dalbodeule/hop-gate
1
0
Fork 0
mirror of https://github.com/dalbodeule/hop-gate.git synced 2025-12-08 04:45:43 +09:00
Code Issues Packages Projects Releases Wiki Activity

[feat] add ACME-based certificate management using go-acme/lego

Browse Source 
- Introduced a new `legoManager` for managing per-domain TLS certificates.
- Implemented ACME HTTP-01 challenge handling with a configurable webroot directory.
- Created `NewLegoManagerFromEnv` to initialize ACME settings from environment variables.
- Added `verifyDomainsResolve` to validate domain DNS resolutions.
- Updated `.gitignore` to include ACME cache and webroot directories.
- Updated `go.mod` and `go.sum` with new dependencies, including `go-acme/lego`.
This commit is contained in:
dalbodeule
2025-11-27 01:23:12 +09:00
parent 694b0feaae
commit 0f32593ea5
10 changed files with 1204 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files

518
internal/acme/acme.go
View File

@@ -1,15 +1,107 @@
package acme
import "crypto/tls"
import (
"context"
"crypto"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/tls"
"crypto/x509"
"encoding/json"
"errors"
"fmt"
"net"
"os"
"path/filepath"
"strings"
"time"
// Manager 는 ACME 기반 인증서 관리를 추상화합니다.
"github.com/dalbodeule/hop-gate/internal/logging"
webroot2 "github.com/go-acme/lego/v4/providers/http/webroot"
"github.com/go-acme/lego/v4/certcrypto"
"github.com/go-acme/lego/v4/certificate"
"github.com/go-acme/lego/v4/lego"
"github.com/go-acme/lego/v4/registration"
)
// Manager 는 ACME 기반 인증서 관리를 추상화합니다. (ko)
// Manager abstracts ACME-based certificate management. (en)
type Manager interface {
// TLSConfig 는 HTTPS 및 DTLS 서버에 주입할 tls.Config 를 반환합니다.
// TLSConfig 는 HTTPS 및 DTLS 서버에 주입할 tls.Config 를 반환합니다. (ko)
// TLSConfig returns a tls.Config to be used by HTTPS and DTLS servers. (en)
TLSConfig() *tls.Config
}
// NewDummyManager 는 초기 개발 단계를 위한 더미 구현입니다.
// 실제 ACME 연동 전까지 self-signed 등의 임시 인증서를 제공하도록 확장할 수 있습니다.
// legoManager 는 go-acme/lego 를 사용해 도메인별 TLS 인증서를 관리합니다. (ko)
// legoManager manages per-domain TLS certificates using go-acme/lego. (en)
type legoManager struct {
cacheDir string
domains []string
logger logging.Logger
tlsConfig *tls.Config
}
func (m *legoManager) TLSConfig() *tls.Config {
return m.tlsConfig
}
// getCertificate 는 ClientHello 의 SNI 를 기반으로 디스크에서 최신 인증서를 로드합니다. (ko)
// getCertificate loads the latest certificate from disk based on the SNI in ClientHello. (en)
func (m *legoManager) getCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
domain := strings.ToLower(strings.TrimSpace(hello.ServerName))
if domain == "" && len(m.domains) > 0 {
// SNI 가 비어있으면 첫 번째 도메인으로 fallback. (ko)
// If SNI is empty, fall back to the first configured domain. (en)
domain = m.domains[0]
}
if domain == "" {
return nil, fmt.Errorf("no server name (SNI) provided and no default domain configured")
}
// 정규화된 도메인을 기준으로 cert/key 경로 구성. (ko)
// Build cert/key paths based on normalized domain. (en)
certPath := filepath.Join(m.cacheDir, domain+".crt")
keyPath := filepath.Join(m.cacheDir, domain+".key")
cert, err := tls.LoadX509KeyPair(certPath, keyPath)
if err != nil {
m.logger.Error("failed to load certificate for domain", logging.Fields{
"domain": domain,
"cert_path": certPath,
"key_path": keyPath,
"error": err.Error(),
})
// 도메인이 리스트에 있고, 첫 번째 도메인과 다르면 첫 번째 도메인으로 한 번 더 시도. (ko)
// If this is not the first domain, attempt to fall back to the first domain. (en)
if len(m.domains) > 0 && domain != m.domains[0] {
fallback := m.domains[0]
fCertPath := filepath.Join(m.cacheDir, fallback+".crt")
fKeyPath := filepath.Join(m.cacheDir, fallback+".key")
fCert, fErr := tls.LoadX509KeyPair(fCertPath, fKeyPath)
if fErr == nil {
