Let's Encrypt

2016-01-04 19:26:32 +01:00 · 2016-01-04 19:26:32 +01:00 · b55cb13e44
commit b55cb13e44
parent 22892a4073
82 changed files with 13536 additions and 107 deletions
--- a/server/https.go
+++ b/server/https.go
@ -0,0 +1,82 @@
+package server
+
+import (
+	"crypto/tls"
+	"net"
+	"net/http"
+	"os"
+	"time"
+
+	"github.com/khlieng/dispatch/Godeps/_workspace/src/github.com/spf13/viper"
+)
+
+type restartableHTTPS struct {
+	listener net.Listener
+	handler  http.Handler
+	addr     string
+	cert     string
+	key      string
+}
+
+func (r *restartableHTTPS) start() error {
+	var err error
+
+	config := &tls.Config{
+		NextProtos:   []string{"http/1.1"},
+		Certificates: make([]tls.Certificate, 1),
+	}
+
+	config.Certificates[0], err = tls.LoadX509KeyPair(r.cert, r.key)
+	if err != nil {
+		return err
+	}
+
+	ln, err := net.Listen("tcp", r.addr)
+	if err != nil {
+		return err
+	}
+
+	r.listener = tls.NewListener(tcpKeepAliveListener{ln.(*net.TCPListener)}, config)
+	return http.Serve(r.listener, r.handler)
+}
+
+func (r *restartableHTTPS) stop() {
+	r.listener.Close()
+}
+
+func (r *restartableHTTPS) restart() {
+	r.stop()
+	go r.start()
+}
+
+type tcpKeepAliveListener struct {
+	*net.TCPListener
+}
+
+func (ln tcpKeepAliveListener) Accept() (c net.Conn, err error) {
+	tc, err := ln.AcceptTCP()
+	if err != nil {
+		return
+	}
+	tc.SetKeepAlive(true)
+	tc.SetKeepAlivePeriod(3 * time.Minute)
+	return tc, nil
+}
+
+func certExists() bool {
+	cert := viper.GetString("https.cert")
+	key := viper.GetString("https.key")
+
+	if cert == "" || key == "" {
+		return false
+	}
+
+	if _, err := os.Stat(cert); err != nil {
+		return false
+	}
+	if _, err := os.Stat(key); err != nil {
+		return false
+	}
+
+	return true
+}
--- a/server/irc.go
+++ b/server/irc.go
@ -0,0 +1,36 @@
+package server
+
+import (
+	"github.com/khlieng/dispatch/irc"
+	"github.com/khlieng/dispatch/storage"
+)
+
+func reconnectIRC() {
+	for _, user := range storage.LoadUsers() {
+		session := NewSession()
+		session.user = user
+		sessions[user.UUID] = session
+		go session.write()
+
+		channels := user.GetChannels()
+
+		for _, server := range user.GetServers() {
+			i := irc.NewClient(server.Nick, server.Username)
+			i.TLS = server.TLS
+			i.Password = server.Password
+			i.Realname = server.Realname
+
+			i.Connect(server.Address)
+			session.setIRC(i.Host, i)
+			go newIRCHandler(i, session).run()
+
+			var joining []string
+			for _, channel := range channels {
+				if channel.Server == server.Address {
+					joining = append(joining, channel.Name)
+				}
+			}
+			i.Join(joining...)
+		}
+	}
+}
--- a/server/irc_handler_test.go
+++ b/server/irc_handler_test.go
@ -4,7 +4,6 @@ import (
 	"io/ioutil"
 	"log"
 	"os"
-	"path"
 	"testing"

 	"github.com/khlieng/dispatch/Godeps/_workspace/src/github.com/stretchr/testify/assert"
@ -21,8 +20,9 @@ func TestMain(m *testing.M) {
 		log.Fatal(err)
 	}

-	os.Mkdir(path.Join(tempdir, "logs"), 0777)
-	storage.Initialize(tempdir)
+	storage.SetDirectory(tempdir)
+	os.MkdirAll(storage.Path.Logs(), 0700)
+	storage.Initialize()
 	user = storage.NewUser("uuid")
 	channelStore = storage.NewChannelStore()

--- a/server/server.go
+++ b/server/server.go
@ -2,13 +2,17 @@ package server

 import (
 	"log"
+	"net"
 	"net/http"
-	"strconv"
+	"net/http/httputil"
+	"net/url"
+	"strings"
 	"sync"

 	"github.com/khlieng/dispatch/Godeps/_workspace/src/github.com/gorilla/websocket"
+	"github.com/khlieng/dispatch/Godeps/_workspace/src/github.com/spf13/viper"

