reproxy/app/proxy/ssl.go

package proxy

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"strings"

	log "github.com/go-pkgz/lgr"
	"golang.org/x/crypto/acme/autocert"

	R "github.com/go-pkgz/rest"
)

// sslMode defines ssl mode for rest server
type sslMode int8

const (
	// SSLNone defines to run http server only
	SSLNone sslMode = iota

	// SSLStatic defines to run both https and http server. Redirect http to https
	SSLStatic

	// SSLAuto defines to run both https and http server. Redirect http to https. Https server with autocert support
	SSLAuto
)

// SSLConfig holds all ssl params for rest server
type SSLConfig struct {
	SSLMode       sslMode
	Cert          string
	Key           string
	ACMELocation  string
	ACMEEmail     string
	FQDNs         []string
	RedirHTTPPort int
}

// httpToHTTPSRouter creates new router which does redirect from http to https server
// with default middlewares. Used in 'static' ssl mode.
func (h *Http) httpToHTTPSRouter() http.Handler {
	log.Printf("[DEBUG] create https-to-http redirect routes")
	return R.Wrap(h.redirectHandler(), R.Recoverer(log.Default()))
}

// httpChallengeRouter creates new router which performs ACME "http-01" challenge response
// with default middlewares. This part is necessary to obtain certificate from LE.
// If it receives not a acme challenge it performs redirect to https server.
// Used in 'auto' ssl mode.
func (h *Http) httpChallengeRouter(m *autocert.Manager) http.Handler {
	log.Printf("[DEBUG] create http-challenge routes")
	return R.Wrap(m.HTTPHandler(h.redirectHandler()), R.Recoverer(log.Default()))
}

func (h *Http) redirectHandler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		server := strings.Split(r.Host, ":")[0]
		newURL := fmt.Sprintf("https://%s:443%s", server, r.URL.Path)
		if r.URL.RawQuery != "" {
			newURL += "?" + r.URL.RawQuery
		}
		http.Redirect(w, r, newURL, http.StatusTemporaryRedirect)
	})
}

func (h *Http) makeAutocertManager() *autocert.Manager {
	log.Printf("[DEBUG] autocert manager for domains: %+v, location: %s, email: %q",
		h.SSLConfig.FQDNs, h.SSLConfig.ACMELocation, h.SSLConfig.ACMEEmail)
	return &autocert.Manager{
		Prompt:     autocert.AcceptTOS,
		Cache:      autocert.DirCache(h.SSLConfig.ACMELocation),
		HostPolicy: autocert.HostWhitelist(h.SSLConfig.FQDNs...),
		Email:      h.SSLConfig.ACMEEmail,
	}
}

// makeHTTPSAutoCertServer makes https server with autocert mode (LE support)
func (h *Http) makeHTTPSAutocertServer(address string, router http.Handler, m *autocert.Manager) *http.Server {
	server := h.makeHTTPServer(address, router)
	cfg := h.makeTLSConfig()
	cfg.GetCertificate = m.GetCertificate
	server.TLSConfig = cfg
	return server
}

// makeHTTPSServer makes https server for static mode
func (h *Http) makeHTTPSServer(address string, router http.Handler) *http.Server {
	server := h.makeHTTPServer(address, router)
	server.TLSConfig = h.makeTLSConfig()
	return server
}

func (h *Http) makeTLSConfig() *tls.Config {
	return &tls.Config{
		PreferServerCipherSuites: true,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
		MinVersion: tls.VersionTLS12,
		CurvePreferences: []tls.CurveID{
			tls.CurveP256,
			tls.X25519,
			tls.CurveP384,
		},
	}
}
WIP: add 3 types of server 2021-04-02 11:13:49 +03:00			`package proxy`

			`import (`
			`"crypto/tls"`
			`"fmt"`
			`"net/http"`
			`"strings"`

			`log "github.com/go-pkgz/lgr"`
			`"golang.org/x/crypto/acme/autocert"`

			`R "github.com/go-pkgz/rest"`
			`)`

			`// sslMode defines ssl mode for rest server`
			`type sslMode int8`

			`const (`
add ssl suport 2021-04-03 08:22:54 +03:00			`// SSLNone defines to run http server only`
			`SSLNone sslMode = iota`
WIP: add 3 types of server 2021-04-02 11:13:49 +03:00
add ssl suport 2021-04-03 08:22:54 +03:00			`// SSLStatic defines to run both https and http server. Redirect http to https`
			`SSLStatic`
WIP: add 3 types of server 2021-04-02 11:13:49 +03:00
add ssl suport 2021-04-03 08:22:54 +03:00			`// SSLAuto defines to run both https and http server. Redirect http to https. Https server with autocert support`
			`SSLAuto`
WIP: add 3 types of server 2021-04-02 11:13:49 +03:00			`)`

			`// SSLConfig holds all ssl params for rest server`
			`type SSLConfig struct {`
allow custom https and http ports 2021-04-03 09:20:24 +03:00			`SSLMode sslMode`
			`Cert string`
			`Key string`
			`ACMELocation string`
			`ACMEEmail string`
			`FQDNs []string`
lint: multiple warns cleanup 2021-04-09 23:05:22 +03:00			`RedirHTTPPort int`
WIP: add 3 types of server 2021-04-02 11:13:49 +03:00			`}`

			`// httpToHTTPSRouter creates new router which does redirect from http to https server`
			`// with default middlewares. Used in 'static' ssl mode.`
			`func (h *Http) httpToHTTPSRouter() http.Handler {`
			`log.Printf("[DEBUG] create https-to-http redirect routes")`
add ssl suport 2021-04-03 08:22:54 +03:00			`return R.Wrap(h.redirectHandler(), R.Recoverer(log.Default()))`
WIP: add 3 types of server 2021-04-02 11:13:49 +03:00			`}`

			`// httpChallengeRouter creates new router which performs ACME "http-01" challenge response`
			`// with default middlewares. This part is necessary to obtain certificate from LE.`
			`// If it receives not a acme challenge it performs redirect to https server.`
			`// Used in 'auto' ssl mode.`
			`func (h Http) httpChallengeRouter(m autocert.Manager) http.Handler {`
			`log.Printf("[DEBUG] create http-challenge routes")`
add ssl suport 2021-04-03 08:22:54 +03:00			`return R.Wrap(m.HTTPHandler(h.redirectHandler()), R.Recoverer(log.Default()))`
WIP: add 3 types of server 2021-04-02 11:13:49 +03:00			`}`

			`func (h *Http) redirectHandler() http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`server := strings.Split(r.Host, ":")[0]`
			`newURL := fmt.Sprintf("https://%s:443%s", server, r.URL.Path)`
			`if r.URL.RawQuery != "" {`
			`newURL += "?" + r.URL.RawQuery`
			`}`
			`http.Redirect(w, r, newURL, http.StatusTemporaryRedirect)`
			`})`
			`}`

			`func (h Http) makeAutocertManager() autocert.Manager {`
add autocert details log 2021-05-04 20:51:07 +03:00			`log.Printf("[DEBUG] autocert manager for domains: %+v, location: %s, email: %q",`
			`h.SSLConfig.FQDNs, h.SSLConfig.ACMELocation, h.SSLConfig.ACMEEmail)`
WIP: add 3 types of server 2021-04-02 11:13:49 +03:00			`return &autocert.Manager{`
			`Prompt: autocert.AcceptTOS,`
			`Cache: autocert.DirCache(h.SSLConfig.ACMELocation),`
			`HostPolicy: autocert.HostWhitelist(h.SSLConfig.FQDNs...),`
			`Email: h.SSLConfig.ACMEEmail,`
			`}`
			`}`

			`// makeHTTPSAutoCertServer makes https server with autocert mode (LE support)`
			`func (h Http) makeHTTPSAutocertServer(address string, router http.Handler, m autocert.Manager) *http.Server {`
			`server := h.makeHTTPServer(address, router)`
			`cfg := h.makeTLSConfig()`
			`cfg.GetCertificate = m.GetCertificate`
			`server.TLSConfig = cfg`
			`return server`
			`}`

			`// makeHTTPSServer makes https server for static mode`
			`func (h Http) makeHTTPSServer(address string, router http.Handler) http.Server {`
			`server := h.makeHTTPServer(address, router)`
			`server.TLSConfig = h.makeTLSConfig()`
			`return server`
			`}`

			`func (h Http) makeTLSConfig() tls.Config {`
			`return &tls.Config{`
			`PreferServerCipherSuites: true,`
			`CipherSuites: []uint16{`
			`tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,`
			`tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,`
			`tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,`
			`tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,`
			`},`
			`MinVersion: tls.VersionTLS12,`
			`CurvePreferences: []tls.CurveID{`
			`tls.CurveP256,`
			`tls.X25519,`
			`tls.CurveP384,`
			`},`
			`}`
			`}`