2019-07-01 01:07:58 +03:00
|
|
|
// Copyright 2015 Matthew Holt and The Caddy Authors
|
|
|
|
//
|
|
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
// you may not use this file except in compliance with the License.
|
|
|
|
// You may obtain a copy of the License at
|
|
|
|
//
|
|
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
//
|
|
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
// See the License for the specific language governing permissions and
|
|
|
|
// limitations under the License.
|
|
|
|
|
2019-04-25 22:54:48 +03:00
|
|
|
package caddytls
|
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto/tls"
|
|
|
|
"encoding/json"
|
|
|
|
"fmt"
|
2019-07-01 20:47:46 +03:00
|
|
|
"log"
|
2019-04-25 22:54:48 +03:00
|
|
|
"net/http"
|
2019-07-01 20:47:46 +03:00
|
|
|
"os"
|
2019-06-21 05:36:29 +03:00
|
|
|
"time"
|
2019-04-25 22:54:48 +03:00
|
|
|
|
2019-07-02 21:37:06 +03:00
|
|
|
"github.com/caddyserver/caddy/v2"
|
2019-04-25 22:54:48 +03:00
|
|
|
"github.com/go-acme/lego/challenge"
|
|
|
|
"github.com/mholt/certmagic"
|
2019-06-21 05:36:29 +03:00
|
|
|
"golang.org/x/time/rate"
|
2019-04-25 22:54:48 +03:00
|
|
|
)
|
|
|
|
|
|
|
|
func init() {
|
2019-06-14 20:58:28 +03:00
|
|
|
caddy.RegisterModule(caddy.Module{
|
2019-04-25 22:54:48 +03:00
|
|
|
Name: "tls",
|
2019-05-21 23:22:21 +03:00
|
|
|
New: func() interface{} { return new(TLS) },
|
2019-04-25 22:54:48 +03:00
|
|
|
})
|
2019-07-01 20:47:46 +03:00
|
|
|
|
|
|
|
// opt-in TLS 1.3 for Go1.12
|
|
|
|
// TODO: remove this line when Go1.13 is released.
|
|
|
|
if err := os.Setenv("GODEBUG", os.Getenv("GODEBUG")+",tls13=1"); err != nil {
|
|
|
|
log.Println("[ERROR] failed to set environment variable: ", err)
|
|
|
|
}
|
2019-04-25 22:54:48 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
// TLS represents a process-wide TLS configuration.
|
|
|
|
type TLS struct {
|
2019-05-30 08:11:46 +03:00
|
|
|
Certificates map[string]json.RawMessage `json:"certificates,omitempty"`
|
2019-08-09 21:05:47 +03:00
|
|
|
Automation AutomationConfig `json:"automation"`
|
|
|
|
SessionTickets SessionTicketService `json:"session_tickets"`
|
2019-04-25 22:54:48 +03:00
|
|
|
|
|
|
|
certificateLoaders []CertificateLoader
|
|
|
|
certCache *certmagic.Cache
|
2019-06-14 20:58:28 +03:00
|
|
|
ctx caddy.Context
|
2019-04-25 22:54:48 +03:00
|
|
|
}
|
|
|
|
|
2019-04-26 21:35:39 +03:00
|
|
|
// Provision sets up the configuration for the TLS app.
|
2019-06-14 20:58:28 +03:00
|
|
|
func (t *TLS) Provision(ctx caddy.Context) error {
|
2019-05-17 01:05:38 +03:00
|
|
|
t.ctx = ctx
|
|
|
|
|
2019-04-25 22:54:48 +03:00
|
|
|
// set up the certificate cache
|
|
|
|
// TODO: this makes a new cache every time; better to only make a new
|
|
|
|
// cache (or even better, add/remove only what is necessary) if the
|
|
|
|
// certificates config has been updated
|
|
|
|
t.certCache = certmagic.NewCache(certmagic.CacheOptions{
|
|
|
|
GetConfigForCert: func(cert certmagic.Certificate) (certmagic.Config, error) {
|
|
|
|
return t.getConfigForName(cert.Names[0])
|
|
|
|
},
|
|
|
|
})
|
|
|
|
|
2019-05-30 08:11:46 +03:00
|
|
|
// automation/management policies
|
2019-04-25 22:54:48 +03:00
|
|
|
for i, ap := range t.Automation.Policies {
|
2019-06-05 07:43:21 +03:00
|
|
|
val, err := ctx.LoadModuleInline("module", "tls.management", ap.ManagementRaw)
|
2019-04-25 22:54:48 +03:00
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("loading TLS automation management module: %s", err)
|
|
|
|
}
|
2019-06-05 07:43:21 +03:00
|
|
|
t.Automation.Policies[i].Management = val.(managerMaker)
|
|
|
|
t.Automation.Policies[i].ManagementRaw = nil // allow GC to deallocate - TODO: Does this help?
