tlstunnel/directives.go

package tlstunnel

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/url"
	"strings"

	"git.sr.ht/~emersion/go-scfg"
)

func parseConfig(srv *Server, cfg scfg.Block) error {
	for _, d := range cfg {
		var err error
		switch d.Name {
		case "frontend":
			err = parseFrontend(srv, d)
		case "tls":
			err = parseTLS(srv, d)
		default:
			return fmt.Errorf("unknown %q directive", d.Name)
		}
		if err != nil {
			return fmt.Errorf("directive %q: %v", d.Name, err)
		}
	}
	return nil
}

func parseFrontend(srv *Server, d *scfg.Directive) error {
	frontend := &Frontend{Server: srv}
	srv.Frontends = append(srv.Frontends, frontend)

	// TODO: support multiple backends
	backendDirective := d.Children.Get("backend")
	if backendDirective == nil {
		return fmt.Errorf("missing backend directive in frontend block")
	}
	if err := parseBackend(&frontend.Backend, backendDirective); err != nil {
		return err
	}

	unmanaged := false
	tlsDirective := d.Children.Get("tls")
	if tlsDirective != nil {
		var err error
		unmanaged, err = parseFrontendTLS(srv, tlsDirective)
		if err != nil {
			return err
		}
	}

	for _, addr := range d.Params {
		host, port, err := net.SplitHostPort(addr)
		if err != nil {
			return fmt.Errorf("failed to parse frontend address %q: %v", addr, err)
		}

		if host != "" && !unmanaged {
			srv.ManagedNames = append(srv.ManagedNames, host)
		}

		// TODO: allow to customize listen host
		addr := net.JoinHostPort("", port)

		ln := srv.RegisterListener(addr)
		if err := ln.RegisterFrontend(host, frontend); err != nil {
			return err
		}
	}

	return nil
}

func parseBackend(backend *Backend, d *scfg.Directive) error {
	var backendURI string
	if err := d.ParseParams(&backendURI); err != nil {
		return err
	}
	if !strings.Contains(backendURI, ":/") {
		// This is a raw domain name, make it an URL with an empty scheme
		backendURI = "//" + backendURI
	}

	u, err := url.Parse(backendURI)
	if err != nil {
		return fmt.Errorf("failed to parse backend URI %q: %v", backendURI, err)
	}

	if strings.HasSuffix(u.Scheme, "+proxy") {
		u.Scheme = strings.TrimSuffix(u.Scheme, "+proxy")
		backend.Proxy = true
	}

	switch u.Scheme {
	case "", "tcp":
		backend.Network = "tcp"
		backend.Address = u.Host
	case "unix":
		backend.Network = "unix"
		backend.Address = u.Host
	default:
		return fmt.Errorf("failed to setup backend %q: unsupported URI scheme", backendURI)
	}

	return nil
}

func parseFrontendTLS(srv *Server, d *scfg.Directive) (unmanaged bool, err error) {
	for _, child := range d.Children {
		switch child.Name {
		case "load":
			var certPath, keyPath string
			if err := child.ParseParams(&certPath, &keyPath); err != nil {
				return false, err
			}

			cert, err := tls.LoadX509KeyPair(certPath, keyPath)
			if err != nil {
				return false, fmt.Errorf("directive \"load\": %v", err)
			}

			srv.UnmanagedCerts = append(srv.UnmanagedCerts, cert)
			unmanaged = true
		default:
			return false, fmt.Errorf("unknown %q directive", child.Name)
		}
	}
	return unmanaged, nil
}

func parseTLS(srv *Server, d *scfg.Directive) error {
	for _, child := range d.Children {
		switch child.Name {
		case "acme_ca":
			var caURL string
			if err := child.ParseParams(&caURL); err != nil {
				return err
			}
			srv.ACMEManager.CA = caURL
		case "email":
			var email string
			if err := child.ParseParams(&email); err != nil {
				return err
			}
			srv.ACMEManager.Email = email
		default:
			return fmt.Errorf("unknown %q directive", child.Name)
		}
	}
	return nil
}
Move back directive processing to tlstunnel package 2020-09-10 13:05:43 +00:00			`package tlstunnel`

