2020-09-10 13:05:43 +00:00
|
|
|
package tlstunnel
|
|
|
|
|
|
|
|
import (
|
2020-10-19 15:27:29 +00:00
|
|
|
"crypto/tls"
|
2020-09-10 13:05:43 +00:00
|
|
|
"fmt"
|
|
|
|
"net"
|
|
|
|
"net/url"
|
2021-02-17 18:44:57 +00:00
|
|
|
"os"
|
|
|
|
"os/exec"
|
2020-09-10 13:05:43 +00:00
|
|
|
"strings"
|
2020-10-19 14:44:46 +00:00
|
|
|
|
|
|
|
"git.sr.ht/~emersion/go-scfg"
|
2021-02-17 17:34:13 +00:00
|
|
|
"github.com/caddyserver/certmagic"
|
2020-09-10 13:05:43 +00:00
|
|
|
)
|
|
|
|
|
2020-10-19 14:44:46 +00:00
|
|
|
func parseConfig(srv *Server, cfg scfg.Block) error {
|
|
|
|
for _, d := range cfg {
|
2020-09-10 13:05:43 +00:00
|
|
|
var err error
|
|
|
|
switch d.Name {
|
|
|
|
case "frontend":
|
|
|
|
err = parseFrontend(srv, d)
|
|
|
|
case "tls":
|
|
|
|
err = parseTLS(srv, d)
|
|
|
|
default:
|
|
|
|
return fmt.Errorf("unknown %q directive", d.Name)
|
|
|
|
}
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("directive %q: %v", d.Name, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2020-10-19 14:44:46 +00:00
|
|
|
func parseFrontend(srv *Server, d *scfg.Directive) error {
|
2020-12-11 10:17:58 +00:00
|
|
|
frontend := &Frontend{}
|
2020-09-10 13:05:43 +00:00
|
|
|
srv.Frontends = append(srv.Frontends, frontend)
|
|
|
|
|
|
|
|
// TODO: support multiple backends
|
2020-10-19 14:44:46 +00:00
|
|
|
backendDirective := d.Children.Get("backend")
|
2020-09-10 13:05:43 +00:00
|
|
|
if backendDirective == nil {
|
|
|
|
return fmt.Errorf("missing backend directive in frontend block")
|
|
|
|
}
|
|
|
|
if err := parseBackend(&frontend.Backend, backendDirective); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2020-10-19 15:27:29 +00:00
|
|
|
unmanaged := false
|
|
|
|
tlsDirective := d.Children.Get("tls")
|
|
|
|
if tlsDirective != nil {
|
|
|
|
var err error
|
|
|
|
unmanaged, err = parseFrontendTLS(srv, tlsDirective)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-10-19 08:53:36 +00:00
|
|
|
protocolDirective := d.Children.Get("protocol")
|
|
|
|
if protocolDirective != nil {
|
|
|
|
frontend.Protocols = protocolDirective.Params
|
|
|
|
}
|
|
|
|
|
2022-06-25 09:43:16 +00:00
|
|
|
addresses := append([]string(nil), d.Params...)
|
|
|
|
for _, listenDirective := range d.Children.GetAll("listen") {
|
|
|
|
addresses = append(addresses, listenDirective.Params...)
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, addr := range addresses {
|
2020-09-12 11:41:11 +00:00
|
|
|
host, port, err := net.SplitHostPort(addr)
|
2020-09-10 13:05:43 +00:00
|
|
|
if err != nil {
|
2020-09-12 11:41:11 +00:00
|
|
|
return fmt.Errorf("failed to parse frontend address %q: %v", addr, err)
|
2020-09-10 13:05:43 +00:00
|
|
|
}
|
|
|
|
|
2020-10-19 15:27:29 +00:00
|
|
|
if host != "" && !unmanaged {
|
2020-09-12 11:41:11 +00:00
|
|
|
srv.ManagedNames = append(srv.ManagedNames, host)
|
2020-09-10 13:05:43 +00:00
|
|
|
}
|
|
|
|
|
2020-09-12 11:41:11 +00:00
|
|
|
// TODO: allow to customize listen host
|
|
|
|
addr := net.JoinHostPort("", port)
|
2020-09-10 13:05:43 +00:00
|
|
|
|
|
|
|
ln := srv.RegisterListener(addr)
|
2020-09-12 11:41:11 +00:00
|
|
|
if err := ln.RegisterFrontend(host, frontend); err != nil {
|
2020-09-10 13:05:43 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2020-10-19 14:44:46 +00:00
|
|
|
func parseBackend(backend *Backend, d *scfg.Directive) error {
|
2020-09-10 13:05:43 +00:00
|
|
|
var backendURI string
|
|
|
|
if err := d.ParseParams(&backendURI); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if !strings.Contains(backendURI, ":/") {
|
|
|
|
// This is a raw domain name, make it an URL with an empty scheme
|
|
|
|
backendURI = "//" + backendURI
|
|
|
|
}
|
|
|
|
|
|
|
|
u, err := url.Parse(backendURI)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("failed to parse backend URI %q: %v", backendURI, err)
|
|
|
|
}
|
|
|
|
|
|
|
|
if strings.HasSuffix(u.Scheme, "+proxy") {
|
|
|
|
u.Scheme = strings.TrimSuffix(u.Scheme, "+proxy")
|
|
|
|
backend.Proxy = true
|
|
|
|
}
|
|
|
|
|
|
|
|
switch u.Scheme {