-	"github.com/khlieng/dispatch/irc"
+	"github.com/khlieng/dispatch/letsencrypt"
 	"github.com/khlieng/dispatch/storage"
 )

@ -26,21 +30,66 @@ var (
 	}
 )

-func Run(port int) {
+func Run() {
 	defer storage.Close()

 	channelStore = storage.NewChannelStore()
 	sessions = make(map[string]*Session)

-	reconnect()
+	reconnectIRC()
+	startHTTP()

-	log.Println("Listening on port", port)
-	log.Fatal(http.ListenAndServe(":"+strconv.Itoa(port), handler{}))
+	select {}
 }

-type handler struct{}
+func startHTTP() {
+	port := viper.GetString("port")

-func (h handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	if viper.GetBool("https.enabled") {
+		var err error
+		portHTTPS := viper.GetString("https.port")
+		redirect := viper.GetBool("https.redirect")
+
+		https := restartableHTTPS{
+			addr:    ":" + portHTTPS,
+			handler: http.HandlerFunc(serve),
+		}
+
+		if viper.GetBool("https.redirect") {
+			log.Println("[HTTP] Listening on port", port, "(HTTPS Redirect)")
+			go http.ListenAndServe(":"+port, createHTTPSRedirect(portHTTPS))
+		}
+
+		if certExists() {
+			https.cert = viper.GetString("https.cert")
+			https.key = viper.GetString("https.key")
+		} else if domain := viper.GetString("letsencrypt.domain"); domain != "" {
+			dir := storage.Path.LetsEncrypt()
+			email := viper.GetString("letsencrypt.email")
+			lePort := viper.GetString("letsencrypt.port")
+
+			if viper.GetBool("letsencrypt.proxy") && lePort != "" && (port != "80" || !redirect) {
+				log.Println("[HTTP] Listening on port 80 (Let's Encrypt Proxy))")
+				go http.ListenAndServe(":80", http.HandlerFunc(letsEncryptProxy))
+			}
+
+			https.cert, https.key, err = letsencrypt.Run(dir, domain, email, lePort, https.restart)
+			if err != nil {
+				log.Fatal(err)
+			}
+		} else {
+			log.Fatal("Could not locate SSL certificate or private key")
+		}
+
+		log.Println("[HTTPS] Listening on port", portHTTPS)
+		https.start()
+	} else {
+		log.Println("[HTTP] Listening on port", port)
+		log.Fatal(http.ListenAndServe(":"+port, http.HandlerFunc(serve)))
+	}
+}
+
+func serve(w http.ResponseWriter, r *http.Request) {
 	if r.Method != "GET" {
 		return
 	}
@ -65,32 +114,39 @@ func upgradeWS(w http.ResponseWriter, r *http.Request) {
 	}
 }

-func reconnect() {
-	for _, user := range storage.LoadUsers() {
-		session := NewSession()
-		session.user = user
-		sessions[user.UUID] = session
-		go session.write()
-
-		channels := user.GetChannels()
-
-		for _, server := range user.GetServers() {
-			i := irc.NewClient(server.Nick, server.Username)
-			i.TLS = server.TLS
-			i.Password = server.Password
-			i.Realname = server.Realname
-
-			i.Connect(server.Address)
-			session.setIRC(i.Host, i)
-			go newIRCHandler(i, session).run()
-
-			var joining []string
-			for _, channel := range channels {
-				if channel.Server == server.Address {
-					joining = append(joining, channel.Name)
-				}
-			}
-			i.Join(joining...)
+func createHTTPSRedirect(portHTTPS string) http.HandlerFunc {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if strings.HasPrefix(r.URL.Path, "/.well-known/acme-challenge") {
+			letsEncryptProxy(w, r)
+			return
 		}
-	}
+
+		host, _, err := net.SplitHostPort(r.Host)
+		if err != nil {
+			host = r.Host
+		}
+
+		u := url.URL{
+			Scheme: "https",
+			Host:   net.JoinHostPort(host, portHTTPS),
+			Path:   r.RequestURI,
+		}
+
+		w.Header().Set("Location", u.String())
+		w.WriteHeader(http.StatusMovedPermanently)
+	})
+}
+
+func letsEncryptProxy(w http.ResponseWriter, r *http.Request) {
+	host, _, err := net.SplitHostPort(r.Host)
+	if err != nil {
+		host = r.Host
+	}
+
+	upstream := &url.URL{
+		Scheme: "http",
+		Host:   net.JoinHostPort(host, viper.GetString("letsencrypt.port")),
+	}
+
+	httputil.NewSingleHostReverseProxy(upstream).ServeHTTP(w, r)
 }