mirror of
https://codeberg.org/forgejo/forgejo
synced 2024-11-24 18:56:11 +01:00
d2ea21d0d8
* use certmagic for more extensible/robust ACME cert handling * accept TOS based on config option Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: Lauris BH <lauris@nix.lv>
70 lines
2.3 KiB
Go
70 lines
2.3 KiB
Go
// Copyright 2020 The Gitea Authors. All rights reserved.
|
|
// Use of this source code is governed by a MIT-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package cmd
|
|
|
|
import (
|
|
"net/http"
|
|
"strings"
|
|
|
|
"code.gitea.io/gitea/modules/log"
|
|
"code.gitea.io/gitea/modules/setting"
|
|
|
|
"github.com/caddyserver/certmagic"
|
|
context2 "github.com/gorilla/context"
|
|
)
|
|
|
|
func runLetsEncrypt(listenAddr, domain, directory, email string, m http.Handler) error {
|
|
|
|
// If HTTP Challenge enabled, needs to be serving on port 80. For TLSALPN needs 443.
|
|
// Due to docker port mapping this can't be checked programatically
|
|
// TODO: these are placeholders until we add options for each in settings with appropriate warning
|
|
enableHTTPChallenge := true
|
|
enableTLSALPNChallenge := true
|
|
|
|
magic := certmagic.NewDefault()
|
|
magic.Storage = &certmagic.FileStorage{Path: directory}
|
|
myACME := certmagic.NewACMEManager(magic, certmagic.ACMEManager{
|
|
Email: email,
|
|
Agreed: setting.LetsEncryptTOS,
|
|
DisableHTTPChallenge: !enableHTTPChallenge,
|
|
DisableTLSALPNChallenge: !enableTLSALPNChallenge,
|
|
})
|
|
|
|
magic.Issuer = myACME
|
|
|
|
// this obtains certificates or renews them if necessary
|
|
err := magic.ManageSync([]string{domain})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
tlsConfig := magic.TLSConfig()
|
|
|
|
if enableHTTPChallenge {
|
|
go func() {
|
|
log.Info("Running Let's Encrypt handler on %s", setting.HTTPAddr+":"+setting.PortToRedirect)
|
|
// all traffic coming into HTTP will be redirect to HTTPS automatically (LE HTTP-01 validation happens here)
|
|
var err = runHTTP("tcp", setting.HTTPAddr+":"+setting.PortToRedirect, myACME.HTTPChallengeHandler(http.HandlerFunc(runLetsEncryptFallbackHandler)))
|
|
if err != nil {
|
|
log.Fatal("Failed to start the Let's Encrypt handler on port %s: %v", setting.PortToRedirect, err)
|
|
}
|
|
}()
|
|
}
|
|
|
|
return runHTTPSWithTLSConfig("tcp", listenAddr, tlsConfig, context2.ClearHandler(m))
|
|
}
|
|
|
|
func runLetsEncryptFallbackHandler(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != "GET" && r.Method != "HEAD" {
|
|
http.Error(w, "Use HTTPS", http.StatusBadRequest)
|
|
return
|
|
}
|
|
// Remove the trailing slash at the end of setting.AppURL, the request
|
|
// URI always contains a leading slash, which would result in a double
|
|
// slash
|
|
target := strings.TrimSuffix(setting.AppURL, "/") + r.URL.RequestURI()
|
|
http.Redirect(w, r, target, http.StatusFound)
|
|
}
|