diff --git a/internal/config/config.go b/internal/config/config.go
index 2d7ff47..48d619a 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -47,10 +47,10 @@ const (
 tlsDisableKey = "IONSCALE_TLS_DISABLE"
 tlsCertFileKey = "IONSCALE_TLS_CERT_FILE"
 tlsKeyFileKey = "IONSCALE_TLS_KEY_FILE"
- tlsCertMagicCAKey = "IONSCALE_TLS_CERT_MAGIC_CA"
- tlsCertMagicDomainKey = "IONSCALE_TLS_CERT_MAGIC_DOMAIN"
- tlsCertMagicEmailKey = "IONSCALE_TLS_CERT_MAGIC_EMAIL"
- tlsCertMagicStoragePath = "IONSCALE_TLS_CERT_MAGIC_STORAGE_PATH"
+ tlsAcmeKey = "IONSCALE_TLS_ACME"
+ tlsAcmeCAKey = "IONSCALE_TLS_ACME_CA"
+ tlsAcmeEmailKey = "IONSCALE_TLS_ACME_EMAIL"
+ tlsAcmePath = "IONSCALE_TLS_ACME_PATH"
 metricsListenAddrKey = "IONSCALE_METRICS_LISTEN_ADDR"
 loggingLevelKey = "IONSCALE_LOGGING_LEVEL"
 loggingFormatKey = "IONSCALE_LOGGING_FORMAT"
@@ -74,13 +74,12 @@ func defaultConfig() *Config {
 Url: GetString(databaseUrlKey, "ionscale.db"),
 },
 Tls: Tls{
- Disable: GetBool(tlsDisableKey, false),
- CertFile: GetString(tlsCertFileKey, ""),
- KeyFile: GetString(tlsKeyFileKey, ""),
- CertMagicCA: GetString(tlsCertMagicCAKey, certmagic.LetsEncryptProductionCA),
- CertMagicDomain: GetString(tlsCertMagicDomainKey, ""),
- CertMagicEmail: GetString(tlsCertMagicEmailKey, ""),
- CertMagicStoragePath: GetString(tlsCertMagicStoragePath, ""),
+ Disable: GetBool(tlsDisableKey, false),
+ CertFile: GetString(tlsCertFileKey, ""),
+ KeyFile: GetString(tlsKeyFileKey, ""),
+ AcmeCA: GetString(tlsAcmeCAKey, certmagic.LetsEncryptProductionCA),
+ AcmeEmail: GetString(tlsAcmeEmailKey, ""),
+ AcmePath: GetString(tlsAcmePath, ""),
 },
 AuthProvider: AuthProvider{
 Issuer: GetString(authProviderIssuerKey, ""),
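Review bot: `tlsAcmeKey` (`IONSCALE_TLS_ACME`) is declared in the first hunk, but the `Tls{...}` literal in `defaultConfig` never reads it, so `AcmeEnabled` stays false unless it is set through YAML or somewhere outside this diff, while every other Tls field gets its env-var counterpart here. Add `AcmeEnabled: GetBool(tlsAcmeKey, false),` to the literal next to `Disable`. Note that `AcmeCA` still defaults to the Let's Encrypt production endpoint, so an operator who flips the new flag on with a misconfigured host will burn production issuance attempts; worth a comment on the default. `defaultConfig` continues past the end of the hunk.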
@@ -115,13 +114,13 @@ type Config struct {
 }
 type Tls struct {
- Disable bool `yaml:"disable"`
- CertFile string `yaml:"cert_file,omitempty"`
- KeyFile string `yaml:"key_file,omitempty"`
- CertMagicDomain string `yaml:"cert_magic_domain,omitempty"`
- CertMagicEmail string `yaml:"cert_magic_email,omitempty"`
- CertMagicCA string `yaml:"cert_magic_ca,omitempty"`
- CertMagicStoragePath string `yaml:"cert_magic_storage_path,omitempty"`
+ Disable bool `yaml:"disable"`
+ CertFile string `yaml:"cert_file,omitempty"`
+ KeyFile string `yaml:"key_file,omitempty"`
+ AcmeEnabled bool `yaml:"acme,omitempty"`
+ AcmeEmail string `yaml:"acme_email,omitempty"`
+ AcmeCA string `yaml:"acme_ca,omitempty"`
+ AcmePath string `yaml:"acme_path,omitempty"`
 }
 type Logging struct {
diff --git a/internal/handlers/http_redirect.go b/internal/handlers/http_redirect.go
index 876b063..a5694c2 100644
--- a/internal/handlers/http_redirect.go
+++ b/internal/handlers/http_redirect.go
@@ -9,7 +9,11 @@ import (
 )
 func HttpRedirectHandler(tls config.Tls) echo.HandlerFunc {
- if tls.CertMagicDomain != "" {
+ if tls.Disable {
+ return IndexHandler(http.StatusNotFound)
+ }
+
+ if tls.AcmeEnabled {
 cfg := certmagic.NewDefault()
 if len(cfg.Issuers) > 0 {
 if am, ok := cfg.Issuers[0].(*certmagic.ACMEIssuer); ok {
@@ -19,10 +23,6 @@ func HttpRedirectHandler(tls config.Tls) echo.HandlerFunc {
 }
 }
- if tls.Disable {
- return IndexHandler(http.StatusNotFound)
- }
-
 return echo.WrapHandler(http.HandlerFunc(httpRedirectHandler))
 }
diff --git a/internal/server/server.go b/internal/server/server.go
index 4d76b44..9bc7b94 100644
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -23,6 +23,7 @@ import (
 "log"
 "net"
 "net/http"
+ "net/url"
 "os"
 "strings"
 "tailscale.com/types/key"
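Review bot: The new `AcmeEnabled` field carries no comment, and its meaning differs from the `CertMagicDomain` it replaces: the certificate host is no longer configured in this struct but taken from the server URL's host elsewhere in this diff, and when the flag is true `tlsListener` returns before `CertFile`/`KeyFile` are ever read. Document that on the field: `// AcmeEnabled obtains the HTTPS certificate via ACME for the host of the server URL; CertFile and KeyFile are ignored when it is set.` and on `AcmeCA`: `// AcmeCA is the ACME directory URL; defaults to Let's Encrypt production, use a staging CA while testing.` The enclosing `Config` struct starts before this hunk.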
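Review bot: Moving the `tls.Disable` check ahead of `tls.AcmeEnabled` means that with both flags set the ACME issuer branch (which presumably installs the HTTP-01 challenge handler; its body is cut off at the hunk edge) is skipped, yet `Start` in server.go still calls `cfg.ManageAsync` whenever `AcmeEnabled` is true without consulting `Disable`, so the server would keep placing orders that can never be validated. Either reject the combination once at config load or guard the ACME block in `Start` the same way this handler does: `if c.Tls.AcmeEnabled && !c.Tls.Disable {`. `HttpRedirectHandler` is split across the two hunks; what happens with `am` between them is not visible here.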
@@ -52,17 +53,22 @@ func Start(c *config.Config) error {
 go offlineTimers.Start()
 go reaper.Start()
+ serverUrl, err := url.Parse(c.ServerUrl)
+ if err != nil {
+ return err
+ }
+
 // prepare CertMagic
- if c.Tls.CertMagicDomain != "" {
+ if c.Tls.AcmeEnabled {
 certmagic.DefaultACME.Agreed = true
- certmagic.DefaultACME.Email = c.Tls.CertMagicEmail
- certmagic.DefaultACME.CA = c.Tls.CertMagicCA
- if c.Tls.CertMagicStoragePath != "" {
- certmagic.Default.Storage = &certmagic.FileStorage{Path: c.Tls.CertMagicStoragePath}
+ certmagic.DefaultACME.Email = c.Tls.AcmeEmail
+ certmagic.DefaultACME.CA = c.Tls.AcmeCA
+ if c.Tls.AcmePath != "" {
+ certmagic.Default.Storage = &certmagic.FileStorage{Path: c.Tls.AcmePath}
 }
 cfg := certmagic.NewDefault()
- if err := cfg.ManageAsync(context.Background(), []string{c.Tls.CertMagicDomain}); err != nil {
+ if err := cfg.ManageAsync(context.Background(), []string{serverUrl.Host}); err != nil {
 return err
 }
@@ -166,8 +172,8 @@ func Start(c *config.Config) error {
 g.Go(func() error { return http.Serve(nonTlsL, nonTlsAppHandler) })
 }
- if c.Tls.CertMagicDomain != "" {
- logger.Info("TLS is enabled with CertMagic", "domain", c.Tls.CertMagicDomain)
+ if c.Tls.AcmeEnabled {
+ logger.Info("TLS is enabled with ACME", "domain", serverUrl.Host)
 logger.Info("Server is running", "http_addr", c.HttpListenAddr, "https_addr", c.HttpsListenAddr, "metrics_addr", c.MetricsListenAddr)
 } else if !c.Tls.Disable {
 logger.Info("TLS is enabled", "cert", c.Tls.CertFile)
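Review bot: `serverUrl.Host` keeps the port, so a server URL such as `https://vpn.example.com:8443` hands `vpn.example.com:8443` to `cfg.ManageAsync`, which is not a valid ACME identifier, and a URL given without a scheme parses with an empty `Host` that is passed on silently because `url.Parse` rejects very little. Use `host := serverUrl.Hostname()`, fail early with `if host == "" { return errors.New("server url must contain a host name when ACME is enabled") }`, and pass `[]string{host}` to `ManageAsync`; the log line in the next hunk should print the same value. `errors` may need adding to the import block, which in this diff only gains `net/url`. `Start` continues beyond this hunk.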
@@ -202,25 +208,25 @@ func metricsListener(config *config.Config) (net.Listener, error) {
 }
 func tlsListener(config *config.Config) (net.Listener, error) {
- if config.Tls.CertMagicDomain != "" {
+ if config.Tls.Disable {
+ return nil, nil
+ }
+
+ if config.Tls.AcmeEnabled {
 cfg := certmagic.NewDefault()
 tlsConfig := cfg.TLSConfig()
 tlsConfig.NextProtos = append([]string{"h2", "http/1.1"}, tlsConfig.NextProtos...)
 return tls.Listen("tcp", config.HttpsListenAddr, tlsConfig)
 }
- if !config.Tls.Disable {
- cer, err := tls.LoadX509KeyPair(config.Tls.CertFile, config.Tls.KeyFile)
- if err != nil {
- return nil, err
- }
-
- tlsConfig := &tls.Config{Certificates: []tls.Certificate{cer}}
-
- return tls.Listen("tcp", config.HttpsListenAddr, tlsConfig)
+ cer, err := tls.LoadX509KeyPair(config.Tls.CertFile, config.Tls.KeyFile)
+ if err != nil {
+ return nil, err
 }
- return nil, nil
+ tlsConfig := &tls.Config{Certificates: []tls.Certificate{cer}}
+
+ return tls.Listen("tcp", config.HttpsListenAddr, tlsConfig)
 }
 func nonTlsListener(config *config.Config) (net.Listener, error) {
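Review bot: The static-certificate path builds `&tls.Config{Certificates: ...}` with neither `MinVersion` nor `NextProtos`, while the ACME branch a few lines up advertises `h2`/`http/1.1`; whether TLS 1.0/1.1 is accepted then depends on the Go toolchain's default, and HTTP/2 is only negotiable on the ACME path (assuming the listener is served by `http.Serve` as the non-TLS one is). Make the two branches equivalent: `tlsConfig := &tls.Config{Certificates: []tls.Certificate{cer}, MinVersion: tls.VersionTLS12, NextProtos: []string{"h2", "http/1.1"}}`. Separately, with `Disable` and `AcmeEnabled` both false and `CertFile`/`KeyFile` left empty, `LoadX509KeyPair("", "")` now fails with an open-file error that does not name the missing option; a check such as `if config.Tls.CertFile == "" || config.Tls.KeyFile == "" { return nil, errors.New("tls: cert_file and key_file are required unless acme is enabled or tls is disabled") }` before the load would tell the operator what to fix.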