mirror of
https://github.com/mjl-/mox.git
synced 2024-12-26 00:13:47 +03:00
add a handler for the acme http-01 validiation mechanism to all plain http (non-tls) webservers (ports), not only to the one listening on port 80
because this mechanism is most needed behind a reverse proxy, where acme tls-alpn-01 won't work (because the reverse proxy won't pass on the alpn extensions). if that's the case, there is obviously a webserver on port 443. and it likely also running on port 80. so before this change, if tls-alpn-01 isn't available, http-01 also wasn't available, leaving no validation mechanisms. for issue #218 by mgkirs, thanks for reporting and details. hope this helps.
This commit is contained in:
Mechiel Lukkien
parent
354b9f4d98
commit
0fbf24160c
1 changed files with 23 additions and 9 deletions
32
http/web.go
32
http/web.go
|
|
@ -15,6 +15,7 @@ import (
|
|||
"net/http"
|
||||
"os"
|
||||
"path"
|
||||
"slices"
|
||||
"sort"
|
||||
"strings"
|
||||
"time"
|
||||
|
|
@ -605,6 +606,16 @@ func portServes(l config.Listener) map[int]*serve {
|
|||
return s
|
||||
}
|
||||
|
||||
// If TLS with ACME is enabled on this plain HTTP port, and it hasn't been enabled
|
||||
// yet, add http-01 validation mechanism handler to server.
|
||||
ensureACMEHTTP01 := func(srv *serve) {
|
||||
if l.TLS != nil && l.TLS.ACME != "" && !slices.Contains(srv.Kinds, "acme-http-01") {
|
||||
m := mox.Conf.Static.ACME[l.TLS.ACME].Manager
|
||||
srv.Kinds = append(srv.Kinds, "acme-http-01")
|
||||
srv.SystemHandle("acme-http-01", nil, "/.well-known/acme-challenge/", m.Manager.HTTPHandler(nil))
|
||||
}
|
||||
}
|
||||
|
||||
if l.TLS != nil && l.TLS.ACME != "" && (l.SMTP.Enabled && !l.SMTP.NoSTARTTLS || l.Submissions.Enabled || l.IMAPS.Enabled) {
|
||||
port := config.Port(mox.Conf.Static.ACME[l.TLS.ACME].Port, 443)
|
||||
ensureServe(true, port, "acme-tls-alpn-01", false)
|
||||
|
|
@ -620,6 +631,7 @@ func portServes(l config.Listener) map[int]*serve {
|
|||
handler := mox.SafeHeaders(http.StripPrefix(path[:len(path)-1], http.HandlerFunc(webaccount.Handler(path, l.AccountHTTP.Forwarded))))
|
||||
srv.ServiceHandle("account", accountHostMatch, path, handler)
|
||||
redirectToTrailingSlash(srv, accountHostMatch, "account", path)
|
||||
ensureACMEHTTP01(srv)
|
||||
}
|
||||
if l.AccountHTTPS.Enabled {
|
||||
port := config.Port(l.AccountHTTPS.Port, 443)
|
||||
|
|
@ -643,6 +655,7 @@ func portServes(l config.Listener) map[int]*serve {
|
|||
handler := mox.SafeHeaders(http.StripPrefix(path[:len(path)-1], http.HandlerFunc(webadmin.Handler(path, l.AdminHTTP.Forwarded))))
|
||||
srv.ServiceHandle("admin", listenerHostMatch, path, handler)
|
||||
redirectToTrailingSlash(srv, listenerHostMatch, "admin", path)
|
||||
ensureACMEHTTP01(srv)
|
||||
}
|
||||
if l.AdminHTTPS.Enabled {
|
||||
port := config.Port(l.AdminHTTPS.Port, 443)
|
||||
|
|
@ -671,6 +684,7 @@ func portServes(l config.Listener) map[int]*serve {
|
|||
handler := mox.SafeHeaders(http.StripPrefix(path[:len(path)-1], webapisrv.NewServer(maxMsgSize, path, l.WebAPIHTTP.Forwarded)))
