mirror of
https://github.com/superseriousbusiness/gotosocial.git
synced 2024-11-14 05:21:08 +00:00
d2f6de0185
Currently, GtS only supports using the built-in LE client directly for TLS. However, admins may still want to use GtS directly (so without a reverse proxy) but with certificates provided through some other mechanism. They may have some centralised way of provisioning these things themselves, or simply prefer to use LE but with a different challenge like DNS-01 which is not supported by autocert. This adds support for loading a public/private keypair from disk instead of using LE and reconfigures the server to use a TLS listener if we succeed in doing so. Additionally, being able to load TLS keypair from disk opens up the path to using a custom CA for testing purposes avoinding the need for a constellation of containers and something like Pebble or Step CA to provide LE APIs.
244 lines
8 KiB
Go
244 lines
8 KiB
Go
/*
|
|
GoToSocial
|
|
Copyright (C) 2021-2023 GoToSocial Authors admin@gotosocial.org
|
|
|
|
This program is free software: you can redistribute it and/or modify
|
|
it under the terms of the GNU Affero General Public License as published by
|
|
the Free Software Foundation, either version 3 of the License, or
|
|
(at your option) any later version.
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU Affero General Public License for more details.
|
|
|
|
You should have received a copy of the GNU Affero General Public License
|
|
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
package router
|
|
|
|
import (
|
|
"context"
|
|
"crypto/tls"
|
|
"fmt"
|
|
"net"
|
|
"net/http"
|
|
"time"
|
|
|
|
"codeberg.org/gruf/go-bytesize"
|
|
"codeberg.org/gruf/go-debug"
|
|
"github.com/gin-gonic/gin"
|
|
"github.com/superseriousbusiness/gotosocial/internal/config"
|
|
"github.com/superseriousbusiness/gotosocial/internal/log"
|
|
"golang.org/x/crypto/acme/autocert"
|
|
)
|
|
|
|
const (
|
|
readTimeout = 60 * time.Second
|
|
writeTimeout = 30 * time.Second
|
|
idleTimeout = 30 * time.Second
|
|
readHeaderTimeout = 30 * time.Second
|
|
shutdownTimeout = 30 * time.Second
|
|
maxMultipartMemory = int64(8 * bytesize.MiB)
|
|
)
|
|
|
|
// Router provides the REST interface for gotosocial, using gin.
|
|
type Router interface {
|
|
// Attach global gin middlewares to this router.
|
|
AttachGlobalMiddleware(handlers ...gin.HandlerFunc) gin.IRoutes
|
|
// AttachGroup attaches the given handlers into a group with the given relativePath as
|
|
// base path for that group. It then returns the *gin.RouterGroup so that the caller
|
|
// can add any extra middlewares etc specific to that group, as desired.
|
|
AttachGroup(relativePath string, handlers ...gin.HandlerFunc) *gin.RouterGroup
|
|
// Attach a single gin handler to the router with the given method and path.
|
|
// To make middleware management easier, AttachGroup should be preferred where possible.
|
|
// However, this function can be used for attaching single handlers that only require
|
|
// global middlewares.
|
|
AttachHandler(method string, path string, handler gin.HandlerFunc)
|
|
|
|
// Attach 404 NoRoute handler
|
|
AttachNoRouteHandler(handler gin.HandlerFunc)
|
|
// Start the router
|
|
Start()
|
|
// Stop the router
|
|
Stop(ctx context.Context) error
|
|
}
|
|
|
|
// router fulfils the Router interface using gin and logrus
|
|
type router struct {
|
|
engine *gin.Engine
|
|
srv *http.Server
|
|
certManager *autocert.Manager
|
|
}
|
|
|
|
// Start starts the router nicely. It will serve two handlers if letsencrypt is enabled, and only the web/API handler if letsencrypt is not enabled.
|
|
func (r *router) Start() {
|
|
// listen is the server start function, by
|
|
// default pointing to regular HTTP listener,
|
|
// but updated to TLS if LetsEncrypt is enabled.
|
|
listen := r.srv.ListenAndServe
|
|
|
|
// During config validation we already checked that both Chain and Key are set
|
|
// so we can forego checking for both here
|
|
if chain := config.GetTLSCertificateChain(); chain != "" {
|
|
pkey := config.GetTLSCertificateKey()
|
|
cer, err := tls.LoadX509KeyPair(chain, pkey)
|
|
if err != nil {
|
|
log.Fatalf(
|
|
nil,
|
|
"tls: failed to load keypair from %s and %s, ensure they are PEM-encoded and can be read by this process: %s",
|
|
chain, pkey, err,
|
|
)
|
|
}
|
|
r.srv.TLSConfig = &tls.Config{
|
|
MinVersion: tls.VersionTLS12,
|
|
Certificates: []tls.Certificate{cer},
|
|
}
|
|
// TLS is enabled, update the listen function
|
|
listen = func() error { return r.srv.ListenAndServeTLS("", "") }
|
|
}
|
|
|
|
if config.GetLetsEncryptEnabled() {
|
|
// LetsEncrypt support is enabled
|
|
|
|
// Prepare an HTTPS-redirect handler for LetsEncrypt fallback
|
|
redirect := http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
|
|
target := "https://" + r.Host + r.URL.Path
|
|
if len(r.URL.RawQuery) > 0 {
|
|
target += "?" + r.URL.RawQuery
|
|
}
|
|
http.Redirect(rw, r, target, http.StatusTemporaryRedirect)
|
|
})
|
|
|
|
go func() {
|
|
// Take our own copy of HTTP server
|
|
// with updated autocert manager endpoint
|
|
srv := (*r.srv) //nolint
|
|
srv.Handler = r.certManager.HTTPHandler(redirect)
|
|
srv.Addr = fmt.Sprintf("%s:%d",
|
|
config.GetBindAddress(),
|
|
config.GetLetsEncryptPort(),
|
|
)
|
|
|
|
// Start the LetsEncrypt autocert manager HTTP server.
