Add `tls on_demand validate_command`
This commit is contained in:
Simon Ser
parent
0fb214afc1
commit
36ae57103c
|
|
@ -5,6 +5,8 @@ import (
|
|||
"fmt"
|
||||
"net"
|
||||
"net/url"
|
||||
"os"
|
||||
"os/exec"
|
||||
"strings"
|
||||
|
||||
"git.sr.ht/~emersion/go-scfg"
|
||||
|
|
@ -161,10 +163,46 @@ func parseTLS(srv *Server, d *scfg.Directive) error {
|
|||
}
|
||||
srv.ACMEManager.Email = email
|
||||
case "on_demand":
|
||||
srv.ACMEConfig.OnDemand = &certmagic.OnDemandConfig{}
|
||||
if err := parseTLSOnDemand(srv, child); err != nil {
|
||||
return err
|
||||
}
|
||||
default:
|
||||
return fmt.Errorf("unknown %q directive", child.Name)
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func parseTLSOnDemand(srv *Server, d *scfg.Directive) error {
|
||||
if srv.ACMEConfig.OnDemand == nil {
|
||||
srv.ACMEConfig.OnDemand = &certmagic.OnDemandConfig{}
|
||||
}
|
||||
|
||||
for _, child := range d.Children {
|
||||
switch child.Name {
|
||||
case "validate_command":
|
||||
var cmdName string
|
||||
if err := child.ParseParams(&cmdName); err != nil {
|
||||
return err
|
||||
}
|
||||
decisionFunc := srv.ACMEConfig.OnDemand.DecisionFunc
|
||||
srv.ACMEConfig.OnDemand.DecisionFunc = func(name string) error {
|
||||
if decisionFunc != nil {
|
||||
if err := decisionFunc(name); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
cmd := exec.Command(cmdName, child.Params[1:]...)
|
||||
cmd.Env = append(os.Environ(), "TLSTUNNEL_NAME="+name)
|
||||
if err := cmd.Run(); err != nil {
|
||||
return fmt.Errorf("failed to validate domain %q with command %q: %v", name, cmdName, err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
default:
|
||||
return fmt.Errorf("unknown %q directive", child.Name)
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
|
|
|||
|
|
@ -95,7 +95,7 @@ The following directives are supported:
|
|||
The email address to use when creating or selecting an existing ACME
|
||||
server account
|
||||
|
||||
*on_demand*
|
||||
*on_demand* { ... }
|
||||
Enable on-demand TLS.
|
||||
|
||||
When enabled, a TLS handshake may trigger maintenance for the relevant
|
||||
|
|
@ -104,6 +104,18 @@ The following directives are supported:
|
|||
existing certificate is available, the certificate is renewed in the
|
||||
background if necessary.
|
||||
|
||||
Warning: to prevent abuse, you should specify a _validate_command_
|
||||
sub-directive.
|
||||
|
||||
The on_demand directive supports the following optional sub-directives:
|
||||
|
||||
*validate_command* command [arguments...]
|
||||
Command to run before an on-demand certificate is obtained. If the
|
||||
command returns a non-zero exit status, the request is denied.
|
||||
|
||||
The environment will contain a *TLSTUNNEL_NAME* variable with the
|
||||
domain name to be validated.
|
||||
|
||||
# FILES
|
||||
|
||||
_/etc/tlstunnel/config_
|
||||
|
|
|
|||
Loading…
Reference in New Issue