fix: Fix username extraction
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
This commit is contained in:
parent
c0b87be246
commit
412e5d2fac
@ -2,6 +2,7 @@ package server
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"crypto/tls"
|
"crypto/tls"
|
||||||
|
"errors"
|
||||||
"strings"
|
"strings"
|
||||||
"sync"
|
"sync"
|
||||||
|
|
||||||
@ -63,31 +64,38 @@ func getDomainKey(domain, pagesDomain string) string {
|
|||||||
return domain
|
return domain
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func usernameFromDomain(domain string) string {
|
||||||
|
return strings.Split(domain, ".")[0]
|
||||||
|
}
|
||||||
|
|
||||||
|
func getUsername(sni, pagesDomain string) (string, error) {
|
||||||
|
if !strings.HasSuffix(sni, pagesDomain) {
|
||||||
|
log.Debugf("'%s' is not a subdomain of '%s'", sni, pagesDomain)
|
||||||
|
|
||||||
|
// Note: We do not check err here because err != nil
|
||||||
|
// always implies that cname == "", which does not have
|
||||||
|
// pagesDomain as a suffix.
|
||||||
|
query, err := dns.LookupCNAME(sni)
|
||||||
|
if !strings.HasSuffix(query, pagesDomain) {
|
||||||
|
log.Warnf("Got ServerName for Domain %s that we're not responsible for. CNAME '%s', err: %v", sni, query, err)
|
||||||
|
return "", errors.New("CNAME does not resolve to subdomain of pages domain")
|
||||||
|
}
|
||||||
|
|
||||||
|
return usernameFromDomain(query), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
return usernameFromDomain(sni), nil
|
||||||
|
}
|
||||||
|
|
||||||
func MakeTlsConfig(pagesDomain, cachePath string, cache *certificates.CertificatesCache, acmeClient *lego.Client, giteaClient *repo.GiteaClient) *tls.Config {
|
func MakeTlsConfig(pagesDomain, cachePath string, cache *certificates.CertificatesCache, acmeClient *lego.Client, giteaClient *repo.GiteaClient) *tls.Config {
|
||||||
return &tls.Config{
|
return &tls.Config{
|
||||||
GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
||||||
// Validate that we should even care about this domain
|
// Validate that we should even care about this domain
|
||||||
isPagesDomain := info.ServerName == pagesDomain
|
isPagesDomain := info.ServerName == pagesDomain
|
||||||
cname := ""
|
username, err := getUsername(info.ServerName, pagesDomain)
|
||||||
if !strings.HasSuffix(info.ServerName, pagesDomain) {
|
if err != nil {
|
||||||
// Note: We do not check err here because err != nil
|
log.Warnf("Failed to get username for %s: %v", info.ServerName, err)
|
||||||
// always implies that cname == "", which does not have
|
return cache.FallbackCertificate.TlsCertificate, nil
|
||||||
// pagesDomain as a suffix.
|
|
||||||
cname, err := dns.LookupCNAME(info.ServerName)
|
|
||||||
if !strings.HasSuffix(cname, pagesDomain) {
|
|
||||||
log.Warnf("Got ServerName for Domain %s that we're not responsible for. CNAME '%s', err: %v", info.ServerName, cname, err)
|
|
||||||
return cache.FallbackCertificate.TlsCertificate, nil
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Figure out a username for later username checks
|
|
||||||
username := ""
|
|
||||||
if cname == "" {
|
|
||||||
// domain ends on pagesDomain
|
|
||||||
username = strings.Split(info.ServerName, ".")[0]
|
|
||||||
} else {
|
|
||||||
// cname ends on pagesDomain
|
|
||||||
username = strings.Split(cname, ".")[0]
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Find the correct certificate
|
// Find the correct certificate
|
||||||
|
Loading…
Reference in New Issue
Block a user