pogpp/lego
1
0
Fork 0
forked from TrueCloudLab/lego
Code Pull requests Activity
lego/challenge/http01/http_challenge_server.go

123 lines
4 KiB
Go
Raw Normal View History

chore: migrate to new org. (#824)
2019-03-11 16:56:48 +00:00
package http01
Refactor challenge providers to new ChallengeProvider interface * new ChallengeProvider with Present and CleanUp methods * new Challenge type describing `http-01`, `tls-sni-01`, `dns-01` * new client.SetChallengeProvider to support custom implementations
2016-01-15 04:06:25 +00:00
import (
"fmt"
"net"
"net/http"
feat: ease operation behind proxy servers (#974)
2019-10-05 11:44:38 +00:00
"net/textproto"
Refactor challenge providers to new ChallengeProvider interface * new ChallengeProvider with Present and CleanUp methods * new Challenge type describing `http-01`, `tls-sni-01`, `dns-01` * new client.SetChallengeProvider to support custom implementations
2016-01-15 04:06:25 +00:00
"strings"
ACME V2 support (#555)
2018-05-30 17:53:04 +00:00
chore: migrate to go module (v3.0.0) - chore: update dependencies: use version with go modules. - chore: remove dep. - chore: update backoff imports. - chore: init go module. - chore: update CI. - chore: mod v3 - chore: update docker image.
2019-07-30 19:19:32 +00:00
"github.com/go-acme/lego/v3/log"
Refactor challenge providers to new ChallengeProvider interface * new ChallengeProvider with Present and CleanUp methods * new Challenge type describing `http-01`, `tls-sni-01`, `dns-01` * new client.SetChallengeProvider to support custom implementations
2016-01-15 04:06:25 +00:00
)
Refactor the core of the lib (#700) - Packages - Isolate code used by the CLI into the package `cmd` - (experimental) Add e2e tests for HTTP01, TLS-ALPN-01 and DNS-01, use [Pebble](https://github.com/letsencrypt/pebble) and [challtestsrv](https://github.com/letsencrypt/boulder/tree/master/test/challtestsrv) - Support non-ascii domain name (punnycode) - Check all challenges in a predictable order - No more global exported variables - Archive revoked certificates - Fixes revocation for subdomains and non-ascii domains - Disable pending authorizations - use pointer for RemoteError/ProblemDetails - Poll authz URL instead of challenge URL - The ability for a DNS provider to solve the challenge sequentially - Check all nameservers in a predictable order - Option to disable the complete propagation Requirement - CLI, support for renew with CSR - CLI, add SAN on renew - Add command to list certificates. - Logs every iteration of waiting for the propagation - update DNSimple client - update github.com/miekg/dns
2018-12-06 21:50:17 +00:00
// ProviderServer implements ChallengeProvider for `http-01` challenge
// It may be instantiated without using the NewProviderServer function if
Move the HTTP-01 and TLS-SNI-01 default solvers to a more unified layout. Made the solvers exported and added New... functions to them.
2016-02-14 15:56:14 +00:00
// you want only to use the default values.
