Wildcards #2

Merged
PapaTutuWawa merged 17 commits from feat/wildcards into master 2024-01-11 20:04:50 +00:00


@ -2,6 +2,7 @@ package server
import ( import (
"crypto/tls" "crypto/tls"
"errors"
"strings" "strings"
"sync" "sync"
@ -63,32 +64,39 @@ func getDomainKey(domain, pagesDomain string) string {
return domain return domain
} }
func usernameFromDomain(domain string) string {
return strings.Split(domain, ".")[0]
}
func getUsername(sni, pagesDomain string) (string, error) {
if !strings.HasSuffix(sni, pagesDomain) {
log.Debugf("'%s' is not a subdomain of '%s'", sni, pagesDomain)
// Note: We do not check err here because err != nil
// always implies that cname == "", which does not have
// pagesDomain as a suffix.
query, err := dns.LookupCNAME(sni)
if !strings.HasSuffix(query, pagesDomain) {
log.Warnf("Got ServerName for Domain %s that we're not responsible for. CNAME '%s', err: %v", sni, query, err)
return "", errors.New("CNAME does not resolve to subdomain of pages domain")
}
return usernameFromDomain(query), nil
}
return usernameFromDomain(sni), nil
}
func MakeTlsConfig(pagesDomain, cachePath string, cache *certificates.CertificatesCache, acmeClient *lego.Client, giteaClient *repo.GiteaClient) *tls.Config { func MakeTlsConfig(pagesDomain, cachePath string, cache *certificates.CertificatesCache, acmeClient *lego.Client, giteaClient *repo.GiteaClient) *tls.Config {
return &tls.Config{ return &tls.Config{
GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) { GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
// Validate that we should even care about this domain // Validate that we should even care about this domain
isPagesDomain := info.ServerName == pagesDomain isPagesDomain := info.ServerName == pagesDomain
cname := "" username, err := getUsername(info.ServerName, pagesDomain)
if !strings.HasSuffix(info.ServerName, pagesDomain) { if err != nil {
// Note: We do not check err here because err != nil log.Warnf("Failed to get username for %s: %v", info.ServerName, err)
// always implies that cname == "", which does not have
// pagesDomain as a suffix.
cname, err := dns.LookupCNAME(info.ServerName)
if !strings.HasSuffix(cname, pagesDomain) {
log.Warnf("Got ServerName for Domain %s that we're not responsible for. CNAME '%s', err: %v", info.ServerName, cname, err)
return cache.FallbackCertificate.TlsCertificate, nil return cache.FallbackCertificate.TlsCertificate, nil
} }
}
// Figure out a username for later username checks
username := ""
if cname == "" {
// domain ends on pagesDomain
username = strings.Split(info.ServerName, ".")[0]
} else {
// cname ends on pagesDomain
username = strings.Split(cname, ".")[0]
}
// Find the correct certificate // Find the correct certificate
domainKey := getDomainKey(info.ServerName, pagesDomain) domainKey := getDomainKey(info.ServerName, pagesDomain)
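Review bot: The suffix checks in getUsername (`strings.HasSuffix(sni, pagesDomain)` and the same test on the CNAME result) are not anchored at a label boundary, so with pagesDomain `pages.example.com` a ServerName or CNAME target such as `evilpages.example.com` is accepted and `usernameFromDomain` returns `evilpages`, classifying a name outside the pages zone as a user subdomain. I would introduce one helper and use it for both checks: `func isPagesName(name, pagesDomain string) bool { return name == pagesDomain || strings.HasSuffix(name, "."+pagesDomain) }`, which keeps the bare pagesDomain behaviour the caller relies on via `isPagesDomain`. If `dns.LookupCNAME` wraps `net.LookupCNAME` the answer carries a trailing dot and should be normalised with `strings.TrimSuffix(query, ".")` before the comparison; I cannot tell from this hunk whether the wrapper already does that. Separately, the refactor preserves a synchronous, unbounded DNS lookup inside GetCertificate for every handshake with an unrecognised SNI, which any unauthenticated client can trigger; a short timeout or a small negative cache in front of it is worth a comment such as `// NOTE: attacker-controlled SNI drives this lookup; keep it bounded`.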