			`import (`
Add "tls load" frontend directive 2020-10-19 15:27:29 +00:00			`"crypto/tls"`
Move back directive processing to tlstunnel package 2020-09-10 13:05:43 +00:00			`"fmt"`
			`"net"`
			`"net/url"`
			`"strings"`
Switch to scfg And we get nested blocks for free. 2020-10-19 14:44:46 +00:00
			`"git.sr.ht/~emersion/go-scfg"`
Move back directive processing to tlstunnel package 2020-09-10 13:05:43 +00:00			`)`

Switch to scfg And we get nested blocks for free. 2020-10-19 14:44:46 +00:00			`func parseConfig(srv *Server, cfg scfg.Block) error {`
			`for _, d := range cfg {`
Move back directive processing to tlstunnel package 2020-09-10 13:05:43 +00:00			`var err error`
			`switch d.Name {`
			`case "frontend":`
			`err = parseFrontend(srv, d)`
			`case "tls":`
			`err = parseTLS(srv, d)`
			`default:`
			`return fmt.Errorf("unknown %q directive", d.Name)`
			`}`
			`if err != nil {`
			`return fmt.Errorf("directive %q: %v", d.Name, err)`
			`}`
			`}`
			`return nil`
			`}`

Switch to scfg And we get nested blocks for free. 2020-10-19 14:44:46 +00:00			`func parseFrontend(srv Server, d scfg.Directive) error {`
Move back directive processing to tlstunnel package 2020-09-10 13:05:43 +00:00			`frontend := &Frontend{Server: srv}`
			`srv.Frontends = append(srv.Frontends, frontend)`

			`// TODO: support multiple backends`
Switch to scfg And we get nested blocks for free. 2020-10-19 14:44:46 +00:00			`backendDirective := d.Children.Get("backend")`
Move back directive processing to tlstunnel package 2020-09-10 13:05:43 +00:00			`if backendDirective == nil {`
			`return fmt.Errorf("missing backend directive in frontend block")`
			`}`
			`if err := parseBackend(&frontend.Backend, backendDirective); err != nil {`
			`return err`
			`}`

Add "tls load" frontend directive 2020-10-19 15:27:29 +00:00			`unmanaged := false`
			`tlsDirective := d.Children.Get("tls")`
			`if tlsDirective != nil {`
			`var err error`
			`unmanaged, err = parseFrontendTLS(srv, tlsDirective)`
			`if err != nil {`
			`return err`
			`}`
			`}`

Don't try to guess listening address Always listen on all hosts. Only use the host part of a frontend address for TLS cert names. Customizing the listen host will be better done with a `bind` directive, like Caddy does. 2020-09-12 11:41:11 +00:00			`for _, addr := range d.Params {`
			`host, port, err := net.SplitHostPort(addr)`
Move back directive processing to tlstunnel package 2020-09-10 13:05:43 +00:00			`if err != nil {`
Don't try to guess listening address Always listen on all hosts. Only use the host part of a frontend address for TLS cert names. Customizing the listen host will be better done with a `bind` directive, like Caddy does. 2020-09-12 11:41:11 +00:00			`return fmt.Errorf("failed to parse frontend address %q: %v", addr, err)`
Move back directive processing to tlstunnel package 2020-09-10 13:05:43 +00:00			`}`

Add "tls load" frontend directive 2020-10-19 15:27:29 +00:00			`if host != "" && !unmanaged {`
Don't try to guess listening address Always listen on all hosts. Only use the host part of a frontend address for TLS cert names. Customizing the listen host will be better done with a `bind` directive, like Caddy does. 2020-09-12 11:41:11 +00:00			`srv.ManagedNames = append(srv.ManagedNames, host)`
Move back directive processing to tlstunnel package 2020-09-10 13:05:43 +00:00			`}`

