From 535293706513ef530e3fad101bc414bd94ccbad9 Mon Sep 17 00:00:00 2001
From: Ivan Davydov
Date: Wed, 14 Aug 2024 16:29:04 +0300
Subject: [PATCH] Apply JnCrMx's patch for optional HTTP-only mode

---
 cli/flags.go | 6 +++
 config/assets/test_config.toml | 1 +
 config/config.go | 1 +
 config/setup.go | 3 ++
 example_config.toml | 1 +
 server/startup.go | 90 +++++++++++++++++++---------------
 6 files changed, 62 insertions(+), 40 deletions(-)

diff --git a/cli/flags.go b/cli/flags.go
index 934ef8d..f8e4552 100644
--- a/cli/flags.go
+++ b/cli/flags.go
@@ -152,6 +152,12 @@ var (
 EnvVars: []string{"PROFILING_ADDRESS"},
 Value: "localhost:9999",
 },
+ &cli.BoolFlag{
+ Name: "http-only-mode",
+ Usage: "serve content directly via HTTP using the Host header to identify the repository",
+ EnvVars: []string{"HTTP_ONLY_MODE"},
+ Value: false,
+ },
 
 // ############################
 // ### ACME Client Settings ###
diff --git a/config/assets/test_config.toml b/config/assets/test_config.toml
index acb2c55..cb01aab 100644
--- a/config/assets/test_config.toml
+++ b/config/assets/test_config.toml
@@ -9,6 +9,7 @@ mainDomain = 'codeberg.page'
 rawDomain = 'raw.codeberg.page'
 allowedCorsDomains = ['fonts.codeberg.org', 'design.codeberg.org']
 blacklistedPaths = ['do/not/use']
+httpOnlyMode = false
 
 [forge]
 root = 'https://codeberg.org'
diff --git a/config/config.go b/config/config.go
index 2accbf5..9095337 100644
--- a/config/config.go
+++ b/config/config.go
@@ -18,6 +18,7 @@ type ServerConfig struct {
 PagesBranches []string
 AllowedCorsDomains []string
 BlacklistedPaths []string
+ HttpOnlyMode bool `default:"false"`
 }
 
 type ForgeConfig struct {
diff --git a/config/setup.go b/config/setup.go
index f1388fe..bf39821 100644
--- a/config/setup.go
+++ b/config/setup.go
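Review bot: `HttpOnlyMode` is added to the exported `ServerConfig` without a doc comment, so a reader of config.go has to find the flag's Usage string in cli/flags.go or the branch in server/startup.go to learn what it switches. A one-line comment on the field would carry that, e.g. `// HttpOnlyMode serves content over plain HTTP and picks the repository from the Host header; ACME/TLS setup is skipped.` It would also be worth stating the deployment assumption this implies — presumably a TLS-terminating reverse proxy in front that sets the Host header — since the mode removes the certificate path entirely; confirm with the patch author before writing that part. The name keeps the casing of the existing `HttpServerEnabled` field rather than Go's `HTTP` initialism, which is the right consistency call here. The ServerConfig struct continues outside the hunk.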
@@ -84,6 +84,9 @@ func mergeServerConfig(ctx *cli.Context, config *ServerConfig) {
 if ctx.IsSet("blacklisted-paths") {
 config.BlacklistedPaths = ctx.StringSlice("blacklisted-paths")
 }
+ if ctx.IsSet("http-only-mode") {
+ config.HttpOnlyMode = ctx.Bool("http-only-mode")
+ }
 
 // add the paths that should always be blacklisted
 config.BlacklistedPaths = append(config.BlacklistedPaths, ALWAYS_BLACKLISTED_PATHS...)
diff --git a/example_config.toml b/example_config.toml
index c8dacb2..5976ee3 100644
--- a/example_config.toml
+++ b/example_config.toml
@@ -10,6 +10,7 @@ rawDomain = 'raw.codeberg.page'
 pagesBranches = ["pages"]
 allowedCorsDomains = []
 blacklistedPaths = []
+httpOnlyMode = false
 
 [forge]
 root = 'https://codeberg.org'
diff --git a/server/startup.go b/server/startup.go
index 6642d83..a46a7bc 100644
--- a/server/startup.go
+++ b/server/startup.go
@@ -79,51 +79,61 @@ func Serve(ctx *cli.Context) error {
 return fmt.Errorf("could not create new gitea client: %v", err)
 }
 
- acmeClient, err := acme.CreateAcmeClient(cfg.ACME, cfg.Server.HttpServerEnabled, challengeCache)
- if err != nil {
- return err
- }
+ var listener net.Listener
+ if cfg.Server.HttpOnlyMode {
+ log.Info().Msgf("Create TCP listener on %s", listeningHTTPAddress)
+ listener_, err := net.Listen("tcp", listeningHTTPAddress)
+ if err != nil {
+ return fmt.Errorf("couldn't create listener: %v", err)
+ }
+ listener = listener_
+ } else {
+ acmeClient, err := acme.CreateAcmeClient(cfg.ACME, cfg.Server.HttpServerEnabled, challengeCache)
+ if err != nil {
+ return err
+ }
 
- if err := certificates.SetupMainDomainCertificates(cfg.Server.MainDomain, acmeClient, certDB); err != nil {
- return err
- }
+ if err := certificates.SetupMainDomainCertificates(cfg.Server.MainDomain, acmeClient, certDB); err != nil {
+ return err
+ }
 
- // Create listener for SSL connections
- log.Info().Msgf("Create TCP listener for SSL on %s", listeningSSLAddress)
- listener, err := net.Listen("tcp", listeningSSLAddress)
- if err != nil {
- return fmt.Errorf("couldn't create listener: %v", err)
- }
+ // Create listener for SSL connections
+ log.Info().Msgf("Create TCP listener for SSL on %s", listeningSSLAddress)
+ listener, err := net.Listen("tcp", listeningSSLAddress)
+ if err != nil {
+ return fmt.Errorf("couldn't create listener: %v", err)
+ }
 
- // Setup listener for SSL connections
- listener = tls.NewListener(listener, certificates.TLSConfig(
- cfg.Server.MainDomain,
- giteaClient,
- acmeClient,
- cfg.Server.PagesBranches[0],
- challengeCache, canonicalDomainCache,
- certDB,
- cfg.ACME.NoDNS01,
- cfg.Server.RawDomain,
- ))
+ // Setup listener for SSL connections
+ listener = tls.NewListener(listener, certificates.TLSConfig(
+ cfg.Server.MainDomain,
+ giteaClient,
+ acmeClient,
+ cfg.Server.PagesBranches[0],
+ challengeCache, canonicalDomainCache,
+ certDB,
+ cfg.ACME.NoDNS01,
+ cfg.Server.RawDomain,
+ ))
 
- interval := 12 * time.Hour
- certMaintainCtx, cancelCertMaintain := context.WithCancel(context.Background())
- defer cancelCertMaintain()
- go certificates.MaintainCertDB(certMaintainCtx, interval, acmeClient, cfg.Server.MainDomain, certDB)
+ interval := 12 * time.Hour
+ certMaintainCtx, cancelCertMaintain := context.WithCancel(context.Background())
+ defer cancelCertMaintain()
+ go certificates.MaintainCertDB(certMaintainCtx, interval, acmeClient, cfg.Server.MainDomain, certDB)
 
- if cfg.Server.HttpServerEnabled {
- // Create handler for http->https redirect and http acme challenges
- httpHandler := certificates.SetupHTTPACMEChallengeServer(challengeCache, uint(cfg.Server.Port))
+ if cfg.Server.HttpServerEnabled {
+ // Create handler for http->https redirect and http acme challenges
+ httpHandler := certificates.SetupHTTPACMEChallengeServer(challengeCache, uint(cfg.Server.Port))
 
- // Create listener for http and start listening
- go func() {
- log.Info().Msgf("Start HTTP server listening on %s", listeningHTTPAddress)
- err := http.ListenAndServe(listeningHTTPAddress, httpHandler)
- if err != nil {
- log.Error().Err(err).Msg("Couldn't start HTTP server")
- }
- }()
+ // Create listener for http and start listening
+ go func() {
+ log.Info().Msgf("Start HTTP server listening on %s", listeningHTTPAddress)
+ err := http.ListenAndServe(listeningHTTPAddress, httpHandler)
+ if err != nil {
+ log.Error().Err(err).Msg("Couldn't start HTTP server")
+ }
+ }()
+ }
 }
 
 if ctx.IsSet("enable-profiling") {
@@ -134,7 +144,7 @@ func Serve(ctx *cli.Context) error {
 sslHandler := handler.Handler(cfg.Server, giteaClient, canonicalDomainCache, redirectsCache)
 
 // Start the ssl listener
- log.Info().Msgf("Start SSL server using TCP listener on %s", listener.Addr())
+ log.Info().Msgf("Start main server using TCP listener on %s", listener.Addr())
 return http.Serve(listener, sslHandler)
 }
 
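Review bot: In the else branch, `listener, err := net.Listen("tcp", listeningSSLAddress)` uses `:=` while `var listener net.Listener` sits in the enclosing scope, so this declares a new `listener` local to the block; the `tls.NewListener` result is assigned to that inner variable and the outer one is still nil when the block ends, which would make `listener.Addr()` in the second hunk panic on the TLS path (HTTP-only mode is unaffected because it writes the outer variable via `listener_`). The fix is a plain assignment, `listener, err = net.Listen("tcp", listeningSSLAddress)`, which compiles because `err` is already declared in that block by `acmeClient, err :=`. The HTTP-only branch can then lose the `listener_` temporary the same way, `listener, err = net.Listen("tcp", listeningHTTPAddress)`, provided an `err` is in scope there (the gitea-client check above suggests one at function scope; otherwise add `var err error` first). Serve's body starts and ends outside the hunk.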