| package main
 | |
| 
 | |
import (
	"crypto/tls"
	"flag"
	"fmt"
	"net"
	"net/http"
	"os"
	"path/filepath"
	"strconv"
	"strings"
	"sync"
	"time"
)
| 
 | |
// usage writes the invocation line and the registered flag defaults to
// stderr and then terminates the process with status 2, the conventional
// exit code for a bad command line.
func usage() {
	const banner = "\nusage: go run serve.go [optional flags]\n"
	fmt.Fprint(os.Stderr, banner)
	flag.PrintDefaults()
	fmt.Println()

	os.Exit(2)
}
| 
 | |
// myHandler is the http.Handler installed on the server. main constructs it
// as &myHandler{} and never fills certMap; ServeHTTP does not read the field,
// so it is currently unused (certificate caching lives in main's
// GetCertificate closure instead).
type myHandler struct {
	certMap map[string]tls.Certificate // unused for now
}
| 
 | |
// myCert is one entry of the per-hostname certificate cache kept in main,
// keyed by the SNI name that requested it.
type myCert struct {
	cert      *tls.Certificate // loaded key pair, or the default certificate when the name had none
	touchedAt time.Time        // last handshake that used the entry; meant for the not-yet-written eviction (see TODO in main)
}
| 
 | |
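// ServeHTTP dumps the incoming request to stdout for debugging and answers
// with a fixed greeting; serving files from a hosting directory is still TODO.
//
// Header values that carry credentials are redacted from the debug output so
// that stdout does not accumulate session cookies and bearer tokens.
func (m *myHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	// Print debug info
	fmt.Println(r.Host)
	fmt.Println(r.Method)
	fmt.Println(r.RequestURI)
	fmt.Println(r.URL) // has many keys, such as Query
	for k, v := range r.Header {
		if sensitiveHeader(k) {
			fmt.Println(k, "[redacted]")
			continue
		}
		fmt.Println(k, v)
	}

	// This prints the body reader value, not the body's contents; the body is
	// never read by this handler.
	fmt.Println(r.Body)
	fmt.Println()
	fmt.Println()

	// r.URL.Path is empty for CONNECT requests; slicing [1:] on an empty
	// string would panic and tear down this connection's handler.
	path := r.URL.Path
	if len(path) > 0 {
		path = path[1:]
	}

	// End the request
	// TODO serve from hosting directory
	fmt.Fprintf(w, "Hi there, %s %q? Wow!\n\nWith Love,\n\t%s", r.Method, path, r.Host)
}

// sensitiveHeader reports whether a request header is one whose value must
// not be written to the debug log.
func sensitiveHeader(name string) bool {
	switch http.CanonicalHeaderKey(name) {
	case "Authorization", "Proxy-Authorization", "Cookie":
		return true
	}
	return false
}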
| 
 | |
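// main loads the default certificate, binds the listening socket and serves
// HTTPS, choosing a per-hostname certificate from the Let's Encrypt "live"
// directory by the SNI name presented in each handshake.
func main() {
	flag.Usage = usage

	port := flag.Uint("port", 443, "https port")
	certsPath := flag.String("letsencrypt-path", "/etc/letsencrypt/live", "path at which an 'xyz.example.com' containing 'fullchain.pem' and 'privkey.pem' can be found")
	defaultHost := flag.String("default-hostname", "localhost.rootprojects.org", "the default folder to find certificates to use when no matches are found")

	flag.Parse()

	host := strings.ToLower(*defaultHost)
	// See https://groups.google.com/a/letsencrypt.org/forum/#!topic/ca-dev/l1Dd6jzWeu8
	/*
		if strings.HasPrefix("www.", host) {
			fmt.Println("TODO: 'www.' prefixed certs should be obtained for every 'example.com' domain.")
		}
		host = strings.TrimPrefix("www.", host)
	*/

	// The default certificate is mandatory: it is served whenever the SNI name
	// is absent, not a plain host name, or has no certificate directory.
	fmt.Printf("Loading Certificates %s/%s/{privkey.pem,fullchain.pem}\n", *certsPath, *defaultHost)
	privkeyPath := filepath.Join(*certsPath, *defaultHost, "privkey.pem")
	certPath := filepath.Join(*certsPath, *defaultHost, "fullchain.pem")
	defaultCert, err := tls.LoadX509KeyPair(certPath, privkeyPath)
	if err != nil {
		fmt.Fprintf(os.Stderr, "Couldn't load default certificates: %s\n", err)
		os.Exit(1)
	}

	addr := ":" + strconv.Itoa(int(*port))

	ln, err := net.Listen("tcp", addr)
	if err != nil {
		fmt.Fprintf(os.Stderr, "Couldn't bind to TCP socket %q: %s\n", addr, err)
		os.Exit(1)
	}

	// certMap caches certificates found on disk, keyed by the lower-cased SNI
	// name. GetCertificate runs on every handshake goroutine, so all access is
	// serialised by certMu. Entries are pointers so the touchedAt refresh below
	// is not lost on a map-value copy.
	// TODO unload untouched certificates every x minutes
	var certMu sync.Mutex
	certMap := make(map[string]*myCert)

	tlsConfig := &tls.Config{
		Certificates: []tls.Certificate{defaultCert},
		MinVersion:   tls.VersionTLS12,
	}
	tlsConfig.GetCertificate = func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
		// SNI is case-insensitive; the live/ directories are lower-case.
		name := strings.ToLower(clientHello.ServerName)

		// The SNI value is chosen by the remote peer and is about to become
		// part of a filesystem path, so anything that is not a plain host name
		// gets the default certificate instead of a directory lookup.
		if !hostnameOK(name) {
			return &defaultCert, nil
		}

		// Load from memory
		certMu.Lock()
		entry, ok := certMap[name]
		if ok {
			entry.touchedAt = time.Now()
		}
		certMu.Unlock()
		if ok {
			return entry.cert, nil
		}

		// Two handshakes for the same new name may both reach this point and
		// load the pair twice; the load is idempotent, so the second store is
		// harmless (it only replaces the entry with an equal one).
		cert, err := loadKeyPair(*certsPath, name)
		if err != nil {
			fmt.Fprintf(os.Stderr, "Couldn't load certificates for %q: %s\n", name, err)
		}
		if cert != nil {
			certMu.Lock()
			certMap[name] = &myCert{
				cert:      cert,
				touchedAt: time.Now(),
			}
			certMu.Unlock()
			return cert, nil
		}

		// TODO try to get cert via letsencrypt python client
		// TODO check for a hosting directory before attempting this
		/*
			cmd := exec.Command(
				"./venv/bin/letsencrypt",
				"--text",
				"--agree-eula",
				"--email", "coolaj86@gmail.com",
				"--authenticator", "standalone",
				"--domains", "www.example.com",
				"--domains", "example.com",
				"--dvsni-port", "65443",
				"auth",
			)
			err := cmd.Run()
			if nil == err {
				if cert, err := loadKeyPair(*certsPath, name); err == nil && cert != nil {
					return cert, nil
				}
			}
		*/

		fmt.Fprintf(os.Stderr, "Failed to load certificates for %q.\n", clientHello.ServerName)
		fmt.Fprintf(os.Stderr, "\tTried %s/{privkey.pem,fullchain.pem}\n", filepath.Join(*certsPath, name))
		//fmt.Fprintf(os.Stderr, "\tand letsencrypt api\n")
		fmt.Fprintf(os.Stderr, "\n")
		// Misses are deliberately not cached: the map then only holds names
		// that have a certificate directory on disk, so peer-chosen SNI values
		// cannot grow it without bound, and a certificate issued later is
		// picked up on the next handshake at the cost of one os.Stat per miss.
		return &defaultCert, nil
	}
	tlsListener := tls.NewListener(ln, tlsConfig)

	server := &http.Server{
		Addr:    addr,
		Handler: &myHandler{},
		// Bound how long a client may sit on an open connection without
		// sending its request headers.
		ReadHeaderTimeout: 10 * time.Second,
	}
	fmt.Printf("Listening on https://%s:%d\n\n", host, *port)
	if err := server.Serve(tlsListener); err != nil {
		fmt.Fprintf(os.Stderr, "Server stopped: %s\n", err)
		os.Exit(1)
	}
}

// hostnameOK reports whether name may be used as a certificate directory
// name: non-empty, at most 253 bytes, no leading/trailing dot, no "..", and
// only lower-case letters, digits, '-' and '.'. Callers lower-case the name
// first. It exists because the SNI value comes straight from the peer and
// must never reach filepath.Join unchecked.
func hostnameOK(name string) bool {
	if name == "" || len(name) > 253 {
		return false
	}
	if name[0] == '.' || name[len(name)-1] == '.' || strings.Contains(name, "..") {
		return false
	}
	for _, c := range name {
		switch {
		case c >= 'a' && c <= 'z', c >= '0' && c <= '9', c == '-', c == '.':
		default:
			return false
		}
	}
	return true
}

// loadKeyPair reads <certsPath>/<name>/{fullchain.pem,privkey.pem}.
//
// It returns (nil, nil) when privkey.pem cannot be stat'ed for name, so the
// caller can tell "no certificate for this name" from "the files exist but
// could not be parsed", which is reported as a non-nil error.
func loadKeyPair(certsPath, name string) (*tls.Certificate, error) {
	privkeyPath := filepath.Join(certsPath, name, "privkey.pem")
	certPath := filepath.Join(certsPath, name, "fullchain.pem")

	if _, err := os.Stat(privkeyPath); err != nil {
		return nil, nil
	}

	fmt.Printf("Loading Certificates %s/%s/{privkey.pem,fullchain.pem}\n\n", certsPath, name)
	cert, err := tls.LoadX509KeyPair(certPath, privkeyPath)
	if err != nil {
		return nil, err
	}
	return &cert, nil
}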