2019-03-11 18:56:48 +02:00
package http01
2016-01-15 06:06:25 +02:00
import (
"fmt"
2021-12-09 19:27:37 +02:00
"io/fs"
2016-01-15 06:06:25 +02:00
"net"
"net/http"
2019-10-05 13:44:38 +02:00
"net/textproto"
2021-12-09 19:27:37 +02:00
"os"
2016-01-15 06:06:25 +02:00
"strings"
2018-05-30 19:53:04 +02:00
2020-09-02 03:20:01 +02:00
"github.com/go-acme/lego/v4/log"
2016-01-15 06:06:25 +02:00
)
2020-05-08 19:35:25 +02:00
// ProviderServer implements ChallengeProvider for `http-01` challenge.
2018-12-06 23:50:17 +02:00
// It may be instantiated without using the NewProviderServer function if
2016-02-14 17:56:14 +02:00
// you want only to use the default values.
2018-12-06 23:50:17 +02:00
type ProviderServer struct {
2021-12-09 19:27:37 +02:00
address string
network string // must be valid argument to net.Listen
socketMode fs . FileMode
2019-10-05 13:44:38 +02:00
matcher domainMatcher
2016-01-15 06:06:25 +02:00
done chan bool
listener net . Listener
}
2018-12-06 23:50:17 +02:00
// NewProviderServer creates a new ProviderServer on the selected interface and port.
2016-02-14 17:56:14 +02:00
// Setting iface and / or port to an empty string will make the server fall back to
// the "any" interface and port 80 respectively.
2018-12-06 23:50:17 +02:00
func NewProviderServer ( iface , port string ) * ProviderServer {
2019-10-05 13:44:38 +02:00
if port == "" {
port = "80"
}
2021-12-09 19:27:37 +02:00
return & ProviderServer { network : "tcp" , address : net . JoinHostPort ( iface , port ) , matcher : & hostMatcher { } }
}
func NewUnixProviderServer ( socketPath string , mode fs . FileMode ) * ProviderServer {
return & ProviderServer { network : "unix" , address : socketPath , socketMode : mode , matcher : & hostMatcher { } }
2016-02-14 17:56:14 +02:00
}
2018-12-06 23:50:17 +02:00
// Present starts a web server and makes the token available at `ChallengePath(token)` for web requests.
func ( s * ProviderServer ) Present ( domain , token , keyAuth string ) error {
2016-01-15 06:06:25 +02:00
var err error
2021-12-09 19:27:37 +02:00
s . listener , err = net . Listen ( s . network , s . GetAddress ( ) )
2016-01-15 06:06:25 +02:00
if err != nil {
2020-03-20 23:53:09 +02:00
return fmt . Errorf ( "could not start HTTP server for challenge: %w" , err )
2016-01-15 06:06:25 +02:00
}
2021-12-09 19:27:37 +02:00
if s . network == "unix" {
if err = os . Chmod ( s . address , s . socketMode ) ; err != nil {
return fmt . Errorf ( "chmod %s: %w" , s . address , err )
}
}
2016-01-15 06:06:25 +02:00
s . done = make ( chan bool )
2024-11-11 19:45:08 +02:00
2016-01-15 06:06:25 +02:00
go s . serve ( domain , token , keyAuth )
2024-11-11 19:45:08 +02:00
2016-01-15 06:06:25 +02:00
return nil
}
2018-12-06 23:50:17 +02:00
func ( s * ProviderServer ) GetAddress ( ) string {
2021-12-09 19:27:37 +02:00
return s . address
2018-12-06 23:50:17 +02:00
}
2020-05-08 19:35:25 +02:00
// CleanUp closes the HTTP server and removes the token from `ChallengePath(token)`.
2018-12-06 23:50:17 +02:00
func ( s * ProviderServer ) CleanUp ( domain , token , keyAuth string ) error {
2016-01-15 06:06:25 +02:00
if s . listener == nil {
return nil
}
2024-11-11 19:45:08 +02:00
2016-01-15 06:06:25 +02:00
s . listener . Close ( )
2024-11-11 19:45:08 +02:00
2016-01-15 06:06:25 +02:00
<- s . done
2024-11-11 19:45:08 +02:00
2016-01-15 06:06:25 +02:00
return nil
}
2019-10-05 13:44:38 +02:00
// SetProxyHeader changes the validation of incoming requests.
