fix: Fix username extraction
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
This commit is contained in:
parent
c0b87be246
commit
412e5d2fac
@ -2,6 +2,7 @@ package server
|
||||
|
||||
import (
|
||||
"crypto/tls"
|
||||
"errors"
|
||||
"strings"
|
||||
"sync"
|
||||
|
||||
@ -63,32 +64,39 @@ func getDomainKey(domain, pagesDomain string) string {
|
||||
return domain
|
||||
}
|
||||
|
||||
func usernameFromDomain(domain string) string {
|
||||
return strings.Split(domain, ".")[0]
|
||||
}
|
||||
|
||||
func getUsername(sni, pagesDomain string) (string, error) {
|
||||
if !strings.HasSuffix(sni, pagesDomain) {
|
||||
log.Debugf("'%s' is not a subdomain of '%s'", sni, pagesDomain)
|
||||
|
||||
// Note: We do not check err here because err != nil
|
||||
// always implies that cname == "", which does not have
|
||||
// pagesDomain as a suffix.
|
||||
query, err := dns.LookupCNAME(sni)
|
||||
if !strings.HasSuffix(query, pagesDomain) {
|
||||
log.Warnf("Got ServerName for Domain %s that we're not responsible for. CNAME '%s', err: %v", sni, query, err)
|
||||
return "", errors.New("CNAME does not resolve to subdomain of pages domain")
|
||||
}
|
||||
|
||||
return usernameFromDomain(query), nil
|
||||
}
|
||||
|
||||
return usernameFromDomain(sni), nil
|
||||
}
|
||||
|
||||
func MakeTlsConfig(pagesDomain, cachePath string, cache *certificates.CertificatesCache, acmeClient *lego.Client, giteaClient *repo.GiteaClient) *tls.Config {
|
||||
return &tls.Config{
|
||||
GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
||||
// Validate that we should even care about this domain
|
||||
isPagesDomain := info.ServerName == pagesDomain
|
||||
cname := ""
|
||||
if !strings.HasSuffix(info.ServerName, pagesDomain) {
|
||||
// Note: We do not check err here because err != nil
|
||||
// always implies that cname == "", which does not have
|
||||
// pagesDomain as a suffix.
|
||||
cname, err := dns.LookupCNAME(info.ServerName)
|
||||
if !strings.HasSuffix(cname, pagesDomain) {
|
||||
log.Warnf("Got ServerName for Domain %s that we're not responsible for. CNAME '%s', err: %v", info.ServerName, cname, err)
|
||||
username, err := getUsername(info.ServerName, pagesDomain)
|
||||
if err != nil {
|
||||
log.Warnf("Failed to get username for %s: %v", info.ServerName, err)
|
||||
return cache.FallbackCertificate.TlsCertificate, nil
|
||||
}
|
||||
}
|
||||
|
||||
// Figure out a username for later username checks
|
||||
username := ""
|
||||
if cname == "" {
|
||||
// domain ends on pagesDomain
|
||||
username = strings.Split(info.ServerName, ".")[0]
|
||||
} else {
|
||||
// cname ends on pagesDomain
|
||||
username = strings.Split(cname, ".")[0]
|
||||
}
|
||||
|
||||
// Find the correct certificate
|
||||
domainKey := getDomainKey(info.ServerName, pagesDomain)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user