From 19b4821bc9fa3788442a10f39c8080b5ed8ae780 Mon Sep 17 00:00:00 2001
From: Dmitrii Andreev
Date: Mon, 9 Sep 2024 22:56:50 +0300
Subject: [PATCH 1/2] Update main.go and ssl.go to add support for ACME directory URL in ACME configuration

---
 app/main.go | 1 +
 app/proxy/ssl.go | 17 +++++++++++++++--
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/app/main.go b/app/main.go
index 8b803b9..987d5d5 100644
--- a/app/main.go
+++ b/app/main.go
@@ -43,6 +43,7 @@ var opts struct {
 Type string `long:"type" env:"TYPE" description:"ssl (auto) support" choice:"none" choice:"static" choice:"auto" default:"none"` // nolint
 Cert string `long:"cert" env:"CERT" description:"path to cert.pem file"`
 Key string `long:"key" env:"KEY" description:"path to key.pem file"`
+ ACMEDirectoru string `long:"acme-directory" env:"ACME_DITRCTORY" description:"acme directory url"`
 ACMELocation string `long:"acme-location" env:"ACME_LOCATION" description:"dir where certificates will be stored by autocert manager" default:"./var/acme"`
 ACMEEmail string `long:"acme-email" env:"ACME_EMAIL" description:"admin email for certificate notifications"`
 RedirHTTPPort int `long:"http-port" env:"HTTP_PORT" description:"http port for redirect to https and acme challenge test (default: 8080 under docker, 80 without)"`
diff --git a/app/proxy/ssl.go b/app/proxy/ssl.go
index ecc1304..77b806d 100644
--- a/app/proxy/ssl.go
+++ b/app/proxy/ssl.go
@@ -6,6 +6,8 @@ import (
 "net/http"
 "strings"
 
+ "golang.org/x/crypto/acme"
+
 log "github.com/go-pkgz/lgr"
 "golang.org/x/crypto/acme/autocert"
 
@@ -31,6 +33,7 @@ type SSLConfig struct {
 SSLMode sslMode
 Cert string
 Key string
+ ACMEDirectory string
 ACMELocation string
 ACMEEmail string
 FQDNs []string
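Review bot: The new option is never connected to the configuration this patch also extends: `ACMEDirectoru` is added to `opts` in the app/main.go hunk and `ACMEDirectory` to `SSLConfig` in the @@ -31 hunk of app/proxy/ssl.go, but no line in either patch assigns one to the other, so unless that wiring already exists outside these hunks the flag has no effect. The field name `ACMEDirectoru` and the env tag `ACME_DITRCTORY` look like typos, and the README hunk in the second patch documents the same misspelled variable `SSL_ACME_DITRCTORY`; env names are part of the deployment interface, so a misspelling shipped now is awkward to rename later. I'd rename the field to `ACMEDirectory` and the tag to `env:"ACME_DIRECTORY"`, and extend the description to say that an empty value means the autocert default (Let's Encrypt). The `opts` struct starts and ends outside the hunk.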
@@ -65,9 +68,19 @@ func (h *Http) redirectHandler() http.Handler {
 }
 
 func (h *Http) makeAutocertManager() *autocert.Manager {
- log.Printf("[DEBUG] autocert manager for domains: %+v, location: %s, email: %q",
- h.SSLConfig.FQDNs, h.SSLConfig.ACMELocation, h.SSLConfig.ACMEEmail)
+ acmeDirectory := autocert.DefaultACMEDirectory
+ if h.SSLConfig.ACMEDirectory != "" {
+ acmeDirectory = h.SSLConfig.ACMEDirectory
+ }
+
+ log.Printf("[DEBUG] autocert manager for domains: %+v, acmeDirectory: %s, location: %s, email: %q",
+ h.SSLConfig.FQDNs, acmeDirectory, h.SSLConfig.ACMELocation, h.SSLConfig.ACMEEmail)
+
 return &autocert.Manager{
+ Client: &acme.Client{
+ DirectoryURL: acmeDirectory,
+ },
+
 Prompt: autocert.AcceptTOS,
 Cache: autocert.DirCache(h.SSLConfig.ACMELocation),
 HostPolicy: autocert.HostWhitelist(h.SSLConfig.FQDNs...),
From fefc6b443f53b11eae883746b9cd37b24e21285a Mon Sep 17 00:00:00 2001
From: Dmitrii Andreev
Date: Mon, 9 Sep 2024 23:18:26 +0300
Subject: [PATCH 2/2] updated README.txt

---
 README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index c578c13..ccbfe2a 100644
--- a/README.md
+++ b/README.md
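Review bot: `h.SSLConfig.ACMEDirectory` is passed into `acme.Client.DirectoryURL` without any validation, and that URL decides which CA the manager registers with and requests certificates from, so a mistyped or non-https value should be rejected rather than silently used. A check such as `if u, err := url.Parse(acmeDirectory); err != nil || u.Scheme != "https" || u.Host == ""` (importing `net/url`) before the manager is built would catch this; since makeAutocertManager returns only `*autocert.Manager`, the cleaner place is wherever `SSLConfig` is populated, where the error can be returned instead of logged. Keeping the resolved directory in the DEBUG line as done here is good, because it makes an unexpected CA visible in the logs. A short comment on the `ACMEDirectory` field, `// ACMEDirectory is the ACME directory URL; empty selects autocert.DefaultACMEDirectory`, would document the fallback for readers of SSLConfig. The composite literal and makeAutocertManager's body continue past the end of the hunk.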
@@ -37,7 +37,7 @@ For convenience, requests with the trailing `/` and without regex groups expande
 The host substitution is supported in the destination URL. For example, `/files/${host}` will be replaced with the matched host name. `$host` (without braces) can also be used.
-Both HTTP and HTTPS supported. For HTTPS, static certificate can be used as well as automated ACME (Let's Encrypt) certificates. Optional assets server can be used to serve static files. Starting reproxy requires at least one provider defined. The rest of parameters are strictly optional and have sane default.
+Both HTTP and HTTPS supported. For HTTPS, static certificate can be used as well as automated ACME (Let's Encrypt or compatible) certificates. Optional assets server can be used to serve static files. Starting reproxy requires at least one provider defined. The rest of parameters are strictly optional and have sane default.
 Examples:
@@ -383,6 +383,7 @@ ssl:
 --ssl.cert= path to cert.pem file [$SSL_CERT]
 --ssl.key= path to key.pem file [$SSL_KEY]
 --ssl.acme-location= dir where certificates will be stored by autocert manager (default: ./var/acme) [$SSL_ACME_LOCATION]
+ --ssl.acme-directory= acme directory url [$SSL_ACME_DITRCTORY]
 --ssl.acme-email= admin email for certificate notifications [$SSL_ACME_EMAIL]
 --ssl.http-port= http port for redirect to https and acme challenge test (default: 8080 under docker, 80 without) [$SSL_HTTP_PORT]
 --ssl.fqdn= FQDN(s) for ACME certificates [$SSL_ACME_FQDN]