Don't try to guess listening address Always listen on all hosts. Only use the host part of a frontend address for TLS cert names. Customizing the listen host will be better done with a `bind` directive, like Caddy does. 2020-09-12 11:41:11 +00:00			`// TODO: allow to customize listen host`
			`addr := net.JoinHostPort("", port)`
Move back directive processing to tlstunnel package 2020-09-10 13:05:43 +00:00
			`ln := srv.RegisterListener(addr)`
Don't try to guess listening address Always listen on all hosts. Only use the host part of a frontend address for TLS cert names. Customizing the listen host will be better done with a `bind` directive, like Caddy does. 2020-09-12 11:41:11 +00:00			`if err := ln.RegisterFrontend(host, frontend); err != nil {`
Move back directive processing to tlstunnel package 2020-09-10 13:05:43 +00:00			`return err`
			`}`
			`}`

			`return nil`
			`}`

Switch to scfg And we get nested blocks for free. 2020-10-19 14:44:46 +00:00			`func parseBackend(backend Backend, d scfg.Directive) error {`
Move back directive processing to tlstunnel package 2020-09-10 13:05:43 +00:00			`var backendURI string`
			`if err := d.ParseParams(&backendURI); err != nil {`
			`return err`
			`}`
			`if !strings.Contains(backendURI, ":/") {`
			`// This is a raw domain name, make it an URL with an empty scheme`
			`backendURI = "//" + backendURI`
			`}`

			`u, err := url.Parse(backendURI)`
			`if err != nil {`
			`return fmt.Errorf("failed to parse backend URI %q: %v", backendURI, err)`
			`}`

			`if strings.HasSuffix(u.Scheme, "+proxy") {`
			`u.Scheme = strings.TrimSuffix(u.Scheme, "+proxy")`
			`backend.Proxy = true`
			`}`

			`switch u.Scheme {`
			`case "", "tcp":`
			`backend.Network = "tcp"`
			`backend.Address = u.Host`
			`case "unix":`
			`backend.Network = "unix"`
			`backend.Address = u.Host`
			`default:`
			`return fmt.Errorf("failed to setup backend %q: unsupported URI scheme", backendURI)`
			`}`

			`return nil`
			`}`

Add "tls load" frontend directive 2020-10-19 15:27:29 +00:00			`func parseFrontendTLS(srv Server, d scfg.Directive) (unmanaged bool, err error) {`
			`for _, child := range d.Children {`
			`switch child.Name {`
			`case "load":`
			`var certPath, keyPath string`
			`if err := child.ParseParams(&certPath, &keyPath); err != nil {`
			`return false, err`
			`}`

			`cert, err := tls.LoadX509KeyPair(certPath, keyPath)`
			`if err != nil {`
			`return false, fmt.Errorf("directive \"load\": %v", err)`
			`}`

			`srv.UnmanagedCerts = append(srv.UnmanagedCerts, cert)`
			`unmanaged = true`
			`default:`
			`return false, fmt.Errorf("unknown %q directive", child.Name)`
			`}`
			`}`
			`return unmanaged, nil`
			`}`

Switch to scfg And we get nested blocks for free. 2020-10-19 14:44:46 +00:00			`func parseTLS(srv Server, d scfg.Directive) error {`
Move back directive processing to tlstunnel package 2020-09-10 13:05:43 +00:00			`for _, child := range d.Children {`
			`switch child.Name {`
			`case "acme_ca":`
			`var caURL string`
			`if err := child.ParseParams(&caURL); err != nil {`
			`return err`
			`}`
			`srv.ACMEManager.CA = caURL`
Add the "tls.email" directive To receive expiration warnings from Let's Encrypt. 2020-10-02 13:51:43 +00:00			`case "email":`
			`var email string`
			`if err := child.ParseParams(&email); err != nil {`
			`return err`
			`}`
			`srv.ACMEManager.Email = email`
Move back directive processing to tlstunnel package 2020-09-10 13:05:43 +00:00			`default:`
			`return fmt.Errorf("unknown %q directive", child.Name)`
			`}`
			`}`
			`return nil`
			`}`