package caddytls

import (
	"crypto/tls"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

const challengeBasePath = "/.well-known/acme-challenge"

// HTTPChallengeHandler proxies challenge requests to ACME client if the
// request path starts with challengeBasePath. It returns true if it
// handled the request and no more needs to be done; it returns false
// if this call was a no-op and the request still needs handling.
func HTTPChallengeHandler(w http.ResponseWriter, r *http.Request, altPort string) bool {
	if !strings.HasPrefix(r.URL.Path, challengeBasePath) {
		return false
	}

	scheme := "http"
	if r.TLS != nil {
		scheme = "https"
	}

	upstream, err := url.Parse(scheme + "://localhost:" + altPort)
	if err != nil {
		w.WriteHeader(http.StatusInternalServerError)
		log.Printf("[ERROR] ACME proxy handler: %v", err)
		return true
	}

	proxy := httputil.NewSingleHostReverseProxy(upstream)
	proxy.Transport = &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // solver uses self-signed certs
	}
	proxy.ServeHTTP(w, r)

	return true
}