From 936b8aef13b164ce74f9ec11bf1385275d282df8 Mon Sep 17 00:00:00 2001
From: Steve Manuel
Date: Fri, 21 Oct 2016 21:48:18 -0700
Subject: adding support for TLS encryption, providing http/2 over HTTPS connections via port 443 - certificates obtained from Lets Encrypt, which is currently the default and only supprted CA
---
 system/tls/enable.go | 74 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 74 insertions(+)
 create mode 100644 system/tls/enable.go
(limited to 'system/tls/enable.go')
diff --git a/system/tls/enable.go b/system/tls/enable.go
new file mode 100644
index 0000000..4be0aa8
--- /dev/null
+++ b/system/tls/enable.go
@@ -0,0 +1,74 @@
+package tls
+
+import (
+ "crypto/tls"
+ "log"
+ "net/http"
+ "os"
+ "path/filepath"
+ "time"
+
+ "github.com/bosssauce/ponzu/system/db"
+
+ "golang.org/x/crypto/acme/autocert"
+)
+
+var m autocert.Manager
+
+// setup attempts to locate or create the cert cache directory and the certs for TLS encryption
+func setup() {
+ pwd, err := os.Getwd()
+ if err != nil {
+ log.Fatalln("Couldn't find working directory to locate or save certificates.")
+ }
+
+ cache := autocert.DirCache(filepath.Join(pwd, "system", "tls", "certs"))
+ if _, err := os.Stat(string(cache)); os.IsNotExist(err) {
+ err := os.MkdirAll(string(cache), os.ModePerm|os.ModeDir)
+ if err != nil {
+ log.Fatalln("Couldn't create cert directory at", cache)
+ }
+ }
+
+ // get host/domain and email from Config to use for TLS request to Let's encryption.
+ // we will fail fatally if either are not found since Let's Encrypt will rate-limit
+ // and sending incomplete requests is wasteful and guarenteed to fail its check
+ host, err := db.Config("domain")
+ if err != nil {
+ log.Fatalln("Error identifying host/domain during TLS set-up.", err)
+ }
+
+ if host == nil {
+ log.Fatalln("No 'domain' field set in Configuration. Please add a domain before attempting to make certificates.")
+ }
+
+ email, err := db.Config("admin_email")
+ if err != nil {
+ log.Fatalln("Error identifying admin email during TLS set-up.", err)
+ }
+
+ if email == nil {
+ log.Fatalln("No 'admin_email' field set in Configuration. 
Please add an admin email before attempting to make certificates.")
+ }
+
+ m = autocert.Manager{
+ Prompt: autocert.AcceptTOS,
+ Cache: cache,
+ HostPolicy: autocert.HostWhitelist(string(host)),
+ RenewBefore: time.Hour * 24 * 30,
+ Email: string(email),
+ }
+
+}
+
+// Enable runs the setup for creating or locating certificates and starts the TLS server
+func Enable() {
+ setup()
+
+ server := &http.Server{
+ Addr: ":443",
+ TLSConfig: &tls.Config{GetCertificate: m.GetCertificate},
+ }
+
+ go log.Fatalln(server.ListenAndServeTLS("", ""))
+}
-- cgit v1.2.3
From 5d7ac0a00e9f4c33e095be9be4d79ae302c0c4c4 Mon Sep 17 00:00:00 2001
From: Steve Manuel
Date: Mon, 24 Oct 2016 15:42:35 -0700
Subject: removing debug printlns and modifying other fmt.Println to log.Println for consistency
---
 system/tls/enable.go | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'system/tls/enable.go')
diff --git a/system/tls/enable.go b/system/tls/enable.go
index 4be0aa8..c53fac6 100644
--- a/system/tls/enable.go
+++ b/system/tls/enable.go
@@ -2,6 +2,7 @@ package tls
 import (
 "crypto/tls"
+ "fmt"
 "log"
 "net/http"
 "os"
@@ -41,6 +42,8 @@ func setup() {
 if host == nil {
 log.Fatalln("No 'domain' field set in Configuration. Please add a domain before attempting to make certificates.")
 }
+ fmt.Println("Using", host, "as host/domain for certificate...")
+ fmt.Println("NOTE: if the host/domain is not configured properly or is unreachable, HTTPS set-up will fail.")
 email, err := db.Config("admin_email")
 if err != nil {
@@ -50,6 +53,7 @@ func setup() {
 if email == nil {
 log.Fatalln("No 'admin_email' field set in Configuration. Please add an admin email before attempting to make certificates.")
 }
+ fmt.Println("Using", email, "as contact email for certificate...")
 m = autocert.Manager{
 Prompt: autocert.AcceptTOS,
@@ -71,4 +75,5 @@ func Enable() {
 }
 go log.Fatalln(server.ListenAndServeTLS("", ""))
+ fmt.Println("Server listening for HTTPS requests...")
 }
-- cgit v1.2.3
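Review bot: `go log.Fatalln(server.ListenAndServeTLS("", ""))` at the end of Enable does not run the server in the background: a go statement evaluates its arguments in the calling goroutine, so ListenAndServeTLS executes synchronously, Enable blocks until it returns, and only then does a fresh goroutine call log.Fatalln with the result. The call has to be wrapped in a closure, and while the server is being touched the public :443 listener should get `ReadTimeout`/`WriteTimeout` values (tuned for the deployment) so idle or slow clients cannot hold connections open indefinitely, plus `MinVersion: tls.VersionTLS12` rather than the library default. Earlier in the hunk, setup creates the certificate cache with `os.MkdirAll(string(cache), os.ModePerm|os.ModeDir)`, i.e. 0777 less umask, for a directory that will hold the ACME account key and certificate private keys; `os.MkdirAll(string(cache), 0700)` is the appropriate mode, and autocert.DirCache appears to create the directory itself with 0700 on first write, so the explicit MkdirAll may be unnecessary altogether.
```go
func Enable() {
	setup()

	server := &http.Server{
		Addr:         ":443",
		TLSConfig:    &tls.Config{GetCertificate: m.GetCertificate, MinVersion: tls.VersionTLS12},
		ReadTimeout:  10 * time.Second, // constructed sample values; tune for the deployment
		WriteTimeout: 30 * time.Second,
	}

	// The go statement evaluates its arguments in the caller, so the blocking
	// ListenAndServeTLS call must live inside the goroutine, not be its argument.
	go func() {
		log.Fatalln(server.ListenAndServeTLS("", ""))
	}()
}
```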
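Review bot: The added `fmt.Println("Using", host, "as host/domain for certificate...")`, and `fmt.Println("Using", email, ...)` in the following hunk, will not print the configured values as text: elsewhere in this file `host` and `email` are compared with nil and converted with `string(host)`/`string(email)`, so they are byte (or rune) slices, which Println renders as a bracketed list of numbers. Pass `string(host)` and `string(email)` to Println instead. The commit message says the other fmt.Println calls were changed to log.Println for consistency, yet all the new messages here and in the last hunk use fmt.Println; log.Println would match the surrounding log.Fatalln calls and carry timestamps, which also helps when reconstructing a failed certificate issuance from the logs. setup's body begins and ends outside this hunk.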
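Review bot: `fmt.Println("Server listening for HTTPS requests...")` is emitted before anything confirms that port 443 was bound or a certificate obtained, so a bind or ACME failure still produces a "listening" message immediately followed by the fatal error. With the preceding `go log.Fatalln(server.ListenAndServeTLS("", ""))` as written, the go statement evaluates ListenAndServeTLS in the caller, so in practice this line is only reached once the server has already stopped. Printing the message inside a closure immediately before the ListenAndServeTLS call would at least order it truthfully; Enable's body starts outside this hunk.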