Refactor the core of the lib (#700) - Packages - Isolate code used by the CLI into the package `cmd` - (experimental) Add e2e tests for HTTP01, TLS-ALPN-01 and DNS-01, use [Pebble](https://github.com/letsencrypt/pebble) and [challtestsrv](https://github.com/letsencrypt/boulder/tree/master/test/challtestsrv) - Support non-ascii domain name (punnycode) - Check all challenges in a predictable order - No more global exported variables - Archive revoked certificates - Fixes revocation for subdomains and non-ascii domains - Disable pending authorizations - use pointer for RemoteError/ProblemDetails - Poll authz URL instead of challenge URL - The ability for a DNS provider to solve the challenge sequentially - Check all nameservers in a predictable order - Option to disable the complete propagation Requirement - CLI, support for renew with CSR - CLI, add SAN on renew - Add command to list certificates. - Logs every iteration of waiting for the propagation - update DNSimple client - update github.com/miekg/dns
2018-12-06 21:50:17 +00:00
type ProviderServer struct {
Refactor challenge providers to new ChallengeProvider interface * new ChallengeProvider with Present and CleanUp methods * new Challenge type describing `http-01`, `tls-sni-01`, `dns-01` * new client.SetChallengeProvider to support custom implementations
2016-01-15 04:06:25 +00:00
iface string
port string
feat: ease operation behind proxy servers (#974)
2019-10-05 11:44:38 +00:00
matcher domainMatcher
Refactor challenge providers to new ChallengeProvider interface * new ChallengeProvider with Present and CleanUp methods * new Challenge type describing `http-01`, `tls-sni-01`, `dns-01` * new client.SetChallengeProvider to support custom implementations
2016-01-15 04:06:25 +00:00
done chan bool
listener net.Listener
}
Refactor the core of the lib (#700) - Packages - Isolate code used by the CLI into the package `cmd` - (experimental) Add e2e tests for HTTP01, TLS-ALPN-01 and DNS-01, use [Pebble](https://github.com/letsencrypt/pebble) and [challtestsrv](https://github.com/letsencrypt/boulder/tree/master/test/challtestsrv) - Support non-ascii domain name (punnycode) - Check all challenges in a predictable order - No more global exported variables - Archive revoked certificates - Fixes revocation for subdomains and non-ascii domains - Disable pending authorizations - use pointer for RemoteError/ProblemDetails - Poll authz URL instead of challenge URL - The ability for a DNS provider to solve the challenge sequentially - Check all nameservers in a predictable order - Option to disable the complete propagation Requirement - CLI, support for renew with CSR - CLI, add SAN on renew - Add command to list certificates. - Logs every iteration of waiting for the propagation - update DNSimple client - update github.com/miekg/dns
2018-12-06 21:50:17 +00:00
// NewProviderServer creates a new ProviderServer on the selected interface and port.
Move the HTTP-01 and TLS-SNI-01 default solvers to a more unified layout. Made the solvers exported and added New... functions to them.
2016-02-14 15:56:14 +00:00
// Setting iface and / or port to an empty string will make the server fall back to
// the "any" interface and port 80 respectively.
Refactor the core of the lib (#700) - Packages - Isolate code used by the CLI into the package `cmd` - (experimental) Add e2e tests for HTTP01, TLS-ALPN-01 and DNS-01, use [Pebble](https://github.com/letsencrypt/pebble) and [challtestsrv](https://github.com/letsencrypt/boulder/tree/master/test/challtestsrv) - Support non-ascii domain name (punnycode) - Check all challenges in a predictable order - No more global exported variables - Archive revoked certificates - Fixes revocation for subdomains and non-ascii domains - Disable pending authorizations - use pointer for RemoteError/ProblemDetails - Poll authz URL instead of challenge URL - The ability for a DNS provider to solve the challenge sequentially - Check all nameservers in a predictable order - Option to disable the complete propagation Requirement - CLI, support for renew with CSR - CLI, add SAN on renew - Add command to list certificates. - Logs every iteration of waiting for the propagation - update DNSimple client - update github.com/miekg/dns
2018-12-06 21:50:17 +00:00
func NewProviderServer(iface, port string) *ProviderServer {
feat: ease operation behind proxy servers (#974)
2019-10-05 11:44:38 +00:00
if port == "" {
port = "80"
}
return &ProviderServer{iface: iface, port: port, matcher: &hostMatcher{}}
Move the HTTP-01 and TLS-SNI-01 default solvers to a more unified layout. Made the solvers exported and added New... functions to them.
2016-02-14 15:56:14 +00:00
}
Refactor the core of the lib (#700) - Packages - Isolate code used by the CLI into the package `cmd` - (experimental) Add e2e tests for HTTP01, TLS-ALPN-01 and DNS-01, use [Pebble](https://github.com/letsencrypt/pebble) and [challtestsrv](https://github.com/letsencrypt/boulder/tree/master/test/challtestsrv) - Support non-ascii domain name (punnycode) - Check all challenges in a predictable order - No more global exported variables - Archive revoked certificates - Fixes revocation for subdomains and non-ascii domains - Disable pending authorizations - use pointer for RemoteError/ProblemDetails - Poll authz URL instead of challenge URL - The ability for a DNS provider to solve the challenge sequentially - Check all nameservers in a predictable order - Option to disable the complete propagation Requirement - CLI, support for renew with CSR - CLI, add SAN on renew - Add command to list certificates. - Logs every iteration of waiting for the propagation - update DNSimple client - update github.com/miekg/dns
2018-12-06 21:50:17 +00:00
// Present starts a web server and makes the token available at `ChallengePath(token)` for web requests.
