143 lines
4.6 KiB
Go
143 lines
4.6 KiB
Go
package cmd
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"crypto/tls"
|
|
"errors"
|
|
"fmt"
|
|
"net"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/rs/zerolog"
|
|
"github.com/rs/zerolog/log"
|
|
"github.com/urfave/cli/v2"
|
|
|
|
"codeberg.org/codeberg/pages/server"
|
|
"codeberg.org/codeberg/pages/server/cache"
|
|
"codeberg.org/codeberg/pages/server/certificates"
|
|
"codeberg.org/codeberg/pages/server/database"
|
|
)
|
|
|
|
// AllowedCorsDomains lists the domains for which Cross-Origin Resource Sharing is allowed.
|
|
// TODO: make it a flag
|
|
var AllowedCorsDomains = [][]byte{
|
|
[]byte("tilde.team"),
|
|
}
|
|
|
|
// BlacklistedPaths specifies forbidden path prefixes for all Codeberg Pages.
|
|
// TODO: Make it a flag too
|
|
var BlacklistedPaths = [][]byte{
|
|
[]byte("/.well-known/acme-challenge/"),
|
|
}
|
|
|
|
// Serve sets up and starts the web server.
|
|
func Serve(ctx *cli.Context) error {
|
|
verbose := ctx.Bool("verbose")
|
|
if !verbose {
|
|
zerolog.SetGlobalLevel(zerolog.InfoLevel)
|
|
}
|
|
|
|
giteaRoot := strings.TrimSuffix(ctx.String("gitea-root"), "/")
|
|
giteaAPIToken := ctx.String("gitea-api-token")
|
|
rawDomain := ctx.String("raw-domain")
|
|
mainDomainSuffix := []byte(ctx.String("pages-domain"))
|
|
rawInfoPage := ctx.String("raw-info-page")
|
|
listeningAddress := fmt.Sprintf("%s:%s", ctx.String("host"), ctx.String("port"))
|
|
enableHTTPServer := ctx.Bool("enable-http-server")
|
|
|
|
acmeAPI := ctx.String("acme-api-endpoint")
|
|
acmeMail := ctx.String("acme-email")
|
|
acmeUseRateLimits := ctx.Bool("acme-use-rate-limits")
|
|
acmeAcceptTerms := ctx.Bool("acme-accept-terms")
|
|
acmeEabKID := ctx.String("acme-eab-kid")
|
|
acmeEabHmac := ctx.String("acme-eab-hmac")
|
|
dnsProvider := ctx.String("dns-provider")
|
|
if (!acmeAcceptTerms || dnsProvider == "") && acmeAPI != "https://acme.mock.directory" {
|
|
return errors.New("you must set $ACME_ACCEPT_TERMS and $DNS_PROVIDER, unless $ACME_API is set to https://acme.mock.directory")
|
|
}
|
|
|
|
allowedCorsDomains := AllowedCorsDomains
|
|
if len(rawDomain) != 0 {
|
|
allowedCorsDomains = append(allowedCorsDomains, []byte(rawDomain))
|
|
}
|
|
|
|
// Make sure MainDomain has a trailing dot, and GiteaRoot has no trailing slash
|
|
if !bytes.HasPrefix(mainDomainSuffix, []byte{'.'}) {
|
|
mainDomainSuffix = append([]byte{'.'}, mainDomainSuffix...)
|
|
}
|
|
|
|
keyCache := cache.NewKeyValueCache()
|
|
challengeCache := cache.NewKeyValueCache()
|
|
// canonicalDomainCache stores canonical domains
|
|
canonicalDomainCache := cache.NewKeyValueCache()
|
|
// dnsLookupCache stores DNS lookups for custom domains
|
|
dnsLookupCache := cache.NewKeyValueCache()
|
|
// branchTimestampCache stores branch timestamps for faster cache checking
|
|
branchTimestampCache := cache.NewKeyValueCache()
|
|
// fileResponseCache stores responses from the Gitea server
|
|
// TODO: make this an MRU cache with a size limit
|
|
fileResponseCache := cache.NewKeyValueCache()
|
|
|
|
// Create handler based on settings
|
|
handler := server.Handler(mainDomainSuffix, []byte(rawDomain),
|
|
giteaRoot, rawInfoPage, giteaAPIToken,
|
|
BlacklistedPaths, allowedCorsDomains,
|
|
dnsLookupCache, canonicalDomainCache, branchTimestampCache, fileResponseCache)
|
|
|
|
fastServer := server.SetupServer(handler)
|
|
httpServer := server.SetupHTTPACMEChallengeServer(challengeCache)
|
|
|
|
// Setup listener and TLS
|
|
log.Info().Msgf("Listening on https://%s", listeningAddress)
|
|
listener, err := net.Listen("tcp", listeningAddress)
|
|
if err != nil {
|
|
return fmt.Errorf("couldn't create listener: %s", err)
|
|
}
|
|
|
|
// TODO: make "key-database.pogreb" set via flag
|
|
certDB, err := database.New("key-database.pogreb")
|
|
if err != nil {
|
|
return fmt.Errorf("could not create database: %v", err)
|
|
}
|
|
defer certDB.Close() //nolint:errcheck // database has no close ... sync behave like it
|
|
|
|
listener = tls.NewListener(listener, certificates.TLSConfig(mainDomainSuffix,
|
|
giteaRoot, giteaAPIToken, dnsProvider,
|
|
acmeUseRateLimits,
|
|
keyCache, challengeCache, dnsLookupCache, canonicalDomainCache,
|
|
certDB))
|
|
|
|
acmeConfig, err := certificates.SetupAcmeConfig(acmeAPI, acmeMail, acmeEabHmac, acmeEabKID, acmeAcceptTerms)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if err := certificates.SetupCertificates(mainDomainSuffix, dnsProvider, acmeConfig, acmeUseRateLimits, enableHTTPServer, challengeCache, certDB); err != nil {
|
|
return err
|
|
}
|
|
|
|
interval := 12 * time.Hour
|
|
certMaintainCtx, cancelCertMaintain := context.WithCancel(context.Background())
|
|
defer cancelCertMaintain()
|
|
go certificates.MaintainCertDB(certMaintainCtx, interval, mainDomainSuffix, dnsProvider, acmeUseRateLimits, certDB)
|
|
|
|
if enableHTTPServer {
|
|
go func() {
|
|
err := httpServer.ListenAndServe("[::]:80")
|
|
if err != nil {
|
|
log.Panic().Err(err).Msg("Couldn't start HTTP fastServer")
|
|
}
|
|
}()
|
|
}
|
|
|
|
// Start the web fastServer
|
|
err = fastServer.Serve(listener)
|
|
if err != nil {
|
|
log.Panic().Err(err).Msg("Couldn't start fastServer")
|
|
}
|
|
|
|
return nil
|
|
}
|