Switch to HTTPS using a self-signed certificate

This commit is contained in:
Moritz Marquardt 2021-07-09 01:15:42 +02:00
parent 373c13baee
commit 13b386d442
No known key found for this signature in database
GPG key ID: D5788327BEE388B6
2 changed files with 35 additions and 6 deletions


@ -1,15 +1,46 @@
package main package main
import ( import (
"crypto/rand"
"crypto/rsa"
"crypto/tls" "crypto/tls"
"fmt" "crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"math/big"
"strings"
"time"
) )
var fallbackCertKey, _ = rsa.GenerateKey(rand.Reader, 1024)
var fallbackCertSpecification = &x509.Certificate{
Subject: pkix.Name{
CommonName: strings.TrimPrefix(string(MainDomainSuffix), "."),
},
SerialNumber: big.NewInt(0),
NotBefore: time.Now(),
NotAfter: time.Now().AddDate(100, 0, 0),
}
var fallbackCertBytes, _ = x509.CreateCertificate(
rand.Reader,
fallbackCertSpecification,
fallbackCertSpecification,
fallbackCertKey.Public(),
fallbackCertKey,
)
var fallbackCert, _ = tls.X509KeyPair(pem.EncodeToMemory(&pem.Block{
Bytes: fallbackCertBytes,
Type: "CERTIFICATE",
}), pem.EncodeToMemory(&pem.Block{
Bytes: x509.MarshalPKCS1PrivateKey(fallbackCertKey),
Type: "RSA PRIVATE KEY",
}))
// tlsConfig contains the configuration for generating, serving and cleaning up Let's Encrypt certificates. // tlsConfig contains the configuration for generating, serving and cleaning up Let's Encrypt certificates.
var tlsConfig = &tls.Config{ var tlsConfig = &tls.Config{
GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) { GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
// TODO: check DNS name & get certificate from Let's Encrypt // TODO: check DNS name & get certificate from Let's Encrypt
return nil, fmt.Errorf("NYI") return &fallbackCert, nil
}, },
PreferServerCipherSuites: true, PreferServerCipherSuites: true,
// TODO: optimize cipher suites, minimum TLS version, etc. // TODO: optimize cipher suites, minimum TLS version, etc.
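Review bot: The errors from rsa.GenerateKey, x509.CreateCertificate and tls.X509KeyPair are all discarded with `_` in the three package-level `var fallbackCert…, _ =` initialisers, so if any step fails the process still starts with a zero-valued fallbackCert and every handshake then fails at runtime with nothing pointing at the cause. A 1024-bit RSA key is also below the 2048-bit floor most current TLS clients and policies require, and `SerialNumber: big.NewInt(0)` does not satisfy RFC 5280's requirement that the serial be a positive integer. I would move the generation into a function that returns an error, have main assign its result to fallbackCert and exit on failure, and give the certificate a random serial and explicit key usages, as below. The TODO on the last context line about the minimum TLS version could be closed at the same time with `MinVersion: tls.VersionTLS12,` in tlsConfig.
```go
// newFallbackCert builds the self-signed certificate served when no
// Let's Encrypt certificate is available. Callers should treat an error
// as fatal at startup rather than serving a zero-valued certificate.
func newFallbackCert() (tls.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, err
	}
	// RFC 5280 requires a positive serial; a random 128-bit value also keeps it unique across restarts.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return tls.Certificate{}, err
	}
	spec := &x509.Certificate{
		Subject: pkix.Name{
			CommonName: strings.TrimPrefix(string(MainDomainSuffix), "."),
		},
		SerialNumber: serial,
		NotBefore:    time.Now(),
		NotAfter:     time.Now().AddDate(100, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, spec, spec, key.Public(), key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.X509KeyPair(
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}),
	)
}
// … unchanged: tlsConfig, whose GetCertificate keeps returning &fallbackCert …
```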


@ -80,7 +80,7 @@ func main() {
// Use HOST and PORT environment variables to determine listening address // Use HOST and PORT environment variables to determine listening address
address := fmt.Sprintf("%s:%s", envOr("HOST", "[::]"), envOr("PORT", "80")) address := fmt.Sprintf("%s:%s", envOr("HOST", "[::]"), envOr("PORT", "80"))
fmt.Printf("Listening on http://%s\n", address) fmt.Printf("Listening on https://%s\n", address)
// Enable compression by wrapping the handler() method with the compression function provided by FastHTTP // Enable compression by wrapping the handler() method with the compression function provided by FastHTTP
compressedHandler := fasthttp.CompressHandlerBrotliLevel(handler, fasthttp.CompressBrotliBestSpeed, fasthttp.CompressBestSpeed) compressedHandler := fasthttp.CompressHandlerBrotliLevel(handler, fasthttp.CompressBrotliBestSpeed, fasthttp.CompressBestSpeed)
@ -91,9 +91,7 @@ func main() {
fmt.Printf("Couldn't create listener: %s\n", err) fmt.Printf("Couldn't create listener: %s\n", err)
os.Exit(1) os.Exit(1)
} }
if envOr("LETS_ENCRYPT", "0") == "1" { listener = tls.NewListener(listener, tlsConfig)
tls.NewListener(listener, tlsConfig)
}
// Start the web server // Start the web server
err = (&fasthttp.Server{ err = (&fasthttp.Server{
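Review bot: The listener is now always wrapped with tls.NewListener in the second hunk, but the default port in the first hunk is still `envOr("PORT", "80")` while the banner on the next line now prints `https://`, so an unconfigured deployment serves TLS on port 80. If HTTPS is unconditional, the default should follow: `address := fmt.Sprintf("%s:%s", envOr("HOST", "[::]"), envOr("PORT", "443"))`. The enclosing `main` begins before the first hunk and continues past the second.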