diff --git a/README.md b/README.md
index c578c13..ccbfe2a 100644
--- a/README.md
+++ b/README.md
@@ -37,7 +37,7 @@ For convenience, requests with the trailing `/` and without regex groups expande
 The host substitution is supported in the destination URL. For example, `/files/${host}` will be replaced with the matched host name. `$host` (without braces) can also be used.
-Both HTTP and HTTPS supported. For HTTPS, static certificate can be used as well as automated ACME (Let's Encrypt) certificates. Optional assets server can be used to serve static files. Starting reproxy requires at least one provider defined. The rest of parameters are strictly optional and have sane default.
+Both HTTP and HTTPS supported. For HTTPS, static certificate can be used as well as automated ACME (Let's Encrypt or compatible) certificates. Optional assets server can be used to serve static files. Starting reproxy requires at least one provider defined. The rest of parameters are strictly optional and have sane default.
 Examples:
@@ -383,6 +383,7 @@ ssl:
 --ssl.cert= path to cert.pem file [$SSL_CERT]
 --ssl.key= path to key.pem file [$SSL_KEY]
 --ssl.acme-location= dir where certificates will be stored by autocert manager (default: ./var/acme) [$SSL_ACME_LOCATION]
+ --ssl.acme-directory= acme directory url [$SSL_ACME_DITRCTORY]
 --ssl.acme-email= admin email for certificate notifications [$SSL_ACME_EMAIL]
 --ssl.http-port= http port for redirect to https and acme challenge test (default: 8080 under docker, 80 without) [$SSL_HTTP_PORT]
 --ssl.fqdn= FQDN(s) for ACME certificates [$SSL_ACME_FQDN]
diff --git a/app/main.go b/app/main.go
index 8b803b9..987d5d5 100644
--- a/app/main.go
+++ b/app/main.go
@@ -43,6 +43,7 @@ var opts struct {
 Type string `long:"type" env:"TYPE" description:"ssl (auto) support" choice:"none" choice:"static" choice:"auto" default:"none"` // nolint
 Cert string `long:"cert" env:"CERT" description:"path to cert.pem file"`
 Key string `long:"key" env:"KEY" description:"path to key.pem file"`
+ ACMEDirectoru string `long:"acme-directory" env:"ACME_DITRCTORY" description:"acme directory url"`
 ACMELocation string `long:"acme-location" env:"ACME_LOCATION" description:"dir where certificates will be stored by autocert manager" default:"./var/acme"`
 ACMEEmail string `long:"acme-email" env:"ACME_EMAIL" description:"admin email for certificate notifications"`
 RedirHTTPPort int `long:"http-port" env:"HTTP_PORT" description:"http port for redirect to https and acme challenge test (default: 8080 under docker, 80 without)"`
diff --git a/app/proxy/ssl.go b/app/proxy/ssl.go
index ecc1304..77b806d 100644
--- a/app/proxy/ssl.go
+++ b/app/proxy/ssl.go
@@ -6,6 +6,8 @@ import (
 "net/http"
 "strings"
+ "golang.org/x/crypto/acme"
+
 log "github.com/go-pkgz/lgr"
 "golang.org/x/crypto/acme/autocert"
@@ -31,6 +33,7 @@ type SSLConfig struct {
 SSLMode sslMode
 Cert string
 Key string
+ ACMEDirectory string
 ACMELocation string
 ACMEEmail string
 FQDNs []string
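Review bot: The new field `ACMEDirectoru` and its tag `env:"ACME_DITRCTORY"` are both misspelled, and the environment variable name is a user-facing contract that is awkward to change once released, so rename the field to `ACMEDirectory` and the tag to `env:"ACME_DIRECTORY"` before this merges. The README hunk in the same commit documents the matching misspelled `$SSL_ACME_DITRCTORY` and should be corrected with it. The description could also say what an empty value does, e.g. `description:"acme directory url (empty: autocert default)"`, since that is how the ssl.go side treats it. The enclosing `var opts struct` starts and ends outside the hunk, so the place where this field is copied into `SSLConfig` is not visible here and will need the rename too.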
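Review bot: `ACMEDirectory` is added to `SSLConfig` without a comment, and nothing in the struct says what an empty value means; the makeAutocertManager hunk further down falls back to `autocert.DefaultACMEDirectory` when it is empty, so I would document that here: `ACMEDirectory string // ACME directory URL; empty selects autocert.DefaultACMEDirectory`. The value is handed to `acme.Client.DirectoryURL` as-is, so a typo or a plain-http URL presumably only surfaces when the first certificate is requested; a `url.Parse` check requiring an `https` scheme where `SSLConfig` is populated (not in this diff) would reject it at startup instead. Because the directory decides which CA issues certificates for the listed FQDNs, and the manager accepts that CA's terms automatically via `autocert.AcceptTOS`, a non-default directory is worth logging at INFO rather than DEBUG.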
@@ -65,9 +68,19 @@ func (h *Http) redirectHandler() http.Handler {
 }
 func (h *Http) makeAutocertManager() *autocert.Manager {
- log.Printf("[DEBUG] autocert manager for domains: %+v, location: %s, email: %q",
- h.SSLConfig.FQDNs, h.SSLConfig.ACMELocation, h.SSLConfig.ACMEEmail)
+ acmeDirectory := autocert.DefaultACMEDirectory
+ if h.SSLConfig.ACMEDirectory != "" {
+ acmeDirectory = h.SSLConfig.ACMEDirectory
+ }
+
+ log.Printf("[DEBUG] autocert manager for domains: %+v, acmeDirectory: %s, location: %s, email: %q",
+ h.SSLConfig.FQDNs, acmeDirectory, h.SSLConfig.ACMELocation, h.SSLConfig.ACMEEmail)
+
 return &autocert.Manager{
+ Client: &acme.Client{
+ DirectoryURL: acmeDirectory,
+ },
+ Prompt: autocert.AcceptTOS,
 Cache: autocert.DirCache(h.SSLConfig.ACMELocation),
 HostPolicy: autocert.HostWhitelist(h.SSLConfig.FQDNs...),