.Getenv("GITHUB_TOKEN")
if r.githubToken == "" {
return errors.New("GITHUB_TOKEN not set")
}
am := autocert.Manager{
Prompt: autocert.AcceptTOS,
Cache: autocert.DirCache(args.TLSDir),
HostPolicy: autocert.HostWhitelist(args.Domain),
}
awsAuth, err := aws.EnvCreds()
if err != nil {
return err
}
r.s3 = s3.New(awsAuth, "us-east-1", nil)
_, listenPort, err = net.SplitHostPort(args.ListenAddr)
if err != nil {
return err
}
bc := r.bc
bc.Network = r.allocateNet()
if r.rootFS, err = cluster.BuildFlynn(bc, args.RootFS, "origin/master", false, os.Stdout); err != nil {
return fmt.Errorf("could not build flynn: %s", err)
}
r.releaseNet(bc.Network)
shutdown.BeforeExit(func() { removeRootFS(r.rootFS) })
db, err := bolt.Open(args.DBPath, 0600, &bolt.Options{Timeout: 5 * time.Second})
if err != nil {
return fmt.Errorf("could not open db: %s", err)
}
r.db = db
shutdown.BeforeExit(func() { r.db.Close() })
if err := r.db.Update(func(tx *bolt.Tx) error {
_, err := tx.CreateBucketIfNotExists(dbBucket)
return err
}); err != nil {
return fmt.Errorf("could not create builds bucket: %s", err)
}
for i := 0; i < args.ConcurrentBuilds; i++ {
r.buildCh <- struct{}{}
}
if err := r.buildPending(); err != nil {
log.Printf("could not build pending builds: %s", err)
}
go r.connectIRC()
go r.watchEvents()
router := httprouter.New()
router.RedirectTrailingSlash = true
router.Handler("GET", "/", http.RedirectHandler("/builds", 302))
router.POST("/", r.handleEvent)
router.GET("/builds/:build", r.getBuildLog)
router.GET("/builds/:build/download", r.downloadBuildLog)
router.POST("/builds/:build/restart", r.restartBuild)
router.POST("/builds/:build/explain", r.explainBuild)
router.GET("/builds", r.getBuilds)
router.ServeFiles("/assets/*filepath", http.Dir(args.AssetsDir))
router.GET("/cluster/:cluster", r.clusterAPI(r.getCluster))
router.POST("/cluster/:cluster", r.clusterAPI(r.addHost))
router.POST("/cluster/:cluster/release", r.clusterAPI(r.addReleaseHosts))
router.DELETE("/cluster/:cluster/:host", r.clusterAPI(r.removeHost))
srv := &http.Server{
Addr: args.ListenAddr,
Handler: router,
TLSConfig: tlsconfig.SecureCiphers(&tls.Config{
GetCertificate: am.GetCertificate,
}),
}
log.Println("Listening on", args.ListenAddr, "...")
if err := srv.ListenAndServeTLS("", ""); err != nil {
return fmt.Errorf("ListenAndServeTLS: %s", err)
}
return nil
}
func main() {
launchConfig.MaybeDeploy()
flag.Parse()
var kv keyValue
var httpsListenAddr string
if metadata.OnGCE() {
httpsListenAddr = ":443"
dsClient, err := datastore.NewClient(context.Background(), GCEProjectID)
if err != nil {
log.Fatalf("Error creating datastore client for records: %v", err)
}
kv = cachedStore{
dsClient: dsClient,
cache: lru.New(cacheSize),
}
} else {
httpsListenAddr = ":4430"
kv = memkv{skv: sorted.NewMemoryKeyValue()}
}
if err := kv.Set("6401800c.camlistore.net.", "159.203.246.79"); err != nil {
log.Fatalf("Error adding %v:%v record: %v", "6401800c.camlistore.net.", "159.203.246.79", err)
}
if err := kv.Set(domain, *flagServerIP); err != nil {
log.Fatalf("Error adding %v:%v record: %v", domain, *flagServerIP, err)
}
if err := kv.Set("www.camlistore.net.", *flagServerIP); err != nil {
log.Fatalf("Error adding %v:%v record: %v", "www.camlistore.net.", *flagServerIP, err)
}
ds := newDNSServer(kv)
cs := &gpgchallenge.Server{
OnSuccess: func(identity string, address string) error {
log.Printf("Adding %v.camlistore.net. as %v", identity, address)
return ds.dataSource.Set(strings.ToLower(identity+".camlistore.net."), address)
},
}
tcperr := make(chan error, 1)
udperr := make(chan error, 1)
httperr := make(chan error, 1)
log.Printf("serving DNS on %s\n", *addr)
go func() {
tcperr <- dns.ListenAndServe(*addr, "tcp", ds)
}()
go func() {
udperr <- dns.ListenAndServe(*addr, "udp", ds)
}()
if metadata.OnGCE() {
// TODO(mpl): if we want to get a cert for anything
// *.camlistore.net, it's a bit of a chicken and egg problem, since
// we need camnetdns itself to be already running and answering DNS
// queries. It's probably doable, but easier for now to just ask
// one for camnetdns.camlistore.org, since that name is not
// resolved by camnetdns.
hostname := strings.TrimSuffix(authorityNS, ".")
m := autocert.Manager{
Prompt: autocert.AcceptTOS,
HostPolicy: autocert.HostWhitelist(hostname),
Cache: autocert.DirCache(osutil.DefaultLetsEncryptCache()),
}
ln, err := tls.Listen("tcp", httpsListenAddr, &tls.Config{
Rand: rand.Reader,
Time: time.Now,
NextProtos: []string{http2.NextProtoTLS, "http/1.1"},
MinVersion: tls.VersionTLS12,
GetCertificate: m.GetCertificate,
})
if err != nil {
log.Fatalf("Error listening on %v: %v", httpsListenAddr, err)
}
go func() {
httperr <- http.Serve(ln, cs)
}()
}
select {
case err := <-tcperr:
log.Fatalf("DNS over TCP error: %v", err)
case err := <-udperr:
log.Fatalf("DNS error: %v", err)
case err := <-httperr:
log.Fatalf("HTTP server error: %v", err)
}
}
func (d roCertCacheDir) Get(ctx context.Context, key string) ([]byte, error) {
return autocert.DirCache(d).Get(ctx, key)
}