|
|
log.Infof(nil, "letsencrypt listening on %s", srv.Addr)
|
|
if err := srv.ListenAndServe(); err != nil &&
|
|
err != http.ErrServerClosed {
|
|
log.Fatalf(nil, "letsencrypt: listen: %s", err)
|
|
}
|
|
}()
|
|
|
|
// TLS is enabled, update the listen function
|
|
listen = func() error { return r.srv.ListenAndServeTLS("", "") }
|
|
}
|
|
|
|
// Pass the server handler through a debug pprof middleware handler.
|
|
// For standard production builds this will be a no-op, but when the
|
|
// "debug" or "debugenv" build-tag is set pprof stats will be served
|
|
// at the standard "/debug/pprof" URL.
|
|
r.srv.Handler = debug.WithPprof(r.srv.Handler)
|
|
if debug.DEBUG {
|
|
// Profiling requires timeouts longer than 30s, so reset these.
|
|
log.Warn(nil, "resetting http.Server{} timeout to support profiling")
|
|
r.srv.ReadTimeout = 0
|
|
r.srv.WriteTimeout = 0
|
|
}
|
|
|
|
// Start the main listener.
|
|
go func() {
|
|
log.Infof(nil, "listening on %s", r.srv.Addr)
|
|
if err := listen(); err != nil && err != http.ErrServerClosed {
|
|
log.Fatalf(nil, "listen: %s", err)
|
|
}
|
|
}()
|
|
}
|
|
|
|
// Stop shuts down the router nicely
|
|
func (r *router) Stop(ctx context.Context) error {
|
|
log.Infof(nil, "shutting down http router with %s grace period", shutdownTimeout)
|
|
timeout, cancel := context.WithTimeout(ctx, shutdownTimeout)
|
|
defer cancel()
|
|
|
|
if err := r.srv.Shutdown(timeout); err != nil {
|
|
return fmt.Errorf("error shutting down http router: %s", err)
|
|
}
|
|
|
|
log.Info(nil, "http router closed connections and shut down gracefully")
|
|
return nil
|
|
}
|
|
|
|
// New returns a new Router.
|
|
//
|
|
// The router's Attach functions should be used *before* the router is Started.
|
|
//
|
|
// When the router's work is finished, Stop should be called on it to close connections gracefully.
|
|
//
|
|
// The provided context will be used as the base context for all requests passing
|
|
// through the underlying http.Server, so this should be a long-running context.
|
|
func New(ctx context.Context) (Router, error) {
|
|
gin.SetMode(gin.TestMode)
|
|
|
|
// create the actual engine here -- this is the core request routing handler for gts
|
|
engine := gin.New()
|
|
engine.MaxMultipartMemory = maxMultipartMemory
|
|
|
|
// set up IP forwarding via x-forward-* headers.
|
|
trustedProxies := config.GetTrustedProxies()
|
|
if err := engine.SetTrustedProxies(trustedProxies); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// set template functions
|
|
LoadTemplateFunctions(engine)
|
|
|
|
// load templates onto the engine
|
|
if err := LoadTemplates(engine); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// use the passed-in command context as the base context for the server,
|
|
// since we'll never want the server to live past the command anyway
|
|
baseCtx := func(_ net.Listener) context.Context {
|
|
return ctx
|
|
}
|
|
|
|
bindAddress := config.GetBindAddress()
|
|
port := config.GetPort()
|
|
addr := fmt.Sprintf("%s:%d", bindAddress, port)
|
|
|
|
s := &http.Server{
|
|
Addr: addr,
|
|
Handler: engine, // use gin engine as handler
|
|
ReadTimeout: readTimeout,
|
|
ReadHeaderTimeout: readHeaderTimeout,
|
|
WriteTimeout: writeTimeout,
|
|
IdleTimeout: idleTimeout,
|
|
BaseContext: baseCtx,
|
|
}
|
|
|
|
// We need to spawn the underlying server slightly differently depending on whether lets encrypt is enabled or not.
|
|
// In either case, the gin engine will still be used for routing requests.
|
|
leEnabled := config.GetLetsEncryptEnabled()
|
|
|
|
var m *autocert.Manager
|
|
if leEnabled {
|
|
// le IS enabled, so roll up an autocert manager for handling letsencrypt requests
|
|
host := config.GetHost()
|
|
leCertDir := config.GetLetsEncryptCertDir()
|
|
leEmailAddress := config.GetLetsEncryptEmailAddress()
|
|
m = &autocert.Manager{
|
|
Prompt: autocert.AcceptTOS,
|
|
HostPolicy: autocert.HostWhitelist(host),
|
|
Cache: autocert.DirCache(leCertDir),
|
|
Email: leEmailAddress,
|
|
}
|
|
s.TLSConfig = m.TLSConfig()
|
|
}
|
|
|
|
return &router{
|
|
engine: engine,
|
|
srv: s,
|
|
certManager: m,
|
|
}, nil
|
|
}
|