|
||||
srv.ServiceHandle("webapi", accountHostMatch, path, handler)
|
||||
redirectToTrailingSlash(srv, accountHostMatch, "webapi", path)
|
||||
ensureACMEHTTP01(srv)
|
||||
}
|
||||
if l.WebAPIHTTPS.Enabled {
|
||||
port := config.Port(l.WebAPIHTTPS.Port, 443)
|
||||
|
|
@ -701,6 +715,7 @@ func portServes(l config.Listener) map[int]*serve {
|
|||
handler := http.StripPrefix(path[:len(path)-1], http.HandlerFunc(webmail.Handler(maxMsgSize, path, l.WebmailHTTP.Forwarded, accountPath)))
|
||||
srv.ServiceHandle("webmail", accountHostMatch, path, handler)
|
||||
redirectToTrailingSlash(srv, accountHostMatch, "webmail", path)
|
||||
ensureACMEHTTP01(srv)
|
||||
}
|
||||
if l.WebmailHTTPS.Enabled {
|
||||
port := config.Port(l.WebmailHTTPS.Port, 443)
|
||||
|
|
@ -740,6 +755,9 @@ func portServes(l config.Listener) map[int]*serve {
|
|||
if l.AutoconfigHTTPS.Enabled {
|
||||
port := config.Port(l.AutoconfigHTTPS.Port, 443)
|
||||
srv := ensureServe(!l.AutoconfigHTTPS.NonTLS, port, "autoconfig-https", false)
|
||||
if l.AutoconfigHTTPS.NonTLS {
|
||||
ensureACMEHTTP01(srv)
|
||||
}
|
||||
autoconfigMatch := func(ipdom dns.IPDomain) bool {
|
||||
dom := ipdom.Domain
|
||||
if dom.IsZero() {
|
||||
|
|
@ -767,6 +785,9 @@ func portServes(l config.Listener) map[int]*serve {
|
|||
if l.MTASTSHTTPS.Enabled {
|
||||
port := config.Port(l.MTASTSHTTPS.Port, 443)
|
||||
srv := ensureServe(!l.MTASTSHTTPS.NonTLS, port, "mtasts-https", false)
|
||||
if l.MTASTSHTTPS.NonTLS {
|
||||
ensureACMEHTTP01(srv)
|
||||
}
|
||||
mtastsMatch := func(ipdom dns.IPDomain) bool {
|
||||
// todo: may want to check this against the configured domains, could in theory be just a webserver.
|
||||
dom := ipdom.Domain
|
||||
|
|
@ -791,6 +812,7 @@ func portServes(l config.Listener) map[int]*serve {
|
|||
port := config.Port(l.WebserverHTTP.Port, 80)
|
||||
srv := ensureServe(false, port, "webserver-http", false)
|
||||
srv.Webserver = true
|
||||
ensureACMEHTTP01(srv)
|
||||
}
|
||||
if l.WebserverHTTPS.Enabled {
|
||||
port := config.Port(l.WebserverHTTPS.Port, 443)
|
||||
|
|
@ -799,15 +821,6 @@ func portServes(l config.Listener) map[int]*serve {
|
|||
}
|
||||
|
||||
if l.TLS != nil && l.TLS.ACME != "" {
|
||||
m := mox.Conf.Static.ACME[l.TLS.ACME].Manager
|
||||
|
||||
// If we are listening on port 80 for plain http, also register acme http-01
|
||||
// validation handler.
|
||||
if srv, ok := portServe[80]; ok && srv.TLSConfig == nil {
|
||||
srv.Kinds = append(srv.Kinds, "acme-http-01")
|
||||
srv.SystemHandle("acme-http-01", nil, "/.well-known/acme-challenge/", m.Manager.HTTPHandler(nil))
|
||||
}
|
||||
|
||||
hosts := map[dns.Domain]struct{}{
|
||||
mox.Conf.Static.HostnameDomain: {},
|
||||
}
|
||||
|
|
@ -832,6 +845,7 @@ func portServes(l config.Listener) map[int]*serve {
|
|||
}
|
||||
}
|
||||
|
||||
m := mox.Conf.Static.ACME[l.TLS.ACME].Manager
|
||||
ensureManagerHosts[m] = hosts
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue