infrastructure/mox
1
0
Fork 0
mirror of https://github.com/mjl-/mox.git synced 2025-06-28 05:08:14 +03:00
Code Issues Packages Projects Releases Wiki Activity

add a handler for the acme http-01 validiation mechanism to all plain http (non-tls) webservers (ports), not only to the one listening on port 80

Browse Source 
because this mechanism is most needed behind a reverse proxy, where acme
tls-alpn-01 won't work (because the reverse proxy won't pass on the alpn
extensions). if that's the case, there is obviously a webserver on port 443.
and it likely also running on port 80. so before this change, if tls-alpn-01
isn't available, http-01 also wasn't available, leaving no validation
mechanisms.

for issue #218 by mgkirs, thanks for reporting and details. hope this helps.
This commit is contained in:
Mechiel Lukkien 2024-10-10 14:04:13 +02:00
parent 354b9f4d98
commit 0fbf24160c
No known key found for this signature in database
1 changed files with 23 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
http/web.go
View File

@ -15,6 +15,7 @@ import (
"net/http" "net/http"
"os" "os"
"path" "path"
"slices"
"sort" "sort"
"strings" "strings"
"time" "time"
@ -605,6 +606,16 @@ func portServes(l config.Listener) map[int]*serve {
return s return s
} }
// If TLS with ACME is enabled on this plain HTTP port, and it hasn't been enabled
// yet, add http-01 validation mechanism handler to server.
ensureACMEHTTP01 := func(srv *serve) {
if l.TLS != nil && l.TLS.ACME != "" && !slices.Contains(srv.Kinds, "acme-http-01") {
m := mox.Conf.Static.ACME[l.TLS.ACME].Manager
srv.Kinds = append(srv.Kinds, "acme-http-01")
srv.SystemHandle("acme-http-01", nil, "/.well-known/acme-challenge/", m.Manager.HTTPHandler(nil))
}
}
if l.TLS != nil && l.TLS.ACME != "" && (l.SMTP.Enabled && !l.SMTP.NoSTARTTLS || l.Submissions.Enabled || l.IMAPS.Enabled) { if l.TLS != nil && l.TLS.ACME != "" && (l.SMTP.Enabled && !l.SMTP.NoSTARTTLS || l.Submissions.Enabled || l.IMAPS.Enabled) {
port := config.Port(mox.Conf.Static.ACME[l.TLS.ACME].Port, 443) port := config.Port(mox.Conf.Static.ACME[l.TLS.ACME].Port, 443)
ensureServe(true, port, "acme-tls-alpn-01", false) ensureServe(true, port, "acme-tls-alpn-01", false)
@ -620,6 +631,7 @@ func portServes(l config.Listener) map[int]*serve {
handler := mox.SafeHeaders(http.StripPrefix(path[:len(path)-1], http.HandlerFunc(webaccount.Handler(path, l.AccountHTTP.Forwarded)))) handler := mox.SafeHeaders(http.StripPrefix(path[:len(path)-1], http.HandlerFunc(webaccount.Handler(path, l.AccountHTTP.Forwarded))))
srv.ServiceHandle("account", accountHostMatch, path, handler) srv.ServiceHandle("account", accountHostMatch, path, handler)
redirectToTrailingSlash(srv, accountHostMatch, "account", path) redirectToTrailingSlash(srv, accountHostMatch, "account", path)
ensureACMEHTTP01(srv)
} }
if l.AccountHTTPS.Enabled { if l.AccountHTTPS.Enabled {
port := config.Port(l.AccountHTTPS.Port, 443) port := config.Port(l.AccountHTTPS.Port, 443)
@ -643,6 +655,7 @@ func portServes(l config.Listener) map[int]*serve {
handler := mox.SafeHeaders(http.StripPrefix(path[:len(path)-1], http.HandlerFunc(webadmin.Handler(path, l.AdminHTTP.Forwarded)))) handler := mox.SafeHeaders(http.StripPrefix(path[:len(path)-1], http.HandlerFunc(webadmin.Handler(path, l.AdminHTTP.Forwarded))))
srv.ServiceHandle("admin", listenerHostMatch, path, handler) srv.ServiceHandle("admin", listenerHostMatch, path, handler)
redirectToTrailingSlash(srv, listenerHostMatch, "admin", path) redirectToTrailingSlash(srv, listenerHostMatch, "admin", path)
ensureACMEHTTP01(srv)
} }
if l.AdminHTTPS.Enabled { if l.AdminHTTPS.Enabled {
port := config.Port(l.AdminHTTPS.Port, 443) port := config.Port(l.AdminHTTPS.Port, 443)
@ -671,6 +684,7 @@ func portServes(l config.Listener) map[int]*serve {
handler := mox.SafeHeaders(http.StripPrefix(path[:len(path)-1], webapisrv.NewServer(maxMsgSize, path, l.WebAPIHTTP.Forwarded))) handler := mox.SafeHeaders(http.StripPrefix(path[:len(path)-1], webapisrv.NewServer(maxMsgSize, path, l.WebAPIHTTP.Forwarded)))