func (s *ProviderServer) Present(domain, token, keyAuth string) error {
Refactor challenge providers to new ChallengeProvider interface * new ChallengeProvider with Present and CleanUp methods * new Challenge type describing `http-01`, `tls-sni-01`, `dns-01` * new client.SetChallengeProvider to support custom implementations
2016-01-15 04:06:25 +00:00
var err error
Refactor the core of the lib (#700) - Packages - Isolate code used by the CLI into the package `cmd` - (experimental) Add e2e tests for HTTP01, TLS-ALPN-01 and DNS-01, use [Pebble](https://github.com/letsencrypt/pebble) and [challtestsrv](https://github.com/letsencrypt/boulder/tree/master/test/challtestsrv) - Support non-ascii domain name (punnycode) - Check all challenges in a predictable order - No more global exported variables - Archive revoked certificates - Fixes revocation for subdomains and non-ascii domains - Disable pending authorizations - use pointer for RemoteError/ProblemDetails - Poll authz URL instead of challenge URL - The ability for a DNS provider to solve the challenge sequentially - Check all nameservers in a predictable order - Option to disable the complete propagation Requirement - CLI, support for renew with CSR - CLI, add SAN on renew - Add command to list certificates. - Logs every iteration of waiting for the propagation - update DNSimple client - update github.com/miekg/dns
2018-12-06 21:50:17 +00:00
s.listener, err = net.Listen("tcp", s.GetAddress())
Refactor challenge providers to new ChallengeProvider interface * new ChallengeProvider with Present and CleanUp methods * new Challenge type describing `http-01`, `tls-sni-01`, `dns-01` * new client.SetChallengeProvider to support custom implementations
2016-01-15 04:06:25 +00:00
if err != nil {
chore: wrap errors. (#1070)
2020-02-27 18:14:46 +00:00
return fmt.Errorf("could not start HTTP server for challenge -> %w", err)
Refactor challenge providers to new ChallengeProvider interface * new ChallengeProvider with Present and CleanUp methods * new Challenge type describing `http-01`, `tls-sni-01`, `dns-01` * new client.SetChallengeProvider to support custom implementations
2016-01-15 04:06:25 +00:00
}
s.done = make(chan bool)
go s.serve(domain, token, keyAuth)
return nil
}
Refactor the core of the lib (#700) - Packages - Isolate code used by the CLI into the package `cmd` - (experimental) Add e2e tests for HTTP01, TLS-ALPN-01 and DNS-01, use [Pebble](https://github.com/letsencrypt/pebble) and [challtestsrv](https://github.com/letsencrypt/boulder/tree/master/test/challtestsrv) - Support non-ascii domain name (punnycode) - Check all challenges in a predictable order - No more global exported variables - Archive revoked certificates - Fixes revocation for subdomains and non-ascii domains - Disable pending authorizations - use pointer for RemoteError/ProblemDetails - Poll authz URL instead of challenge URL - The ability for a DNS provider to solve the challenge sequentially - Check all nameservers in a predictable order - Option to disable the complete propagation Requirement - CLI, support for renew with CSR - CLI, add SAN on renew - Add command to list certificates. - Logs every iteration of waiting for the propagation - update DNSimple client - update github.com/miekg/dns
2018-12-06 21:50:17 +00:00
func (s *ProviderServer) GetAddress() string {
return net.JoinHostPort(s.iface, s.port)
}
// CleanUp closes the HTTP server and removes the token from `ChallengePath(token)`
func (s *ProviderServer) CleanUp(domain, token, keyAuth string) error {
Refactor challenge providers to new ChallengeProvider interface * new ChallengeProvider with Present and CleanUp methods * new Challenge type describing `http-01`, `tls-sni-01`, `dns-01` * new client.SetChallengeProvider to support custom implementations
2016-01-15 04:06:25 +00:00
if s.listener == nil {
return nil
}
s.listener.Close()
<-s.done
return nil
}
feat: ease operation behind proxy servers (#974)
2019-10-05 11:44:38 +00:00
// SetProxyHeader changes the validation of incoming requests.
// By default, s matches the "Host" header value to the domain name.
//
// When the server runs behind a proxy server, this is not the correct place to look at;
// Apache and NGINX have traditionally moved the original Host header into a new header named "X-Forwarded-Host".
// Other webservers might use different names;
// and RFC7239 has standadized a new header named "Forwarded" (with slightly different semantics).
