File: autocert.go

package info (click to toggle)
golang-golang-x-tools 1%3A0.0~git20190125.d66bd3c%2Bds-4
  • links: PTS, VCS
  • area: main
  • in suites: buster, buster-backports
  • size: 8,912 kB
  • sloc: asm: 1,394; yacc: 155; makefile: 109; sh: 108; ansic: 17; xml: 11
file content (88 lines) | stat: -rw-r--r-- 2,327 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
 
// Copyright 2016 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

// +build autocert

// This file adds automatic TLS certificate support (using
// golang.org/x/crypto/acme/autocert), conditional on the use of the
// autocert build tag. It sets the serveAutoCertHook func variable
// non-nil. It is used by main.go.
//
// TODO: make this the default? We're in the Go 1.8 freeze now, so
// this is too invasive to be default, but we want it for
// https://beta.golang.org/

package main

import (
	"crypto/tls"
	"flag"
	"net"
	"net/http"
	"time"

	"golang.org/x/crypto/acme/autocert"
	"golang.org/x/net/http2"
)

var (
	autoCertDirFlag  = flag.String("autocert_cache_dir", "/var/cache/autocert", "Directory to cache TLS certs")
	autoCertHostFlag = flag.String("autocert_hostname", "", "optional hostname to require in autocert SNI requests")
)

func init() {
	runHTTPS = runHTTPSAutocert
	certInit = certInitAutocert
	wrapHTTPMux = wrapHTTPMuxAutocert
}

var autocertManager *autocert.Manager

func certInitAutocert() {
	autocertManager = &autocert.Manager{
		Cache:  autocert.DirCache(*autoCertDirFlag),
		Prompt: autocert.AcceptTOS,
	}
	if *autoCertHostFlag != "" {
		autocertManager.HostPolicy = autocert.HostWhitelist(*autoCertHostFlag)
	}
}

func runHTTPSAutocert(h http.Handler) error {
	srv := &http.Server{
		Handler: h,
		TLSConfig: &tls.Config{
			GetCertificate: autocertManager.GetCertificate,
		},
		IdleTimeout: 60 * time.Second,
	}
	http2.ConfigureServer(srv, &http2.Server{})
	ln, err := net.Listen("tcp", ":443")
	if err != nil {
		return err
	}
	return srv.Serve(tls.NewListener(tcpKeepAliveListener{ln.(*net.TCPListener)}, srv.TLSConfig))
}

func wrapHTTPMuxAutocert(h http.Handler) http.Handler {
	return autocertManager.HTTPHandler(h)
}

// tcpKeepAliveListener sets TCP keep-alive timeouts on accepted
// connections. It's used by ListenAndServe and ListenAndServeTLS so
// dead TCP connections (e.g. closing laptop mid-download) eventually
// go away.
type tcpKeepAliveListener struct {
	*net.TCPListener
}

func (ln tcpKeepAliveListener) Accept() (c net.Conn, err error) {
	tc, err := ln.AcceptTCP()
	if err != nil {
		return
	}
	tc.SetKeepAlive(true)
	tc.SetKeepAlivePeriod(3 * time.Minute)
	return tc, nil
}