|
2019-04-25 22:54:48 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
// certificate loaders
|
|
|
|
for modName, rawMsg := range t.Certificates {
|
|
|
|
if modName == automateKey {
|
|
|
|
continue // special case; these will be loaded in later
|
|
|
|
}
|
2019-05-17 01:05:38 +03:00
|
|
|
val, err := ctx.LoadModule("tls.certificates."+modName, rawMsg)
|
2019-04-25 22:54:48 +03:00
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("loading certificate module '%s': %s", modName, err)
|
|
|
|
}
|
|
|
|
t.certificateLoaders = append(t.certificateLoaders, val.(CertificateLoader))
|
|
|
|
}
|
|
|
|
|
2019-05-30 08:11:46 +03:00
|
|
|
// session ticket ephemeral keys (STEK) service and provider
|
|
|
|
err := t.SessionTickets.provision(ctx)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("provisioning session tickets configuration: %v", err)
|
|
|
|
}
|
|
|
|
|
2019-06-21 05:36:29 +03:00
|
|
|
// on-demand rate limiting
|
|
|
|
if t.Automation.OnDemand != nil && t.Automation.OnDemand.RateLimit != nil {
|
|
|
|
limit := rate.Every(time.Duration(t.Automation.OnDemand.RateLimit.Interval))
|
|
|
|
// TODO: Burst size is not updated, see https://github.com/golang/go/issues/23575
|
|
|
|
onDemandRateLimiter.SetLimit(limit)
|
|
|
|
} else {
|
|
|
|
// if no rate limit is specified, be sure to remove any existing limit
|
|
|
|
onDemandRateLimiter.SetLimit(0)
|
|
|
|
}
|
|
|
|
|
2019-08-09 21:05:47 +03:00
|
|
|
// load manual/static (unmanaged) certificates - we do this in
|
|
|
|
// provision so that other apps (such as http) can know which
|
|
|
|
// certificates have been manually loaded
|
2019-06-27 01:03:29 +03:00
|
|
|
magic := certmagic.New(t.certCache, certmagic.Config{
|
2019-08-09 21:05:47 +03:00
|
|
|
Storage: ctx.Storage(),
|
2019-06-27 01:03:29 +03:00
|
|
|
})
|
2019-04-25 22:54:48 +03:00
|
|
|
for _, loader := range t.certificateLoaders {
|
|
|
|
certs, err := loader.LoadCertificates()
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("loading certificates: %v", err)
|
|
|
|
}
|
|
|
|
for _, cert := range certs {
|
2019-06-24 21:16:10 +03:00
|
|
|
err := magic.CacheUnmanagedTLSCertificate(cert.Certificate, cert.Tags)
|
2019-04-25 22:54:48 +03:00
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("caching unmanaged certificate: %v", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-08-09 21:05:47 +03:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Start activates the TLS module.
|
|
|
|
func (t *TLS) Start() error {
|
2019-04-25 22:54:48 +03:00
|
|
|
// load automated (managed) certificates
|
|
|
|
if automatedRawMsg, ok := t.Certificates[automateKey]; ok {
|
|
|
|
var names []string
|
|
|
|
err := json.Unmarshal(automatedRawMsg, &names)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("automate: decoding names: %v", err)
|
|
|
|
}
|
|
|
|
err = t.Manage(names)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("automate: managing %v: %v", names, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
t.Certificates = nil // allow GC to deallocate - TODO: Does this help?
