dispatch/pkg/https/https.go

package https

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"time"

	"github.com/caddyserver/certmagic"
	"github.com/khlieng/dispatch/pkg/netutil"
	"github.com/klauspost/cpuid"
)

type Config struct {
	Addr      string
	PortHTTP  string
	PortHTTPS string
	HTTPOnly  bool

	StoragePath string
	Domain      string
	Email       string

	Cert string
	Key  string
}

func Serve(handler http.Handler, cfg Config) error {
	errCh := make(chan error, 1)

	httpSrv := &http.Server{
		Addr: net.JoinHostPort(cfg.Addr, cfg.PortHTTP),
	}

	if !cfg.HTTPOnly {
		httpSrv.ReadTimeout = 5 * time.Second
		httpSrv.WriteTimeout = 5 * time.Second

		httpsSrv := &http.Server{
			Addr:        net.JoinHostPort(cfg.Addr, cfg.PortHTTPS),
			ReadTimeout: 5 * time.Second,
			IdleTimeout: 120 * time.Second,
			Handler:     handler,
		}

		redirect := HTTPSRedirect(cfg.PortHTTPS, handler)

		if cfg.Cert != "" || cfg.Key != "" {
			httpSrv.Handler = redirect
			httpsSrv.TLSConfig = TLSConfig(nil)

			go func() {
				errCh <- httpSrv.ListenAndServe()
			}()

			go func() {
				errCh <- httpsSrv.ListenAndServeTLS(cfg.Cert, cfg.Key)
			}()
		} else {
			if cfg.StoragePath != "" {
				certmagic.Default.Storage = &certmagic.FileStorage{
					Path: cfg.StoragePath,
				}
			}

			certmagic.Default.MustStaple = true

			magic := certmagic.NewDefault()

			acme := certmagic.NewACMEManager(magic, certmagic.ACMEManager{
				Agreed: true,
				Email:  cfg.Email,
			})

			magic.Issuer = acme

			domains := []string{cfg.Domain}
			if cfg.Domain == "" {
				domains = []string{}
				magic.OnDemand = maxObtain(3)
			}

			err := magic.ManageSync(domains)
			if err != nil {
				return err
			}

			httpSrv.Handler = acme.HTTPChallengeHandler(redirect)
			httpsSrv.TLSConfig = TLSConfig(magic.TLSConfig())

			go func() {
				errCh <- httpSrv.ListenAndServe()
			}()

			go func() {
				errCh <- httpsSrv.ListenAndServeTLS("", "")
			}()
		}
	} else {
		httpSrv.ReadTimeout = 5 * time.Second
		httpSrv.IdleTimeout = 120 * time.Second
		httpSrv.Handler = handler

		return httpSrv.ListenAndServe()
	}

	return <-errCh
}

func HTTPSRedirect(portHTTPS string, fallback http.Handler) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		host, _, err := net.SplitHostPort(r.Host)
		if err != nil {
			host = r.Host
		}

		if fallback != nil && netutil.IsPrivate(host) {
			fallback.ServeHTTP(w, r)
			return
		}

		u := url.URL{
			Scheme: "https",
			Host:   net.JoinHostPort(host, portHTTPS),
			Path:   r.RequestURI,
		}

		w.Header().Set("Connection", "close")
		w.Header().Set("Location", u.String())
		w.WriteHeader(http.StatusMovedPermanently)
	}
}

func TLSConfig(tlsConfig *tls.Config) *tls.Config {
	if tlsConfig == nil {
		tlsConfig = &tls.Config{}
	}

	tlsConfig.MinVersion = tls.VersionTLS12
	tlsConfig.CipherSuites = defaultCipherSuites()
	tlsConfig.CurvePreferences = []tls.CurveID{
		tls.X25519,
		tls.CurveP256,
	}
	tlsConfig.PreferServerCipherSuites = true

	return tlsConfig
}

func defaultCipherSuites() []uint16 {
	if cpuid.CPU.AesNi() {
		return []uint16{
			tls.TLS_FALLBACK_SCSV,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		}
	}

	return []uint16{
		tls.TLS_FALLBACK_SCSV,
		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}
}

func maxObtain(limit int) *certmagic.OnDemandConfig {
	requested := []string{}

	return &certmagic.OnDemandConfig{
		DecisionFunc: func(name string) error {
			for _, n := range requested {
				if name == n {
					return nil
				}
			}

			if len(requested) == limit {
				return fmt.Errorf("OnDemand cert limit reached")
			}

			requested = append(requested, name)
			return nil
		},
	}
}
Pull https handling out into a new package 2018-12-31 02:33:05 +00:00			`package https`

			`import (`
			`"crypto/tls"`
Update server dependencies 2020-04-29 02:23:32 +00:00			`"fmt"`
Pull https handling out into a new package 2018-12-31 02:33:05 +00:00			`"net"`
			`"net/http"`
			`"net/url"`
			`"time"`

Update server dependencies 2020-04-29 02:23:32 +00:00			`"github.com/caddyserver/certmagic"`
Pull https handling out into a new package 2018-12-31 02:33:05 +00:00			`"github.com/khlieng/dispatch/pkg/netutil"`
			`"github.com/klauspost/cpuid"`
			`)`

			`type Config struct {`
			`Addr string`
			`PortHTTP string`
			`PortHTTPS string`
			`HTTPOnly bool`

			`StoragePath string`
			`Domain string`
			`Email string`

			`Cert string`
			`Key string`
			`}`

			`func Serve(handler http.Handler, cfg Config) error {`
			`errCh := make(chan error, 1)`

			`httpSrv := &http.Server{`
			`Addr: net.JoinHostPort(cfg.Addr, cfg.PortHTTP),`
			`}`

			`if !cfg.HTTPOnly {`
			`httpSrv.ReadTimeout = 5 * time.Second`
			`httpSrv.WriteTimeout = 5 * time.Second`

			`httpsSrv := &http.Server{`
Implement DCC streaming 2020-05-20 05:21:12 +00:00			`Addr: net.JoinHostPort(cfg.Addr, cfg.PortHTTPS),`
			`ReadTimeout: 5 * time.Second,`
			`IdleTimeout: 120 * time.Second,`
			`Handler: handler,`
Pull https handling out into a new package 2018-12-31 02:33:05 +00:00			`}`

			`redirect := HTTPSRedirect(cfg.PortHTTPS, handler)`

			`if cfg.Cert != "" \|\| cfg.Key != "" {`
			`httpSrv.Handler = redirect`
			`httpsSrv.TLSConfig = TLSConfig(nil)`

			`go func() {`
			`errCh <- httpSrv.ListenAndServe()`
			`}()`

			`go func() {`
			`errCh <- httpsSrv.ListenAndServeTLS(cfg.Cert, cfg.Key)`
			`}()`
			`} else {`
			`if cfg.StoragePath != "" {`
Update dependencies 2019-06-09 00:01:48 +00:00			`certmagic.Default.Storage = &certmagic.FileStorage{`
Pull https handling out into a new package 2018-12-31 02:33:05 +00:00			`Path: cfg.StoragePath,`
Update dependencies 2019-06-09 00:01:48 +00:00			`}`
Pull https handling out into a new package 2018-12-31 02:33:05 +00:00			`}`

Update dependencies 2019-06-09 00:01:48 +00:00			`certmagic.Default.MustStaple = true`

			`magic := certmagic.NewDefault()`
Pull https handling out into a new package 2018-12-31 02:33:05 +00:00
Update server dependencies 2020-04-29 02:23:32 +00:00			`acme := certmagic.NewACMEManager(magic, certmagic.ACMEManager{`
			`Agreed: true,`
			`Email: cfg.Email,`
			`})`

