// Package http provides HTTP listeners/servers, for // autoconfiguration/autodiscovery, the account and admin web interface and // MTA-STS policies. package http import ( "crypto/tls" "fmt" golog "log" "net" "net/http" "strings" "time" _ "net/http/pprof" "github.com/prometheus/client_golang/prometheus/promhttp" "github.com/mjl-/mox/config" "github.com/mjl-/mox/dns" "github.com/mjl-/mox/mlog" "github.com/mjl-/mox/mox-" ) var xlog = mlog.New("http") // Set some http headers that should prevent potential abuse. Better safe than sorry. func safeHeaders(fn http.HandlerFunc) http.HandlerFunc { return func(w http.ResponseWriter, r *http.Request) { h := w.Header() h.Set("X-Frame-Options", "deny") h.Set("X-Content-Type-Options", "nosniff") h.Set("Content-Security-Policy", "default-src 'self' 'unsafe-inline' data:") h.Set("Referrer-Policy", "same-origin") fn(w, r) } } // ListenAndServe starts listeners for HTTP, including those required for ACME to // generate TLS certificates. func ListenAndServe() { type serve struct { kinds []string tlsConfig *tls.Config mux *http.ServeMux } for name, l := range mox.Conf.Static.Listeners { portServe := map[int]serve{} var ensureServe func(https bool, port int, kind string) serve ensureServe = func(https bool, port int, kind string) serve { s, ok := portServe[port] if !ok { s = serve{nil, nil, &http.ServeMux{}} } s.kinds = append(s.kinds, kind) if https && port == 443 && l.TLS.ACME != "" { s.tlsConfig = l.TLS.ACMEConfig } else if https { s.tlsConfig = l.TLS.Config if l.TLS.ACME != "" { ensureServe(true, 443, "acme-tls-alpn-01") } } portServe[port] = s return s } if l.SMTP.Enabled && !l.SMTP.NoSTARTTLS || l.Submissions.Enabled || l.IMAPS.Enabled { ensureServe(true, 443, "acme-tls-alpn01") } if l.AdminHTTP.Enabled { srv := ensureServe(false, config.Port(l.AdminHTTP.Port, 80), "admin-http") srv.mux.HandleFunc("/", safeHeaders(adminIndex)) srv.mux.HandleFunc("/admin/", safeHeaders(adminHandle)) srv.mux.HandleFunc("/account/", safeHeaders(accountHandle)) } if l.AdminHTTPS.Enabled { srv := ensureServe(true, config.Port(l.AdminHTTPS.Port, 443), "admin-https") srv.mux.HandleFunc("/", safeHeaders(adminIndex)) srv.mux.HandleFunc("/admin/", safeHeaders(adminHandle)) srv.mux.HandleFunc("/account/", safeHeaders(accountHandle)) } if l.MetricsHTTP.Enabled { srv := ensureServe(false, config.Port(l.MetricsHTTP.Port, 8010), "metrics-http") srv.mux.Handle("/metrics", safeHeaders(promhttp.Handler().ServeHTTP)) srv.mux.HandleFunc("/", safeHeaders(func(w http.ResponseWriter, r *http.Request) { if r.URL.Path != "/" { http.NotFound(w, r) return } else if r.Method != "GET" { http.Error(w, http.StatusText(http.StatusMethodNotAllowed), http.StatusMethodNotAllowed) return } w.Header().Set("Content-Type", "text/html") fmt.Fprint(w, `
see /metrics`) })) } if l.AutoconfigHTTPS.Enabled { srv := ensureServe(true, 443, "autoconfig-https") srv.mux.HandleFunc("/mail/config-v1.1.xml", safeHeaders(autoconfHandle(l))) srv.mux.HandleFunc("/autodiscover/autodiscover.xml", safeHeaders(autodiscoverHandle(l))) } if l.MTASTSHTTPS.Enabled { srv := ensureServe(true, 443, "mtasts-https") srv.mux.HandleFunc("/.well-known/mta-sts.txt", safeHeaders(mtastsPolicyHandle)) } if l.PprofHTTP.Enabled { // Importing net/http/pprof registers handlers on the default serve mux. port := config.Port(l.PprofHTTP.Port, 8011) if _, ok := portServe[port]; ok { xlog.Fatal("cannot serve pprof on same endpoint as other http services") } portServe[port] = serve{[]string{"pprof-http"}, nil, http.DefaultServeMux} } // We'll explicitly ensure these TLS certs exist (e.g. are created with ACME) // immediately after startup. We only do so for our explicitly hostnames, not for // autoconfig or mta-sts DNS records, they can be requested on demand (perhaps // never). ensureHosts := map[dns.Domain]struct{}{} if l.TLS != nil && l.TLS.ACME != "" { m := mox.Conf.Static.ACME[l.TLS.ACME].Manager m.AllowHostname(mox.Conf.Static.HostnameDomain) ensureHosts[mox.Conf.Static.HostnameDomain] = struct{}{} if l.HostnameDomain.ASCII != "" { m.AllowHostname(l.HostnameDomain) ensureHosts[l.HostnameDomain] = struct{}{} } go func() { // Just in case someone adds quite some domains to their config. We don't want to // hit any ACME rate limits. if len(ensureHosts) > 10 { return } time.Sleep(1 * time.Second) i := 0 for hostname := range ensureHosts { if i > 0 { // Sleep just a little. We don't want to hammer our ACME provider, e.g. Let's Encrypt. time.Sleep(10 * time.Second) } i++ hello := &tls.ClientHelloInfo{ ServerName: hostname.ASCII, // Make us fetch an ECDSA P256 cert. // We add TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 to get around the ecDSA check in autocert. CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_AES_128_GCM_SHA256}, SupportedCurves: []tls.CurveID{tls.CurveP256}, SignatureSchemes: []tls.SignatureScheme{tls.ECDSAWithP256AndSHA256}, SupportedVersions: []uint16{tls.VersionTLS13}, } xlog.Print("ensuring certificate availability", mlog.Field("hostname", hostname)) if _, err := m.Manager.GetCertificate(hello); err != nil { xlog.Errorx("requesting automatic certificate", err, mlog.Field("hostname", hostname)) } } }() } for port, srv := range portServe { for _, ip := range l.IPs { listenAndServe(ip, port, srv.tlsConfig, name, srv.kinds, srv.mux) } } } } func adminIndex(w http.ResponseWriter, r *http.Request) { if r.URL.Path != "/" { http.NotFound(w, r) return } if r.Method != "GET" { http.Error(w, http.StatusText(http.StatusMethodNotAllowed), http.StatusMethodNotAllowed) return } const html = `