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Stop stops the TLS module and cleans up any allocations.
|
|
|
|
func (t *TLS) Stop() error {
|
|
|
|
if t.certCache != nil {
|
|
|
|
// TODO: ensure locks are cleaned up too... maybe in certmagic though
|
|
|
|
t.certCache.Stop()
|
|
|
|
}
|
2019-05-30 08:11:46 +03:00
|
|
|
t.SessionTickets.stop()
|
2019-04-25 22:54:48 +03:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Manage immediately begins managing names according to the
|
|
|
|
// matching automation policy.
|
|
|
|
func (t *TLS) Manage(names []string) error {
|
|
|
|
for _, name := range names {
|
|
|
|
ap := t.getAutomationPolicyForName(name)
|
2019-05-17 01:05:38 +03:00
|
|
|
magic := certmagic.New(t.certCache, ap.makeCertMagicConfig(t.ctx))
|
2019-04-25 22:54:48 +03:00
|
|
|
err := magic.Manage([]string{name})
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("automate: manage %s: %v", name, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// HandleHTTPChallenge ensures that the HTTP challenge is handled for the
|
|
|
|
// certificate named by r.Host, if it is an HTTP challenge request.
|
|
|
|
func (t *TLS) HandleHTTPChallenge(w http.ResponseWriter, r *http.Request) bool {
|
|
|
|
if !certmagic.LooksLikeHTTPChallenge(r) {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
ap := t.getAutomationPolicyForName(r.Host)
|
2019-05-17 01:05:38 +03:00
|
|
|
magic := certmagic.New(t.certCache, ap.makeCertMagicConfig(t.ctx))
|
2019-04-25 22:54:48 +03:00
|
|
|
return magic.HandleHTTPChallenge(w, r)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (t *TLS) getConfigForName(name string) (certmagic.Config, error) {
|
|
|
|
ap := t.getAutomationPolicyForName(name)
|
2019-05-17 01:05:38 +03:00
|
|
|
return ap.makeCertMagicConfig(t.ctx), nil
|
2019-04-25 22:54:48 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
func (t *TLS) getAutomationPolicyForName(name string) AutomationPolicy {
|
|
|
|
for _, ap := range t.Automation.Policies {
|
|
|
|
if len(ap.Hosts) == 0 {
|
|
|
|
// no host filter is an automatic match
|
|
|
|
return ap
|
|
|
|
}
|
|
|
|
for _, h := range ap.Hosts {
|
|
|
|
if h == name {
|
|
|
|
return ap
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// default automation policy
|
2019-06-05 07:43:21 +03:00
|
|
|
mgmt := new(ACMEManagerMaker)
|
|
|
|
mgmt.SetDefaults()
|
|
|
|
return AutomationPolicy{Management: mgmt}
|
2019-04-25 22:54:48 +03:00
|
|
|
}
|
|
|
|
|
2019-08-09 21:05:47 +03:00
|
|
|
// CertificatesWithSAN returns the list of all certificates
|
|
|
|
// in the cache the match the given SAN value.
|
|
|
|
func (t *TLS) CertificatesWithSAN(san string) []certmagic.Certificate {
|
|
|
|
return t.certCache.CertificatesWithSAN(san)
|
|
|
|
}
|
|
|
|
|
2019-04-25 22:54:48 +03:00
|
|
|
// CertificateLoader is a type that can load certificates.
|
2019-06-24 21:16:10 +03:00
|
|
|
// Certificates can optionally be associated with tags.
|
2019-04-25 22:54:48 +03:00
|
|
|
type CertificateLoader interface {
|
2019-06-24 21:16:10 +03:00
|
|
|
LoadCertificates() ([]Certificate, error)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Certificate is a TLS certificate, optionally
|
|
|
|
// associated with arbitrary tags.
|
|
|
|
type Certificate struct {
|
|
|
|
tls.Certificate
|
|
|
|
Tags []string
|
2019-04-25 22:54:48 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
// AutomationConfig designates configuration for the
|
|
|
|
// construction and use of ACME clients.
|
|
|
|
type AutomationConfig struct {
|
|
|
|
Policies []AutomationPolicy `json:"policies,omitempty"`
|
2019-06-21 05:36:29 +03:00
|
|
|
OnDemand *OnDemandConfig `json:"on_demand,omitempty"`
|
2019-04-25 22:54:48 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
// AutomationPolicy designates the policy for automating the
|
|
|
|
// management of managed TLS certificates.
|
|
|
|
type AutomationPolicy struct {
|
2019-06-05 07:43:21 +03:00
|
|
|
Hosts []string `json:"hosts,omitempty"`
|
2019-06-21 17:52:15 +03:00
|
|
|
ManagementRaw json.RawMessage `json:"management,omitempty"`
|
2019-04-25 22:54:48 +03:00
|
|
|
|
2019-06-05 07:43:21 +03:00
|
|
|
Management managerMaker `json:"-"`
|
2019-04-25 22:54:48 +03:00
|
|
|
}
|
|
|
|
|
2019-06-21 05:36:29 +03:00
|
|
|
// makeCertMagicConfig converts ap into a CertMagic config. Passing onDemand
|
|
|
|
// is necessary because the automation policy does not have convenient access
|
|
|
|
// to the TLS app's global on-demand policies;
|
2019-06-14 20:58:28 +03:00
|
|
|
func (ap AutomationPolicy) makeCertMagicConfig(ctx caddy.Context) certmagic.Config {
|
2019-04-26 21:35:39 +03:00
|
|
|
// default manager (ACME) is a special case because of how CertMagic is designed
|
|
|
|
// TODO: refactor certmagic so that ACME manager is not a special case by extracting
|
|
|
|
// its config fields out of the certmagic.Config struct, or something...
|
2019-06-05 07:43:21 +03:00
|
|
|
if acmeMgmt, ok := ap.Management.(*ACMEManagerMaker); ok {
|
2019-05-17 01:05:38 +03:00
|
|
|
return acmeMgmt.makeCertMagicConfig(ctx)
|
2019-04-25 22:54:48 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
return certmagic.Config{
|
2019-06-05 07:43:21 +03:00
|
|
|
NewManager: ap.Management.newManager,
|
2019-04-25 22:54:48 +03:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// ChallengesConfig configures the ACME challenges.
|
|
|
|
type ChallengesConfig struct {
|
|
|
|
HTTP HTTPChallengeConfig `json:"http"`
|
|
|
|
TLSALPN TLSALPNChallengeConfig `json:"tls-alpn"`
|
2019-06-05 07:43:21 +03:00
|
|
|
DNSRaw json.RawMessage `json:"dns,omitempty"`
|
2019-04-25 22:54:48 +03:00
|
|
|
|
2019-06-05 07:43:21 +03:00
|
|
|
DNS challenge.Provider `json:"-"`
|
2019-04-25 22:54:48 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
// HTTPChallengeConfig configures the ACME HTTP challenge.
|
|
|
|
type HTTPChallengeConfig struct {
|
|
|
|
Disabled bool `json:"disabled,omitempty"`
|
|
|
|
AlternatePort int `json:"alternate_port,omitempty"`
|
|
|
|
}
|
|
|
|
|
|
|
|
// TLSALPNChallengeConfig configures the ACME TLS-ALPN challenge.
|
|
|
|
type TLSALPNChallengeConfig struct {
|
|
|
|
Disabled bool `json:"disabled,omitempty"`
|
|
|
|
AlternatePort int `json:"alternate_port,omitempty"`
|
|
|
|
}
|
|
|
|
|
|
|
|
// OnDemandConfig configures on-demand TLS, for obtaining
|
|
|
|
// needed certificates at handshake-time.
|
|
|
|
type OnDemandConfig struct {
|
2019-06-21 05:36:29 +03:00
|
|
|
RateLimit *RateLimit `json:"rate_limit,omitempty"`
|
|
|
|
Ask string `json:"ask,omitempty"`
|
|
|
|
}
|
|
|
|
|
|
|
|
// RateLimit specifies an interval with optional burst size.
|
|
|
|
type RateLimit struct {
|
|
|
|
Interval caddy.Duration `json:"interval,omitempty"`
|
|
|
|
Burst int `json:"burst,omitempty"`
|
2019-04-25 22:54:48 +03:00
|
|
|
}
|
|
|
|
|
2019-06-05 07:43:21 +03:00
|
|
|
// managerMaker makes a certificate manager.
|
|
|
|
type managerMaker interface {
|
2019-04-26 21:35:39 +03:00
|
|
|
newManager(interactive bool) (certmagic.Manager, error)
|
2019-04-25 22:54:48 +03:00
|
|
|
}
|
|
|
|
|
2019-06-21 05:36:29 +03:00
|
|
|
// These perpetual values are used for on-demand TLS.
|
|
|
|
var (
|
|
|
|
onDemandRateLimiter = rate.NewLimiter(0, 1)
|
|
|
|
onDemandAskClient = &http.Client{
|
|
|
|
Timeout: 10 * time.Second,
|
|
|
|
CheckRedirect: func(req *http.Request, via []*http.Request) error {
|
|
|
|
return fmt.Errorf("following http redirects is not allowed")
|
|
|
|
},
|
|
|
|
}
|
|
|
|
)
|
|
|
|
|
2019-04-25 22:54:48 +03:00
|
|
|
const automateKey = "automate"
|