			`magic.Issuer = acme`

Pull https handling out into a new package 2018-12-31 02:33:05 +00:00			`domains := []string{cfg.Domain}`
			`if cfg.Domain == "" {`
			`domains = []string{}`
Update server dependencies 2020-04-29 02:23:32 +00:00			`magic.OnDemand = maxObtain(3)`
Pull https handling out into a new package 2018-12-31 02:33:05 +00:00			`}`

Update server dependencies 2020-04-29 02:23:32 +00:00			`err := magic.ManageSync(domains)`
Pull https handling out into a new package 2018-12-31 02:33:05 +00:00			`if err != nil {`
			`return err`
			`}`

Update server dependencies 2020-04-29 02:23:32 +00:00			`httpSrv.Handler = acme.HTTPChallengeHandler(redirect)`
Pull https handling out into a new package 2018-12-31 02:33:05 +00:00			`httpsSrv.TLSConfig = TLSConfig(magic.TLSConfig())`

			`go func() {`
			`errCh <- httpSrv.ListenAndServe()`
			`}()`

			`go func() {`
			`errCh <- httpsSrv.ListenAndServeTLS("", "")`
			`}()`
			`}`
			`} else {`
			`httpSrv.ReadTimeout = 5 * time.Second`
			`httpSrv.IdleTimeout = 120 * time.Second`
			`httpSrv.Handler = handler`

			`return httpSrv.ListenAndServe()`
			`}`

			`return <-errCh`
			`}`

			`func HTTPSRedirect(portHTTPS string, fallback http.Handler) http.HandlerFunc {`
			`return func(w http.ResponseWriter, r *http.Request) {`
			`host, _, err := net.SplitHostPort(r.Host)`
			`if err != nil {`
			`host = r.Host`
			`}`

			`if fallback != nil && netutil.IsPrivate(host) {`
			`fallback.ServeHTTP(w, r)`
			`return`
			`}`

			`u := url.URL{`
			`Scheme: "https",`
			`Host: net.JoinHostPort(host, portHTTPS),`
			`Path: r.RequestURI,`
			`}`

			`w.Header().Set("Connection", "close")`
			`w.Header().Set("Location", u.String())`
			`w.WriteHeader(http.StatusMovedPermanently)`
			`}`
			`}`

			`func TLSConfig(tlsConfig tls.Config) tls.Config {`
			`if tlsConfig == nil {`
			`tlsConfig = &tls.Config{}`
			`}`

			`tlsConfig.MinVersion = tls.VersionTLS12`
			`tlsConfig.CipherSuites = defaultCipherSuites()`
			`tlsConfig.CurvePreferences = []tls.CurveID{`
			`tls.X25519,`
			`tls.CurveP256,`
			`}`
			`tlsConfig.PreferServerCipherSuites = true`

			`return tlsConfig`
			`}`

			`func defaultCipherSuites() []uint16 {`
			`if cpuid.CPU.AesNi() {`
			`return []uint16{`
			`tls.TLS_FALLBACK_SCSV,`
			`tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,`
			`tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,`
			`tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,`
			`tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,`
			`tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,`
			`tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,`
			`}`
			`}`

			`return []uint16{`
			`tls.TLS_FALLBACK_SCSV,`
			`tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,`
			`tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,`
			`tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,`
			`tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,`
			`tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,`
			`tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}`
			`}`
Update server dependencies 2020-04-29 02:23:32 +00:00
			`func maxObtain(limit int) *certmagic.OnDemandConfig {`
			`requested := []string{}`

			`return &certmagic.OnDemandConfig{`
			`DecisionFunc: func(name string) error {`
			`for _, n := range requested {`
			`if name == n {`
			`return nil`
			`}`
			`}`

			`if len(requested) == limit {`
			`return fmt.Errorf("OnDemand cert limit reached")`
			`}`

			`requested = append(requested, name)`
			`return nil`
			`},`
			`}`
			`}`