2021-01-24 18:37:35 -05:00
// Copyright 2020 The Gitea Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
package cmd
import (
"net/http"
"strings"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting"
"github.com/caddyserver/certmagic"
context2 "github.com/gorilla/context"
)
func runLetsEncrypt ( listenAddr , domain , directory , email string , m http . Handler ) error {
// If HTTP Challenge enabled, needs to be serving on port 80. For TLSALPN needs 443.
// Due to docker port mapping this can't be checked programatically
// TODO: these are placeholders until we add options for each in settings with appropriate warning
enableHTTPChallenge := true
enableTLSALPNChallenge := true
magic := certmagic . NewDefault ( )
magic . Storage = & certmagic . FileStorage { Path : directory }
myACME := certmagic . NewACMEManager ( magic , certmagic . ACMEManager {
Email : email ,
Agreed : setting . LetsEncryptTOS ,
DisableHTTPChallenge : ! enableHTTPChallenge ,
DisableTLSALPNChallenge : ! enableTLSALPNChallenge ,
} )
magic . Issuer = myACME
// this obtains certificates or renews them if necessary
err := magic . ManageSync ( [ ] string { domain } )
if err != nil {
return err
}
tlsConfig := magic . TLSConfig ( )
if enableHTTPChallenge {
go func ( ) {
log . Info ( "Running Let's Encrypt handler on %s" , setting . HTTPAddr + ":" + setting . PortToRedirect )
// all traffic coming into HTTP will be redirect to HTTPS automatically (LE HTTP-01 validation happens here)
2021-03-08 02:43:59 +00:00
var err = runHTTP ( "tcp" , setting . HTTPAddr + ":" + setting . PortToRedirect , "Let's Encrypt HTTP Challenge" , myACME . HTTPChallengeHandler ( http . HandlerFunc ( runLetsEncryptFallbackHandler ) ) )
2021-01-24 18:37:35 -05:00
if err != nil {
log . Fatal ( "Failed to start the Let's Encrypt handler on port %s: %v" , setting . PortToRedirect , err )
}
} ( )
}
2021-03-08 02:43:59 +00:00
return runHTTPSWithTLSConfig ( "tcp" , listenAddr , "Web" , tlsConfig , context2 . ClearHandler ( m ) )
2021-01-24 18:37:35 -05:00
}
func runLetsEncryptFallbackHandler ( w http . ResponseWriter , r * http . Request ) {
if r . Method != "GET" && r . Method != "HEAD" {
http . Error ( w , "Use HTTPS" , http . StatusBadRequest )
return
}
// Remove the trailing slash at the end of setting.AppURL, the request
// URI always contains a leading slash, which would result in a double
// slash
target := strings . TrimSuffix ( setting . AppURL , "/" ) + r . URL . RequestURI ( )
http . Redirect ( w , r , target , http . StatusFound )
}