// By default, s matches the "Host" header value to the domain name.
//
// When the server runs behind a proxy server, this is not the correct place to look at;
// Apache and NGINX have traditionally moved the original Host header into a new header named "X-Forwarded-Host".
// Other webservers might use different names;
2020-05-08 19:35:25 +02:00
// and RFC7239 has standardized a new header named "Forwarded" (with slightly different semantics).
2019-10-05 13:44:38 +02:00
//
// The exact behavior depends on the value of headerName:
// - "" (the empty string) and "Host" will restore the default and only check the Host header
2021-10-22 21:26:08 +02:00
// - "Forwarded" will look for a Forwarded header, and inspect it according to https://www.rfc-editor.org/rfc/rfc7239.html
2020-05-08 19:35:25 +02:00
// - any other value will check the header value with the same name.
2019-10-05 13:44:38 +02:00
func ( s * ProviderServer ) SetProxyHeader ( headerName string ) {
switch h := textproto . CanonicalMIMEHeaderKey ( headerName ) ; h {
case "" , "Host" :
s . matcher = & hostMatcher { }
case "Forwarded" :
s . matcher = & forwardedMatcher { }
default :
s . matcher = arbitraryMatcher ( h )
}
}
2018-12-06 23:50:17 +02:00
func ( s * ProviderServer ) serve ( domain , token , keyAuth string ) {
path := ChallengePath ( token )
2016-01-15 06:06:25 +02:00
2021-12-09 19:27:37 +02:00
// The incoming request will be validated to prevent DNS rebind attacks.
2019-10-05 13:44:38 +02:00
// We only respond with the keyAuth, when we're receiving a GET requests with
// the "Host" header matching the domain (the latter is configurable though SetProxyHeader).
2016-01-15 06:06:25 +02:00
mux := http . NewServeMux ( )
mux . HandleFunc ( path , func ( w http . ResponseWriter , r * http . Request ) {
2019-10-05 13:44:38 +02:00
if r . Method == http . MethodGet && s . matcher . matches ( r , domain ) {
2020-10-17 14:51:55 +02:00
w . Header ( ) . Set ( "Content-Type" , "text/plain" )
2024-11-11 19:45:08 +02:00
2018-09-24 21:07:20 +02:00
_ , err := w . Write ( [ ] byte ( keyAuth ) )
if err != nil {
http . Error ( w , err . Error ( ) , http . StatusInternalServerError )
return
}
2024-11-11 19:45:08 +02:00
2018-06-21 19:06:16 +02:00
log . Infof ( "[%s] Served key authentication" , domain )
2024-11-11 19:45:08 +02:00
return
}
log . Warnf ( "Received request for domain %s with method %s but the domain did not match any challenge. Please ensure you are passing the %s header properly." , r . Host , r . Method , s . matcher . name ( ) )
_ , err := w . Write ( [ ] byte ( "TEST" ) )
if err != nil {
http . Error ( w , err . Error ( ) , http . StatusInternalServerError )
return
2016-01-15 06:06:25 +02:00
}
} )
2018-09-24 21:07:20 +02:00
httpServer := & http . Server { Handler : mux }
2018-12-06 23:50:17 +02:00
// Once httpServer is shut down
// we don't want any lingering connections, so disable KeepAlives.
2016-02-07 15:25:31 +02:00
httpServer . SetKeepAlivesEnabled ( false )
2018-09-24 21:07:20 +02:00
err := httpServer . Serve ( s . listener )
2018-12-06 23:50:17 +02:00
if err != nil && ! strings . Contains ( err . Error ( ) , "use of closed network connection" ) {
2018-09-24 21:07:20 +02:00
log . Println ( err )
}
2024-11-11 19:45:08 +02:00
2016-01-15 06:06:25 +02:00
s . done <- true
}