Pull https handling out into a new package

pkg/https/https.go

@@ -0,0 +1,170 @@
+package https
+
+import (
+	"crypto/tls"
+	"net"
+	"net/http"
+	"net/url"
+	"time"
+
+	"github.com/khlieng/dispatch/pkg/netutil"
+	"github.com/klauspost/cpuid"
+	"github.com/mholt/certmagic"
+)
+
+type Config struct {
+	Addr      string
+	PortHTTP  string
+	PortHTTPS string
+	HTTPOnly  bool
+
+	StoragePath string
+	Domain      string
+	Email       string
+
+	Cert string
+	Key  string
+}
+
+func Serve(handler http.Handler, cfg Config) error {
+	errCh := make(chan error, 1)
+
+	httpSrv := &http.Server{
+		Addr: net.JoinHostPort(cfg.Addr, cfg.PortHTTP),
+	}
+
+	if !cfg.HTTPOnly {
+		httpSrv.ReadTimeout = 5 * time.Second
+		httpSrv.WriteTimeout = 5 * time.Second
+
+		httpsSrv := &http.Server{
+			Addr:         net.JoinHostPort(cfg.Addr, cfg.PortHTTPS),
+			ReadTimeout:  5 * time.Second,
+			WriteTimeout: 10 * time.Second,
+			IdleTimeout:  120 * time.Second,
+			Handler:      handler,
+		}
+
+		redirect := HTTPSRedirect(cfg.PortHTTPS, handler)
+
+		if cfg.Cert != "" || cfg.Key != "" {
+			httpSrv.Handler = redirect
+			httpsSrv.TLSConfig = TLSConfig(nil)
+
+			go func() {
+				errCh <- httpSrv.ListenAndServe()
+			}()
+
+			go func() {
+				errCh <- httpsSrv.ListenAndServeTLS(cfg.Cert, cfg.Key)
+			}()
+		} else {
+			var cache *certmagic.Cache
+			if cfg.StoragePath != "" {
+				cache = certmagic.NewCache(&certmagic.FileStorage{
+					Path: cfg.StoragePath,
+				})
+			}
+
+			magic := certmagic.NewWithCache(cache, certmagic.Config{
+				Agreed:     true,
+				Email:      cfg.Email,
+				MustStaple: true,
+			})
+
+			domains := []string{cfg.Domain}
+			if cfg.Domain == "" {
+				domains = []string{}
+				magic.OnDemand = &certmagic.OnDemandConfig{MaxObtain: 3}
+			}
+
+			err := magic.Manage(domains)
+			if err != nil {
+				return err
+			}
+
+			httpSrv.Handler = magic.HTTPChallengeHandler(redirect)
+			httpsSrv.TLSConfig = TLSConfig(magic.TLSConfig())
+
+			go func() {
+				errCh <- httpSrv.ListenAndServe()
+			}()
+
+			go func() {
+				errCh <- httpsSrv.ListenAndServeTLS("", "")
+			}()
+		}
+	} else {
+		httpSrv.ReadTimeout = 5 * time.Second
+		httpSrv.WriteTimeout = 10 * time.Second
+		httpSrv.IdleTimeout = 120 * time.Second
+		httpSrv.Handler = handler
+
+		return httpSrv.ListenAndServe()
+	}
+
+	return <-errCh
+}
+
+func HTTPSRedirect(portHTTPS string, fallback http.Handler) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		host, _, err := net.SplitHostPort(r.Host)
+		if err != nil {
+			host = r.Host
+		}
+
+		if fallback != nil && netutil.IsPrivate(host) {
+			fallback.ServeHTTP(w, r)
+			return
+		}
+
+		u := url.URL{
+			Scheme: "https",
+			Host:   net.JoinHostPort(host, portHTTPS),
+			Path:   r.RequestURI,
+		}
+
+		w.Header().Set("Connection", "close")
+		w.Header().Set("Location", u.String())
+		w.WriteHeader(http.StatusMovedPermanently)
+	}
+}
+
+func TLSConfig(tlsConfig *tls.Config) *tls.Config {
+	if tlsConfig == nil {
+		tlsConfig = &tls.Config{}
+	}
+
+	tlsConfig.MinVersion = tls.VersionTLS12
+	tlsConfig.CipherSuites = defaultCipherSuites()
+	tlsConfig.CurvePreferences = []tls.CurveID{
+		tls.X25519,
+		tls.CurveP256,
+	}
+	tlsConfig.PreferServerCipherSuites = true
+
+	return tlsConfig
+}
+
+func defaultCipherSuites() []uint16 {
+	if cpuid.CPU.AesNi() {
+		return []uint16{
+			tls.TLS_FALLBACK_SCSV,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+		}
+	}
+
+	return []uint16{
+		tls.TLS_FALLBACK_SCSV,
+		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}
+}