From 936b8aef13b164ce74f9ec11bf1385275d282df8 Mon Sep 17 00:00:00 2001
From: Steve Manuel
Date: Fri, 21 Oct 2016 21:48:18 -0700
Subject: adding support for TLS encryption, providing http/2 over HTTPS connections via port 443 - certificates obtained from Lets Encrypt, which is currently the default and only supprted CA
---
system/tls/enable.go | 74 ++++++++++++++++++++++++++++++++++++++++++++++++++++
system/tls/init.go | 74 ----------------------------------------------------
2 files changed, 74 insertions(+), 74 deletions(-)
create mode 100644 system/tls/enable.go
delete mode 100644 system/tls/init.go
(limited to 'system')
diff --git a/system/tls/enable.go b/system/tls/enable.go
new file mode 100644
index 0000000..4be0aa8
--- /dev/null
+++ b/system/tls/enable.go
@@ -0,0 +1,74 @@
+package tls
+
+import (
+ "crypto/tls"
+ "log"
+ "net/http"
+ "os"
+ "path/filepath"
+ "time"
+
+ "github.com/bosssauce/ponzu/system/db"
+
+ "golang.org/x/crypto/acme/autocert"
+)
+
+var m autocert.Manager
+
+// setup attempts to locate or create the cert cache directory and the certs for TLS encryption
+func setup() {
+ pwd, err := os.Getwd()
+ if err != nil {
+ log.Fatalln("Couldn't find working directory to locate or save certificates.")
+ }
+
+ cache := autocert.DirCache(filepath.Join(pwd, "system", "tls", "certs"))
+ if _, err := os.Stat(string(cache)); os.IsNotExist(err) {
+ err := os.MkdirAll(string(cache), os.ModePerm|os.ModeDir)
+ if err != nil {
+ log.Fatalln("Couldn't create cert directory at", cache)
+ }
+ }
+
+ // get host/domain and email from Config to use for TLS request to Let's encryption.
+ // we will fail fatally if either are not found since Let's Encrypt will rate-limit
+ // and sending incomplete requests is wasteful and guarenteed to fail its check
+ host, err := db.Config("domain")
+ if err != nil {
+ log.Fatalln("Error identifying host/domain during TLS set-up.", err)
+ }
+
+ if host == nil {
+ log.Fatalln("No 'domain' field set in Configuration. Please add a domain before attempting to make certificates.")
+ }
+
+ email, err := db.Config("admin_email")
+ if err != nil {
+ log.Fatalln("Error identifying admin email during TLS set-up.", err)
+ }
+
+ if email == nil {
+ log.Fatalln("No 'admin_email' field set in Configuration. 
Please add an admin email before attempting to make certificates.")
+ }
+
+ m = autocert.Manager{
+ Prompt: autocert.AcceptTOS,
+ Cache: cache,
+ HostPolicy: autocert.HostWhitelist(string(host)),
+ RenewBefore: time.Hour * 24 * 30,
+ Email: string(email),
+ }
+
+}
+
+// Enable runs the setup for creating or locating certificates and starts the TLS server
+func Enable() {
+ setup()
+
+ server := &http.Server{
+ Addr: ":443",
+ TLSConfig: &tls.Config{GetCertificate: m.GetCertificate},
+ }
+
+ go log.Fatalln(server.ListenAndServeTLS("", ""))
+}
diff --git a/system/tls/init.go b/system/tls/init.go
deleted file mode 100644
index 80e1ef3..0000000
--- a/system/tls/init.go
+++ /dev/null
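Review bot: `go log.Fatalln(server.ListenAndServeTLS("", ""))` at the end of Enable does not put the server in the background: the arguments of a go statement are evaluated in the calling goroutine, so ListenAndServeTLS blocks Enable until the listener fails, and only then does log.Fatalln run in the new goroutine. The intended form is `go func() { log.Fatalln(server.ListenAndServeTLS("", "")) }()`. Separately, the cert cache directory in setup is created with `os.ModePerm|os.ModeDir` (0777 before umask) even though it will hold the ACME account key and certificate private keys and only this process needs to write there; `os.MkdirAll(string(cache), 0700)` is the appropriate mode. The http.Server on :443 also sets no ReadTimeout/WriteTimeout/IdleTimeout and the tls.Config no MinVersion, so idle or slow connections hold resources indefinitely and the protocol floor is whatever this Go version's default is; both are worth pinning before the port is exposed.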
@@ -1,74 +0,0 @@
-package tls
-
-import (
- "crypto/tls"
- "log"
- "net/http"
- "os"
- "path/filepath"
- "time"
-
- "github.com/bosssauce/ponzu/system/db"
-
- "golang.org/x/crypto/acme/autocert"
-)
-
-var m autocert.Manager
-
-// setup attempts to locate or create the cert cache directory and the certs for TLS encryption
-func setup() {
- pwd, err := os.Getwd()
- if err != nil {
- log.Fatalln("Couldn't find working directory to locate or save certificates.")
- }
-
- cache := autocert.DirCache(filepath.Join(pwd, "system", "tls", "certs"))
- if _, err := os.Stat(string(cache)); os.IsNotExist(err) {
- err := os.MkdirAll(string(cache), os.ModePerm|os.ModeDir)
- if err != nil {
- log.Fatalln("Couldn't create cert directory at", cache)
- }
- }
-
- // get host/domain and email from Config to use for TLS request to Let's encryption.
- // we will fail fatally if either are not found since Let's Encrypt will rate-limit
- // and sending incomplete requests is wasteful and guarenteed to fail its check
- host, err := db.Config("domain")
- if err != nil {
- log.Fatalln("Error identifying host/domain during TLS set-up.", err)
- }
-
- if host == nil {
- log.Fatalln("No 'domain' field set in Configuration. Please add a domain before attempting to make certificates.")
- }
-
- email, err := db.Config("admin_email")
- if err != nil {
- log.Fatalln("Error identifying admin email during TLS set-up.", err)
- }
-
- if email == nil {
- log.Fatalln("No 'admin_email' field set in Configuration. 
Please add an admin email before attempting to make certificates.")
- }
-
- m = autocert.Manager{
- Prompt: autocert.AcceptTOS,
- Cache: cache,
- HostPolicy: autocert.HostWhitelist(string(host)),
- RenewBefore: time.Hour * 24 * 30,
- Email: string(email),
- }
-
-}
-
-// Enable runs the setup for creating or locating certificates and starts the TLS server
-func Enable() {
- setup()
-
- server := &http.Server{
- Addr: ":443",
- TLSConfig: &tls.Config{GetCertificate: m.GetCertificate},
- }
-
- go server.ListenAndServeTLS("", "")
-}
-- cgit v1.2.3