Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
C
caddy
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
caddy
Commits
580b50ea
Commit
580b50ea
authored
Nov 17, 2015
by
Matthew Holt
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
letsencrypt: Support for http-01, awkwardly straddling that and SimpleHTTP for now
parent
659df696
Changes
3
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
65 additions
and
46 deletions
+65
-46
caddy/letsencrypt/handler.go
caddy/letsencrypt/handler.go
+42
-31
caddy/letsencrypt/letsencrypt.go
caddy/letsencrypt/letsencrypt.go
+22
-12
caddy/letsencrypt/maintain.go
caddy/letsencrypt/maintain.go
+1
-3
No files found.
caddy/letsencrypt/handler.go
View file @
580b50ea
...
...
@@ -2,62 +2,73 @@ package letsencrypt
import
(
"crypto/tls"
"net"
"net/http"
"net/http/httputil"
"net/url"
"s
ync
"
"s
trings
"
"sync/atomic"
"github.com/mholt/caddy/middleware"
)
// Handler is a Caddy middleware that can proxy ACME requests
// to the real ACME endpoint. This is necessary to renew certificates
// while the server is running. Obviously, a site served on port
// 443 (HTTPS) binds to that port, so another listener created by
// our acme client can't bind successfully and solve the challenge.
// Thus, we chain this handler in so that it can, when activated,
// proxy ACME requests to an ACME client listening on an alternate
// port.
const
challengeBasePath
=
"/.well-known/acme-challenge"
// Handler is a Caddy middleware that can proxy ACME challenge
// requests to the real ACME client endpoint. This is necessary
// to renew certificates while the server is running.
type
Handler
struct
{
sync
.
Mutex
// protects the ChallengePath property
Next
middleware
.
Handler
ChallengeActive
int32
// use sync/atomic for speed to set/get this flag
ChallengePath
string
// the exact request path to match before proxying
ChallengeActive
int32
// TODO: use sync/atomic to set/get this flag safely and efficiently
}
// ServeHTTP is basically a no-op unless an ACME challenge is active on this host
// and the request path matches the expected path exactly.
func
(
h
*
Handler
)
ServeHTTP
(
w
http
.
ResponseWriter
,
r
*
http
.
Request
)
(
int
,
error
)
{
// Only if challenge is active
if
atomic
.
LoadInt32
(
&
h
.
ChallengeActive
)
==
1
{
h
.
Lock
()
path
:=
h
.
ChallengePath
h
.
Unlock
()
// TODO: this won't work until the global challenge hook in the acme package is ready
//if atomic.LoadInt32(&h.ChallengeActive) == 1 {
// Proxy challenge requests to ACME client
if
strings
.
HasPrefix
(
r
.
URL
.
Path
,
challengeBasePath
)
{
scheme
:=
"http"
if
r
.
TLS
!=
nil
{
scheme
=
"https"
}
hostname
,
_
,
err
:=
net
.
SplitHostPort
(
r
.
URL
.
Host
)
if
err
!=
nil
{
hostname
=
r
.
URL
.
Host
}
// Request path must be correct; if so, proxy to ACME client
if
r
.
URL
.
Path
==
path
{
upstream
,
err
:=
url
.
Parse
(
"https://"
+
r
.
Host
+
":"
+
alternatePort
)
if
err
!=
nil
{
return
http
.
StatusInternalServerError
,
err
}
proxy
:=
httputil
.
NewSingleHostReverseProxy
(
upstream
)
proxy
.
Transport
=
&
http
.
Transport
{
TLSClientConfig
:
&
tls
.
Config
{
InsecureSkipVerify
:
true
},
// client uses self-signed cert
}
proxy
.
ServeHTTP
(
w
,
r
)
return
0
,
nil
upstream
,
err
:=
url
.
Parse
(
scheme
+
"://"
+
hostname
+
":"
+
alternatePort
)
if
err
!=
nil
{
return
http
.
StatusInternalServerError
,
err
}
proxy
:=
httputil
.
NewSingleHostReverseProxy
(
upstream
)
proxy
.