|
2020-10-31 09:34:02 +00:00
|
|
|
case "tls":
|
|
|
|
host, _, err := net.SplitHostPort(u.Host)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("failed to parse backend address %q: %v", u.Host, err)
|
|
|
|
}
|
|
|
|
backend.TLSConfig = &tls.Config{
|
|
|
|
ServerName: host,
|
|
|
|
}
|
|
|
|
fallthrough
|
2020-09-10 13:05:43 +00:00
|
|
|
case "", "tcp":
|
|
|
|
backend.Network = "tcp"
|
|
|
|
backend.Address = u.Host
|
|
|
|
case "unix":
|
|
|
|
backend.Network = "unix"
|
2020-11-06 15:34:07 +00:00
|
|
|
backend.Address = u.Path
|
2020-09-10 13:05:43 +00:00
|
|
|
default:
|
|
|
|
return fmt.Errorf("failed to setup backend %q: unsupported URI scheme", backendURI)
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2020-10-19 15:27:29 +00:00
|
|
|
func parseFrontendTLS(srv *Server, d *scfg.Directive) (unmanaged bool, err error) {
|
|
|
|
for _, child := range d.Children {
|
|
|
|
switch child.Name {
|
|
|
|
case "load":
|
|
|
|
var certPath, keyPath string
|
|
|
|
if err := child.ParseParams(&certPath, &keyPath); err != nil {
|
|
|
|
return false, err
|
|
|
|
}
|
|
|
|
|
|
|
|
cert, err := tls.LoadX509KeyPair(certPath, keyPath)
|
|
|
|
if err != nil {
|
|
|
|
return false, fmt.Errorf("directive \"load\": %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
srv.UnmanagedCerts = append(srv.UnmanagedCerts, cert)
|
|
|
|
unmanaged = true
|
|
|
|
default:
|
|
|
|
return false, fmt.Errorf("unknown %q directive", child.Name)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return unmanaged, nil
|
|
|
|
}
|
|
|
|
|
2020-10-19 14:44:46 +00:00
|
|
|
func parseTLS(srv *Server, d *scfg.Directive) error {
|
2020-09-10 13:05:43 +00:00
|
|
|
for _, child := range d.Children {
|
|
|
|
switch child.Name {
|
|
|
|
case "acme_ca":
|
|
|
|
var caURL string
|
|
|
|
if err := child.ParseParams(&caURL); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
srv.ACMEManager.CA = caURL
|
2020-10-02 13:51:43 +00:00
|
|
|
case "email":
|
|
|
|
var email string
|
|
|
|
if err := child.ParseParams(&email); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
srv.ACMEManager.Email = email
|
2021-02-17 17:34:13 +00:00
|
|
|
case "on_demand":
|
2021-02-17 18:44:57 +00:00
|
|
|
if err := parseTLSOnDemand(srv, child); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2020-09-10 13:05:43 +00:00
|
|
|
default:
|
|
|
|
return fmt.Errorf("unknown %q directive", child.Name)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
2021-02-17 18:44:57 +00:00
|
|
|
|
|
|
|
func parseTLSOnDemand(srv *Server, d *scfg.Directive) error {
|
|
|
|
if srv.ACMEConfig.OnDemand == nil {
|
|
|
|
srv.ACMEConfig.OnDemand = &certmagic.OnDemandConfig{}
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, child := range d.Children {
|
|
|
|
switch child.Name {
|
|
|
|
case "validate_command":
|
|
|
|
var cmdName string
|
|
|
|
if err := child.ParseParams(&cmdName); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
decisionFunc := srv.ACMEConfig.OnDemand.DecisionFunc
|
|
|
|
srv.ACMEConfig.OnDemand.DecisionFunc = func(name string) error {
|
|
|
|
if decisionFunc != nil {
|
|
|
|
if err := decisionFunc(name); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
2021-08-03 13:27:02 +00:00
|
|
|
|
|
|
|
// If the user has explicitly requested a certificate for this
|
|
|
|
// name to be maintained, no need to perform the command check
|
|
|
|
for _, n := range srv.ManagedNames {
|
|
|
|
if strings.EqualFold(n, name) {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-02-17 18:44:57 +00:00
|
|
|
cmd := exec.Command(cmdName, child.Params[1:]...)
|
|
|
|
cmd.Env = append(os.Environ(), "TLSTUNNEL_NAME="+name)
|
|
|
|
if err := cmd.Run(); err != nil {
|
|
|
|
return fmt.Errorf("failed to validate domain %q with command %q: %v", name, cmdName, err)
|
|
|
|
}
|
2021-08-03 13:27:02 +00:00
|
|
|
|
2021-02-17 18:44:57 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
default:
|
|
|
|
return fmt.Errorf("unknown %q directive", child.Name)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|