//
// The exact behavior depends on the value of headerName:
// - "" (the empty string) and "Host" will restore the default and only check the Host header
// - "Forwarded" will look for a Forwarded header, and inspect it according to https://tools.ietf.org/html/rfc7239
// - any other value will check the header value with the same name
func (s *ProviderServer) SetProxyHeader(headerName string) {
switch h := textproto.CanonicalMIMEHeaderKey(headerName); h {
case "", "Host":
s.matcher = &hostMatcher{}
case "Forwarded":
s.matcher = &forwardedMatcher{}
default:
s.matcher = arbitraryMatcher(h)
}
}
Refactor the core of the lib (#700) - Packages - Isolate code used by the CLI into the package `cmd` - (experimental) Add e2e tests for HTTP01, TLS-ALPN-01 and DNS-01, use [Pebble](https://github.com/letsencrypt/pebble) and [challtestsrv](https://github.com/letsencrypt/boulder/tree/master/test/challtestsrv) - Support non-ascii domain name (punnycode) - Check all challenges in a predictable order - No more global exported variables - Archive revoked certificates - Fixes revocation for subdomains and non-ascii domains - Disable pending authorizations - use pointer for RemoteError/ProblemDetails - Poll authz URL instead of challenge URL - The ability for a DNS provider to solve the challenge sequentially - Check all nameservers in a predictable order - Option to disable the complete propagation Requirement - CLI, support for renew with CSR - CLI, add SAN on renew - Add command to list certificates. - Logs every iteration of waiting for the propagation - update DNSimple client - update github.com/miekg/dns
2018-12-06 21:50:17 +00:00
func (s *ProviderServer) serve(domain, token, keyAuth string) {
path := ChallengePath(token)
Refactor challenge providers to new ChallengeProvider interface * new ChallengeProvider with Present and CleanUp methods * new Challenge type describing `http-01`, `tls-sni-01`, `dns-01` * new client.SetChallengeProvider to support custom implementations
2016-01-15 04:06:25 +00:00
feat: ease operation behind proxy servers (#974)
2019-10-05 11:44:38 +00:00
// The incoming request must will be validated to prevent DNS rebind attacks.
// We only respond with the keyAuth, when we're receiving a GET requests with
// the "Host" header matching the domain (the latter is configurable though SetProxyHeader).
Refactor challenge providers to new ChallengeProvider interface * new ChallengeProvider with Present and CleanUp methods * new Challenge type describing `http-01`, `tls-sni-01`, `dns-01` * new client.SetChallengeProvider to support custom implementations
2016-01-15 04:06:25 +00:00
mux := http.NewServeMux()
mux.HandleFunc(path, func(w http.ResponseWriter, r *http.Request) {
feat: ease operation behind proxy servers (#974)
2019-10-05 11:44:38 +00:00
if r.Method == http.MethodGet && s.matcher.matches(r, domain) {
Refactor challenge providers to new ChallengeProvider interface * new ChallengeProvider with Present and CleanUp methods * new Challenge type describing `http-01`, `tls-sni-01`, `dns-01` * new client.SetChallengeProvider to support custom implementations
2016-01-15 04:06:25 +00:00
w.Header().Add("Content-Type", "text/plain")
Migrate to golangci-lint (#644) * refactor: linting. - errcheck - govet - golint - goconst - spellcheck - ... * refactor: migrate from gometalinter to golangci-lint.
2018-09-24 19:07:20 +00:00
_, err := w.Write([]byte(keyAuth))
if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
Review DNS providers (#580) * refactor: create log.Infof and log.Warnf * refactor: review DNS providers. - use one `http.Client` by provider instead of one client by request - use the same receiver name `d` for all `DNSProvider` - use `http.MethodXXX` * refactor: logger init.
2018-06-21 17:06:16 +00:00
log.Infof("[%s] Served key authentication", domain)
Refactor challenge providers to new ChallengeProvider interface * new ChallengeProvider with Present and CleanUp methods * new Challenge type describing `http-01`, `tls-sni-01`, `dns-01` * new client.SetChallengeProvider to support custom implementations
2016-01-15 04:06:25 +00:00
} else {
feat: ease operation behind proxy servers (#974)
2019-10-05 11:44:38 +00:00
log.Warnf("Received request for domain %s with method %s but the domain did not match any challenge. Please ensure your are passing the %s header properly.", r.Host, r.Method, s.matcher.name())
Migrate to golangci-lint (#644) * refactor: linting. - errcheck - govet - golint - goconst - spellcheck - ... * refactor: migrate from gometalinter to golangci-lint.
