author | Steve Manuel <nilslice@gmail.com> | 2016-10-21 21:48:18 -0700 |
---|---|---|
committer | Steve Manuel <nilslice@gmail.com> | 2016-10-21 21:48:18 -0700 |
commit | 936b8aef13b164ce74f9ec11bf1385275d282df8 (patch) | |
tree | 79cec6e00e6acbfca5fd5d7c78619fc26d94554c /system/tls/enable.go | |
parent | 882a8166ce3095d390871ac6890974eb4c0d326d (diff) |
adding support for TLS encryption, providing http/2 over HTTPS connections via port 443 - certificates obtained from Let's Encrypt, which is currently the default and only supported CA
Diffstat (limited to 'system/tls/enable.go')
-rw-r--r-- | system/tls/enable.go | 74 |
1 files changed, 74 insertions, 0 deletions
diff --git a/system/tls/enable.go b/system/tls/enable.go
new file mode 100644
index 0000000..4be0aa8
--- /dev/null
+++ b/system/tls/enable.go
@@ -0,0 +1,74 @@
+package tls
+
+import (
+	"crypto/tls"
+	"log"
+	"net/http"
+	"os"
+	"path/filepath"
+	"time"
+
+	"github.com/bosssauce/ponzu/system/db"
+
+	"golang.org/x/crypto/acme/autocert"
+)
+
+var m autocert.Manager
+
+// setup attempts to locate or create the cert cache directory and the certs for TLS encryption
+func setup() {
+	pwd, err := os.Getwd()
+	if err != nil {
+		log.Fatalln("Couldn't find working directory to locate or save certificates.")
+	}
+
+	cache := autocert.DirCache(filepath.Join(pwd, "system", "tls", "certs"))
+	if _, err := os.Stat(string(cache)); os.IsNotExist(err) {
+		err := os.MkdirAll(string(cache), os.ModePerm|os.ModeDir)
+		if err != nil {
+			log.Fatalln("Couldn't create cert directory at", cache)
+		}
+	}
+
+	// get host/domain and email from Config to use for TLS request to Let's encryption.
+	// we will fail fatally if either are not found since Let's Encrypt will rate-limit
+	// and sending incomplete requests is wasteful and guarenteed to fail its check
+	host, err := db.Config("domain")
+	if err != nil {
+		log.Fatalln("Error identifying host/domain during TLS set-up.", err)
+	}
+
+	if host == nil {
+		log.Fatalln("No 'domain' field set in Configuration. Please add a domain before attempting to make certificates.")
+	}
+
+	email, err := db.Config("admin_email")
+	if err != nil {
+		log.Fatalln("Error identifying admin email during TLS set-up.", err)
+	}
+
+	if email == nil {
+		log.Fatalln("No 'admin_email' field set in Configuration. Please add an admin email before attempting to make certificates.")
+	}
+
+	m = autocert.Manager{
+		Prompt: autocert.AcceptTOS,
+		Cache: cache,
+		HostPolicy: autocert.HostWhitelist(string(host)),
+		RenewBefore: time.Hour * 24 * 30,
+		Email: string(email),
+	}
+
+}
+
+// Enable runs the setup for creating or locating certificates and starts the TLS server
+func Enable() {
+	setup()
+
+	server := &http.Server{
+		Addr: ":443",
+		TLSConfig: &tls.Config{GetCertificate: m.GetCertificate},
+	}
+
+	go log.Fatalln(server.ListenAndServeTLS("", ""))
+}
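Review bot: `go log.Fatalln(server.ListenAndServeTLS("", ""))` at the end of Enable does not start the server in the background: the argument `server.ListenAndServeTLS("", "")` is evaluated in the calling goroutine before the new goroutine exists, so Enable blocks until the listener returns and only then spawns a goroutine whose sole job is to call log.Fatalln; if a non-blocking start is intended it should read `go func() { log.Fatalln(server.ListenAndServeTLS("", "")) }()`. In setup, the certificate cache directory is created with `os.ModePerm` (0777 before umask) although autocert will store the ACME account key and certificate private keys there; `0700` is the appropriate mode, and the preceding `os.Stat` check is redundant because MkdirAll already succeeds on an existing directory. The `http.Server` on :443 sets neither `ReadTimeout` nor `WriteTimeout`, and the `tls.Config` leaves `MinVersion` unset, which on the Go release of this commit presumably still permits TLS 1.0 — consider `MinVersion: tls.VersionTLS12` plus explicit timeouts. The `host == nil` and `email == nil` guards let an empty-but-non-nil value reach `HostWhitelist` and `Email`; if db.Config can return an empty slice, `len(host) == 0` and `len(email) == 0` are the safer tests.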