improve http request handling for internal services and multiple domains

per listener, you could enable the admin/account/webmail/webapi handlers. but
that would serve those services on their configured paths (/admin/, /,
/webmail/, /webapi/) on all domains mox would be webserving, including any
non-mail domains. so your www.example/admin/ would be serving the admin web
interface, with no way to disable that.

with this change, the admin interface is only served on requests to (based on
Host header):
- ip addresses
- the listener host name (explicitly configured in the listener, with fallback
  to global hostname)
- "localhost" (for ssh tunnel/forwarding scenarios)

the account/webmail/webapi interfaces are served on the same domains as the
admin interface, and additionally:
- the client settings domains, as optionally configured in each Domain in
  domains.conf. typically "mail.<yourdomain>".

this means the internal services are no longer served on other domains
configured in the webserver, e.g. www.example.org/admin/ will not be handled
specially.

the order of evaluation of routes/services is also changed:
before this change, the internal handlers would always be evaluated first.
with this change, only the system handlers for
MTA-STS/autoconfig/ACME-validation will be evaluated first. then the webserver
handlers. and finally the internal services (admin/account/webmail/webapi).
this allows an admin to configure overrides for some of the domains (per
hostname-matching rules explained above) that would normally serve these
services.

webserver handlers can now be configured that pass the request to an internal
service: in addition to the existing static/redirect/forward config options,
there is now an "internal" config option, naming the service
(admin/account/webmail/webapi) for handling the request. this allows enabling
the internal services on custom domains.

for issue #160 by TragicLifeHu, thanks for reporting!
Mechiel Lukkien
2024-05-11 11:13:14 +02:00
parent 9152384fd3
commit 614576e409
20 changed files with 746 additions and 350 deletions


@ -172,7 +172,10 @@ See https://pkg.go.dev/github.com/mjl-/sconf for details.
# NATed. Skips IP-related DNS self-checks. (optional)
IPsNATed: false
# If empty, the config global Hostname is used. (optional)
# If empty, the config global Hostname is used. The internal services webadmin,
# webaccount, webmail and webapi only match requests to IPs, this hostname,
# "localhost". All except webadmin also match for any client settings domain.
# (optional)
Hostname:
# For SMTP/IMAP STARTTLS, direct TLS and HTTPS connections. (optional)
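Review bot: the new Hostname comment is missing a conjunction in its list; "only match requests to IPs, this hostname, "localhost"." reads as an unfinished enumeration. Suggest `# webaccount, webmail and webapi only match requests to IPs, this hostname and "localhost".` Since the commit message says this matching is done on the request's Host header, it would also help to say so here, so operators fronting mox with a reverse proxy know the original Host header must reach mox for these services to be reachable.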
@ -303,7 +306,8 @@ See https://pkg.go.dev/github.com/mjl-/sconf for details.
AccountHTTP:
Enabled: false
# Default 80 for HTTP and 443 for HTTPS. (optional)
# Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname
# matching behaviour. (optional)
Port: 0
# Path to serve requests on. (optional)
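Review bot: the cross-reference "See Hostname at Listener for hostname matching behaviour" is attached to the Port field's comment, where it is unrelated to the port and easy to miss; it reads better on the Enabled field or as part of the AccountHTTP block description. The same placement is repeated verbatim in the following seven hunks (AccountHTTPS, AdminHTTP, AdminHTTPS, WebmailHTTP, WebmailHTTPS, WebAPIHTTP, WebAPIHTTPS), so whatever wording and placement is chosen should be applied consistently to all of them.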
@ -318,7 +322,8 @@ See https://pkg.go.dev/github.com/mjl-/sconf for details.
AccountHTTPS:
Enabled: false
# Default 80 for HTTP and 443 for HTTPS. (optional)
# Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname
# matching behaviour. (optional)
Port: 0
# Path to serve requests on. (optional)
@ -336,7 +341,8 @@ See https://pkg.go.dev/github.com/mjl-/sconf for details.
AdminHTTP:
Enabled: false
# Default 80 for HTTP and 443 for HTTPS. (optional)
# Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname
# matching behaviour. (optional)
Port: 0
# Path to serve requests on. (optional)
@ -351,7 +357,8 @@ See https://pkg.go.dev/github.com/mjl-/sconf for details.
AdminHTTPS:
Enabled: false
# Default 80 for HTTP and 443 for HTTPS. (optional)
# Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname
# matching behaviour. (optional)
Port: 0
# Path to serve requests on. (optional)
@ -365,7 +372,8 @@ See https://pkg.go.dev/github.com/mjl-/sconf for details.
WebmailHTTP:
Enabled: false
# Default 80 for HTTP and 443 for HTTPS. (optional)
# Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname
# matching behaviour. (optional)
Port: 0
# Path to serve requests on. (optional)
@ -380,7 +388,8 @@ See https://pkg.go.dev/github.com/mjl-/sconf for details.
WebmailHTTPS:
Enabled: false
# Default 80 for HTTP and 443 for HTTPS. (optional)
# Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname
# matching behaviour. (optional)
Port: 0
# Path to serve requests on. (optional)
@ -394,7 +403,8 @@ See https://pkg.go.dev/github.com/mjl-/sconf for details.
WebAPIHTTP:
Enabled: false
# Default 80 for HTTP and 443 for HTTPS. (optional)
# Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname
# matching behaviour. (optional)
Port: 0
# Path to serve requests on. (optional)
@ -409,7 +419,8 @@ See https://pkg.go.dev/github.com/mjl-/sconf for details.
WebAPIHTTPS:
Enabled: false
# Default 80 for HTTP and 443 for HTTPS. (optional)
# Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname
# matching behaviour. (optional)
Port: 0
# Path to serve requests on. (optional)
@ -1225,12 +1236,15 @@ See https://pkg.go.dev/github.com/mjl-/sconf for details.
WebDomainRedirects:
x:
# Handle webserver requests by serving static files, redirecting or
# reverse-proxying HTTP(s). The first matching WebHandler will handle the request.
# Built-in handlers, e.g. for account, admin, autoconfig and mta-sts always run
# first. If no handler matches, the response status code is file not found (404).
# If functionality you need is missng, simply forward the requests to an
# application that can provide the needed functionality. (optional)
# Handle webserver requests by serving static files, redirecting, reverse-proxying
# HTTP(s) or passing the request to an internal service. The first matching
# WebHandler will handle the request. Built-in system handlers, e.g. for ACME
# validation, autoconfig and mta-sts always run first. Built-in handlers for
# admin, account, webmail and webapi are evaluated after all handlers, including
# webhandlers (allowing for overrides of internal services for some domains). If
# no handler matches, the response status code is file not found (404). If
# webserver features are missing, forward the requests to an application that
# provides the needed functionality itself. (optional)
WebHandlers:
-
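Review bot: "are evaluated after all handlers, including webhandlers" is redundant (the WebHandlers are the handlers being described) and the practical consequence is left implicit: a WebHandler whose Domain is the listener hostname or a client settings domain and whose PathRegexp covers /admin/, /webmail/ etc. now takes precedence over the internal service, which is the intended override but also happens silently for a catch-all such as `PathRegexp: ^/` on that domain. Suggest `# Built-in handlers for admin, account, webmail and webapi are evaluated after the WebHandlers below, so a WebHandler matching the listener hostname or a client settings domain overrides them; check existing catch-all handlers on those domains.`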
@ -1238,7 +1252,7 @@ See https://pkg.go.dev/github.com/mjl-/sconf for details.
LogName:
# Both Domain and PathRegexp must match for this WebHandler to match a request.
# Exactly one of WebStatic, WebRedirect, WebForward must be set.
# Exactly one of WebStatic, WebRedirect, WebForward, WebInternal must be set.
Domain:
# Regular expression matched against request path, must always start with ^ to
@ -1345,6 +1359,15 @@ See https://pkg.go.dev/github.com/mjl-/sconf for details.
ResponseHeaders:
x:
# Pass request to internal service, like webmail, webapi, etc. (optional)
WebInternal:
# Path to use as root of internal service, e.g. /webmail/.
BasePath:
# Name of the service, values: admin, account, webmail, webapi.
Service:
# Routes for delivering outgoing messages through the queue. Each delivery attempt
# evaluates account routes, domain routes and finally these global routes. The
# transport of the first matching route is used in the delivery attempt. If no
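Review bot: the WebInternal documentation leaves the constraints on BasePath unstated: whether it must begin and end with "/", whether it is stripped before the request reaches the service, and how it must agree with the handler's PathRegexp (both Domain and PathRegexp must match before this handler is reached, so a BasePath of /webmail/ with a PathRegexp that does not cover that prefix would never see a request). Suggest extending the comment, e.g. `# Path to use as root of internal service, e.g. /webmail/. Requests are only passed on if they also match PathRegexp.` and stating for Service that the value is required (the surrounding fields mark optional ones explicitly).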