2018-09-24 19:07:20 +00:00
_, err := w.Write([]byte("TEST"))
if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
Refactor challenge providers to new ChallengeProvider interface * new ChallengeProvider with Present and CleanUp methods * new Challenge type describing `http-01`, `tls-sni-01`, `dns-01` * new client.SetChallengeProvider to support custom implementations
2016-01-15 04:06:25 +00:00
}
})
Migrate to golangci-lint (#644) * refactor: linting. - errcheck - govet - golint - goconst - spellcheck - ... * refactor: migrate from gometalinter to golangci-lint.
2018-09-24 19:07:20 +00:00
httpServer := &http.Server{Handler: mux}
Refactor the core of the lib (#700) - Packages - Isolate code used by the CLI into the package `cmd` - (experimental) Add e2e tests for HTTP01, TLS-ALPN-01 and DNS-01, use [Pebble](https://github.com/letsencrypt/pebble) and [challtestsrv](https://github.com/letsencrypt/boulder/tree/master/test/challtestsrv) - Support non-ascii domain name (punnycode) - Check all challenges in a predictable order - No more global exported variables - Archive revoked certificates - Fixes revocation for subdomains and non-ascii domains - Disable pending authorizations - use pointer for RemoteError/ProblemDetails - Poll authz URL instead of challenge URL - The ability for a DNS provider to solve the challenge sequentially - Check all nameservers in a predictable order - Option to disable the complete propagation Requirement - CLI, support for renew with CSR - CLI, add SAN on renew - Add command to list certificates. - Logs every iteration of waiting for the propagation - update DNSimple client - update github.com/miekg/dns
2018-12-06 21:50:17 +00:00
// Once httpServer is shut down
// we don't want any lingering connections, so disable KeepAlives.
http-01 challenge: disable TCP connection reuse If TCP connection reuse (KeepAlives) are left on then, in a sequence of challenges arising from a multiple-domain certficate, challenges after the 1st can fail due to reusing the now defunct tcp connection used in the first challenge. This has been observed when using the Go standard library reverse proxy to forward the challenges to Lego. Fixes #107
2016-02-07 13:25:31 +00:00
httpServer.SetKeepAlivesEnabled(false)
Migrate to golangci-lint (#644) * refactor: linting. - errcheck - govet - golint - goconst - spellcheck - ... * refactor: migrate from gometalinter to golangci-lint.
2018-09-24 19:07:20 +00:00
err := httpServer.Serve(s.listener)
Refactor the core of the lib (#700) - Packages - Isolate code used by the CLI into the package `cmd` - (experimental) Add e2e tests for HTTP01, TLS-ALPN-01 and DNS-01, use [Pebble](https://github.com/letsencrypt/pebble) and [challtestsrv](https://github.com/letsencrypt/boulder/tree/master/test/challtestsrv) - Support non-ascii domain name (punnycode) - Check all challenges in a predictable order - No more global exported variables - Archive revoked certificates - Fixes revocation for subdomains and non-ascii domains - Disable pending authorizations - use pointer for RemoteError/ProblemDetails - Poll authz URL instead of challenge URL - The ability for a DNS provider to solve the challenge sequentially - Check all nameservers in a predictable order - Option to disable the complete propagation Requirement - CLI, support for renew with CSR - CLI, add SAN on renew - Add command to list certificates. - Logs every iteration of waiting for the propagation - update DNSimple client - update github.com/miekg/dns
2018-12-06 21:50:17 +00:00
if err != nil && !strings.Contains(err.Error(), "use of closed network connection") {
Migrate to golangci-lint (#644) * refactor: linting. - errcheck - govet - golint - goconst - spellcheck - ... * refactor: migrate from gometalinter to golangci-lint.
2018-09-24 19:07:20 +00:00
log.Println(err)
}
Refactor challenge providers to new ChallengeProvider interface * new ChallengeProvider with Present and CleanUp methods * new Challenge type describing `http-01`, `tls-sni-01`, `dns-01` * new client.SetChallengeProvider to support custom implementations
2016-01-15 04:06:25 +00:00
s.done <- true
}
Copy permalink