srv.ServiceHandle("webapi", accountHostMatch, path, handler) srv.ServiceHandle("webapi", accountHostMatch, path, handler)
redirectToTrailingSlash(srv, accountHostMatch, "webapi", path) redirectToTrailingSlash(srv, accountHostMatch, "webapi", path)
ensureACMEHTTP01(srv)
} }
if l.WebAPIHTTPS.Enabled { if l.WebAPIHTTPS.Enabled {
port := config.Port(l.WebAPIHTTPS.Port, 443) port := config.Port(l.WebAPIHTTPS.Port, 443)
@ -701,6 +715,7 @@ func portServes(l config.Listener) map[int]*serve {
handler := http.StripPrefix(path[:len(path)-1], http.HandlerFunc(webmail.Handler(maxMsgSize, path, l.WebmailHTTP.Forwarded, accountPath))) handler := http.StripPrefix(path[:len(path)-1], http.HandlerFunc(webmail.Handler(maxMsgSize, path, l.WebmailHTTP.Forwarded, accountPath)))
srv.ServiceHandle("webmail", accountHostMatch, path, handler) srv.ServiceHandle("webmail", accountHostMatch, path, handler)
redirectToTrailingSlash(srv, accountHostMatch, "webmail", path) redirectToTrailingSlash(srv, accountHostMatch, "webmail", path)
ensureACMEHTTP01(srv)
} }
if l.WebmailHTTPS.Enabled { if l.WebmailHTTPS.Enabled {
port := config.Port(l.WebmailHTTPS.Port, 443) port := config.Port(l.WebmailHTTPS.Port, 443)
@ -740,6 +755,9 @@ func portServes(l config.Listener) map[int]*serve {
if l.AutoconfigHTTPS.Enabled { if l.AutoconfigHTTPS.Enabled {
port := config.Port(l.AutoconfigHTTPS.Port, 443) port := config.Port(l.AutoconfigHTTPS.Port, 443)
srv := ensureServe(!l.AutoconfigHTTPS.NonTLS, port, "autoconfig-https", false) srv := ensureServe(!l.AutoconfigHTTPS.NonTLS, port, "autoconfig-https", false)
if l.AutoconfigHTTPS.NonTLS {
ensureACMEHTTP01(srv)
}
autoconfigMatch := func(ipdom dns.IPDomain) bool { autoconfigMatch := func(ipdom dns.IPDomain) bool {
dom := ipdom.Domain dom := ipdom.Domain
if dom.IsZero() { if dom.IsZero() {
@ -767,6 +785,9 @@ func portServes(l config.Listener) map[int]*serve {
if l.MTASTSHTTPS.Enabled { if l.MTASTSHTTPS.Enabled {
port := config.Port(l.MTASTSHTTPS.Port, 443) port := config.Port(l.MTASTSHTTPS.Port, 443)
srv := ensureServe(!l.MTASTSHTTPS.NonTLS, port, "mtasts-https", false) srv := ensureServe(!l.MTASTSHTTPS.NonTLS, port, "mtasts-https", false)
if l.MTASTSHTTPS.NonTLS {
ensureACMEHTTP01(srv)
}
mtastsMatch := func(ipdom dns.IPDomain) bool { mtastsMatch := func(ipdom dns.IPDomain) bool {
// todo: may want to check this against the configured domains, could in theory be just a webserver. // todo: may want to check this against the configured domains, could in theory be just a webserver.
dom := ipdom.Domain dom := ipdom.Domain
@ -791,6 +812,7 @@ func portServes(l config.Listener) map[int]*serve {
port := config.Port(l.WebserverHTTP.Port, 80) port := config.Port(l.WebserverHTTP.Port, 80)
srv := ensureServe(false, port, "webserver-http", false) srv := ensureServe(false, port, "webserver-http", false)
srv.Webserver = true srv.Webserver = true
ensureACMEHTTP01(srv)
} }
if l.WebserverHTTPS.Enabled { if l.WebserverHTTPS.Enabled {
port := config.Port(l.WebserverHTTPS.Port, 443) port := config.Port(l.WebserverHTTPS.Port, 443)
@ -799,15 +821,6 @@ func portServes(l config.Listener) map[int]*serve {
} }
if l.TLS != nil && l.TLS.ACME != "" { if l.TLS != nil && l.TLS.ACME != "" {
m := mox.Conf.Static.ACME[l.TLS.ACME].Manager
// If we are listening on port 80 for plain http, also register acme http-01
// validation handler.
if srv, ok := portServe[80]; ok && srv.TLSConfig == nil {
srv.Kinds = append(srv.Kinds, "acme-http-01")
srv.SystemHandle("acme-http-01", nil, "/.well-known/acme-challenge/", m.Manager.HTTPHandler(nil))
}
hosts := map[dns.Domain]struct{}{ hosts := map[dns.Domain]struct{}{
mox.Conf.Static.HostnameDomain: {}, mox.Conf.Static.HostnameDomain: {},
} }
@ -832,6 +845,7 @@ func portServes(l config.Listener) map[int]*serve {
} }
} }
m := mox.Conf.Static.ACME[l.TLS.ACME].Manager
ensureManagerHosts[m] = hosts ensureManagerHosts[m] = hosts
} }