replace listener config option IPsNATed with NATIPs, and let autotls check NATIPs

NATIPs lists the public IPs, so we can still do the DNS checks on them. With
IPsNATed, we disabled the checks.

based on feedback by kikoreis in issue #52
This commit is contained in:
Mechiel Lukkien
2023-08-11 10:13:17 +02:00
parent d7df70acd8
commit 55d05c6bea
6 changed files with 82 additions and 19 deletions


@ -272,7 +272,15 @@ func (c *Config) allowACMEHosts(checkACMEHosts bool) {
}
}
m.SetAllowedHostnames(dns.StrictResolver{Pkg: "autotls"}, hostnames, c.Static.Listeners["public"].IPs, checkACMEHosts)
public := c.Static.Listeners["public"]
ips := public.IPs
if len(public.NATIPs) > 0 {
ips = public.NATIPs
}
if public.IPsNATed {
ips = nil
}
m.SetAllowedHostnames(dns.StrictResolver{Pkg: "autotls"}, hostnames, ips, checkACMEHosts)
}
}
@ -629,6 +637,17 @@ func PrepareStaticConfig(ctx context.Context, configFile string, conf *Config, c
}
l.SMTP.DNSBLZones = append(l.SMTP.DNSBLZones, d)
}
if l.IPsNATed && len(l.NATIPs) > 0 {
addErrorf("listener %q has both IPsNATed and NATIPs (remove deprecated IPsNATed)", name)
}
for _, ipstr := range l.NATIPs {
ip := net.ParseIP(ipstr)
if ip == nil {
addErrorf("listener %q has invalid ip %q", name, ipstr)
} else if ip.IsUnspecified() || ip.IsLoopback() {
addErrorf("listener %q has NAT ip that is the unspecified or loopback address %s", name, ipstr)
}
}
checkPath := func(kind string, enabled bool, path string) {
if enabled && path != "" && !strings.HasPrefix(path, "/") {
addErrorf("listener %q has %s with path %q that must start with a slash", name, kind, path)
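Review bot: The NATIPs validation in the second hunk (`if ip == nil` / `else if ip.IsUnspecified() || ip.IsLoopback()`) only rejects the unspecified and loopback addresses, yet the commit description presents NATIPs as the public IPs that autotls compares DNS answers against, so an RFC 1918, link-local or multicast entry would pass config validation and presumably only surface later as a failing hostname check. Since Go 1.17 net.IP has `IsPrivate()`, so the condition could read `} else if ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsMulticast() {` with the message `"listener %q has NAT ip %q that is not a public unicast address"` — unless split-horizon setups are meant to be supported, in which case a comment stating that would help the next reader. The existing message also formats the address with `%s` while every sibling addErrorf in the hunk quotes values with `%q`; `%q` is the consistent choice and shows an empty or whitespace-padded entry. The enclosing loop over listeners, which supplies `name` and `l`, and PrepareStaticConfig itself begin outside the hunk.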