Transport
=
&
http
.
Transport
{
TLSClientConfig
:
&
tls
.
Config
{
InsecureSkipVerify
:
true
},
// client uses self-signed cert
}
proxy
.
ServeHTTP
(
w
,
r
)
return
0
,
nil
}
//}
return
h
.
Next
.
ServeHTTP
(
w
,
r
)
}
// TODO: SimpleHTTP deprecation imminent!! meaning these
// challenge handlers will go away and be replaced with
// something else.
// ChallengeOn enables h to proxy ACME requests.
func
(
h
*
Handler
)
ChallengeOn
(
challengePath
string
)
{
h
.
Lock
()
h
.
ChallengePath
=
challengePath
h
.
Unlock
()
//
h.Lock()
//
h.ChallengePath = challengePath
//
h.Unlock()
atomic
.
StoreInt32
(
&
h
.
ChallengeActive
,
1
)
}
...
...
caddy/letsencrypt/letsencrypt.go
View file @
580b50ea
...
...
@@ -344,24 +344,34 @@ func autoConfigure(allConfigs []server.Config, cfgIndex int) []server.Config {
cfg
.
Port
=
"https"
}
// Chain in ACME middleware proxy if we use up the SSL port
if
cfg
.
Port
==
"https"
||
cfg
.
Port
==
"443"
{
handler
:=
new
(
Handler
)
mid
:=
func
(
next
middleware
.
Handler
)
middleware
.
Handler
{
handler
.
Next
=
next
return
handler
}
cfg
.
Middleware
[
"/"
]
=
append
(
cfg
.
Middleware
[
"/"
],
mid
)
acmeHandlers
[
cfg
.
Host
]
=
handler
}
// Set up http->https redirect as long as there isn't already a http counterpart
// in the configs and this isn't, for some reason, already on port 80
// in the configs and this isn't, for some reason, already on port 80.
// Also, the port 80 variant of this config is necessary for proxying challenge requests.
if
!
otherHostHasScheme
(
allConfigs
,
cfgIndex
,
"http"
)
&&
cfg
.
Port
!=
"80"
&&
cfg
.
Port
!=
"http"
{
// (would not be http port with current program flow, but just in case)
allConfigs
=
append
(
allConfigs
,
redirPlaintextHost
(
*
cfg
))
}
// To support renewals, we need handlers at ports 80 and 443,
// depending on the challenge type that is used to complete renewal.
// Every proxy for this host can share the handler.
handler
:=
new
(
Handler
)
mid
:=
func
(
next
middleware
.
Handler
)
middleware
.
Handler
{
handler
.
Next
=
next
return
handler
}
acmeHandlers
[
cfg
.
Host
]
=
handler
// Handler needs to go in 80 and 443
for
i
,
c
:=
range
allConfigs
{
if
c
.
Address
()
==
cfg
.
Host
+
":80"
||
c
.
Address
()
==
cfg
.
Host
+
":443"
||
c
.
Address
()
==
cfg
.
Host
+
":http"
||
c
.
Address
()
==
cfg
.
Host
+
":https"
{
allConfigs
[
i
]
.
Middleware
[
"/"
]
=
append
(
allConfigs
[
i
]
.
Middleware
[
"/"
],
mid
)
}
}
return
allConfigs
}
...
...
caddy/letsencrypt/maintain.go
View file @
580b50ea
...
...
@@ -144,9 +144,7 @@ func renewCertificates(configs []server.Config, useCustomPort bool) (int, []erro
acme
.
OnSimpleHTTPStart
=
acmeHandlers
[
cfg
.
Host
]
.
ChallengeOn
acme
.
OnSimpleHTTPEnd
=
acmeHandlers
[
cfg
.
Host
]
.
ChallengeOff
// Renew certificate.
// TODO: revokeOld should be an option in the caddyfile
// TODO: bundle should be an option in the caddyfile as well :)
// Renew certificate
Renew
:
newCertMeta
,
err
:=
client
.
RenewCertificate
(
certMeta
,
true
,
true
)
if
err
!=
nil
{
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment