-
Notifications
You must be signed in to change notification settings - Fork 1.5k
/
Copy pathserver_listen.go
148 lines (140 loc) · 3.32 KB
/
server_listen.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
package chserver
import (
"crypto/tls"
"crypto/x509"
"errors"
"net"
"os"
"os/user"
"path/filepath"
"github.com/jpillora/chisel/share/settings"
"golang.org/x/crypto/acme/autocert"
)
// TLSConfig enables configures TLS
type TLSConfig struct {
Key string
Cert string
Domains []string
CA string
}
func (s *Server) listener(host, port string) (net.Listener, error) {
hasDomains := len(s.config.TLS.Domains) > 0
hasKeyCert := s.config.TLS.Key != "" && s.config.TLS.Cert != ""
if hasDomains && hasKeyCert {
return nil, errors.New("cannot use key/cert and domains")
}
var tlsConf *tls.Config
if hasDomains {
tlsConf = s.tlsLetsEncrypt(s.config.TLS.Domains)
}
extra := ""
if hasKeyCert {
c, err := s.tlsKeyCert(s.config.TLS.Key, s.config.TLS.Cert, s.config.TLS.CA)
if err != nil {
return nil, err
}
tlsConf = c
if port != "443" && hasDomains {
extra = " (WARNING: LetsEncrypt will attempt to connect to your domain on port 443)"
}
}
//tcp listen
l, err := net.Listen("tcp", host+":"+port)
if err != nil {
return nil, err
}
//optionally wrap in tls
proto := "http"
if tlsConf != nil {
proto += "s"
l = tls.NewListener(l, tlsConf)
}
s.Infof("Listening on %s://%s:%s%s", proto, host, port, extra)
return l, nil
}
func (s *Server) tlsLetsEncrypt(domains []string) *tls.Config {
//prepare cert manager
m := &autocert.Manager{
Prompt: func(tosURL string) bool {
s.Infof("Accepting LetsEncrypt TOS and fetching certificate...")
return true
},
Email: settings.Env("LE_EMAIL"),
HostPolicy: autocert.HostWhitelist(domains...),
}
//configure file cache
c := settings.Env("LE_CACHE")
if c == "" {
h := os.Getenv("HOME")
if h == "" {
if u, err := user.Current(); err == nil {
h = u.HomeDir
}
}
c = filepath.Join(h, ".cache", "chisel")
}
if c != "-" {
s.Infof("LetsEncrypt cache directory %s", c)
m.Cache = autocert.DirCache(c)
}
//return lets-encrypt tls config
return m.TLSConfig()
}
func (s *Server) tlsKeyCert(key, cert string, ca string) (*tls.Config, error) {
keypair, err := tls.LoadX509KeyPair(cert, key)
if err != nil {
return nil, err
}
//file based tls config using tls defaults
c := &tls.Config{
Certificates: []tls.Certificate{keypair},
}
//mTLS requires server's CA
if ca != "" {
if err := addCA(ca, c); err != nil {
return nil, err
}
s.Infof("Loaded CA path: %s", ca)
}
return c, nil
}
func addCA(ca string, c *tls.Config) error {
fileInfo, err := os.Stat(ca)
if err != nil {
return err
}
clientCAPool := x509.NewCertPool()
if fileInfo.IsDir() {
//this is a directory holding CA bundle files
files, err := os.ReadDir(ca)
if err != nil {
return err
}
//add all cert files from path
for _, file := range files {
f := file.Name()
if err := addPEMFile(filepath.Join(ca, f), clientCAPool); err != nil {
return err
}
}
} else {
//this is a CA bundle file
if err := addPEMFile(ca, clientCAPool); err != nil {
return err
}
}
//set client CAs and enable cert verification
c.ClientCAs = clientCAPool
c.ClientAuth = tls.RequireAndVerifyClientCert
return nil
}
func addPEMFile(path string, pool *x509.CertPool) error {
content, err := os.ReadFile(path)
if err != nil {
return err
}
if !pool.AppendCertsFromPEM(content) {
return errors.New("Fail to load certificates from : " + path)
}
return nil
}