m.logger.Warn("falling back to default certificate for domain", logging.Fields{
"requested_domain": domain,
"fallback_domain": fallback,
})
return &fCert, nil
}
m.logger.Error("failed to load fallback certificate", logging.Fields{
"fallback_domain": fallback,
"cert_path": fCertPath,
"key_path": fKeyPath,
"error": fErr.Error(),
})
}
return nil, err
}
return &cert, nil
}
// NewDummyManager 는 초기 개발 단계를 위한 더미 구현입니다. (ko)
// NewDummyManager is a placeholder manager for early development. (en)
func NewDummyManager() Manager {
return &dummyManager{}
}
@@ -17,6 +109,420 @@ func NewDummyManager() Manager {
type dummyManager struct{}
func (d *dummyManager) TLSConfig() *tls.Config {
// TODO: 실제 인증서 로딩/ACME 연동 구현
return &tls.Config{}
}
// legoUser implements lego.User.
type legoUser struct {
Email string `json:"email"`
Registration *registration.Resource `json:"registration,omitempty"`
KeyPEM []byte `json:"key_pem,omitempty"`
key crypto.PrivateKey // not marshaled, derived from KeyPEM
}
func (u *legoUser) GetEmail() string {
return u.Email
}
func (u *legoUser) GetRegistration() *registration.Resource {
return u.Registration
}
func (u *legoUser) GetPrivateKey() crypto.PrivateKey {
return u.key
}
// NewLegoManagerFromEnv 는 환경변수와 도메인 목록을 기반으로 lego 기반 ACME 매니저를 생성합니다. (ko)
// NewLegoManagerFromEnv creates an ACME manager based on environment variables and a list of domains. (en)
//
// Required env:
// - HOP_ACME_EMAIL : account email for Let's Encrypt
// - HOP_ACME_CACHE_DIR : directory to store certificates and lego account data
//
// Optional env:
// - HOP_ACME_CA_DIR : ACME directory URL (default: Let's Encrypt production)
// - HOP_ACME_USE_STAGING : if true, use Let's Encrypt staging CA instead of production
// - HOP_ACME_EXPECT_IPS : comma-separated list of IPs that domains must resolve to (via 1.1.1.1 DNS)
func NewLegoManagerFromEnv(ctx context.Context, logger logging.Logger, domains []string) (Manager, error) {
email := strings.TrimSpace(os.Getenv("HOP_ACME_EMAIL"))
cacheDir := strings.TrimSpace(os.Getenv("HOP_ACME_CACHE_DIR"))
caDir := strings.TrimSpace(os.Getenv("HOP_ACME_CA_DIR"))
useStaging := getEnvBool("HOP_ACME_USE_STAGING", false)
expectedIPs := parseCSVEnv("HOP_ACME_EXPECT_IPS")
if email == "" {
return nil, fmt.Errorf("HOP_ACME_EMAIL is required")
}
if cacheDir == "" {
return nil, fmt.Errorf("HOP_ACME_CACHE_DIR is required")
}
if caDir == "" {
if useStaging {
caDir = lego.LEDirectoryStaging
} else {
caDir = lego.LEDirectoryProduction
}
}
if len(domains) == 0 {
return nil, fmt.Errorf("at least one domain is required for ACME")
}
// Normalize and deduplicate domain list.
domainSet := make(map[string]struct{})
for _, d := range domains {
d = strings.TrimSpace(strings.ToLower(d))
if d == "" {
continue
}
domainSet[d] = struct{}{}
}
if len(domainSet) == 0 {
return nil, fmt.Errorf("no valid domains after normalization")
}
var uniqDomains []string
for d := range domainSet {
uniqDomains = append(uniqDomains, d)
}
logger.Info("acme lego manager initializing", logging.Fields{
"email": email,
"cache_dir": cacheDir,
"ca_dir": caDir,
"use_staging": useStaging,
"domains": uniqDomains,
})
if err := os.MkdirAll(cacheDir, 0o700); err != nil {
return nil, fmt.Errorf("create acme cache dir: %w", err)
}
// 1. DNS 확인: 1.1.1.1 DNS를 사용해 도메인이 예상 IP에 연결되어 있는지 체크. (ko)
// 1. DNS check: use 1.1.1.1 resolver to ensure domains resolve to expected IPs. (en)
if err := verifyDomainsResolve(ctx, logger, uniqDomains, expectedIPs); err != nil {
return nil, err
}
// 2. lego user 로드/생성. (ko)
// 2. Load or create lego user. (en)
user, err := loadOrCreateUser(cacheDir, email)
if err != nil {
return nil, fmt.Errorf("load/create lego user: %w", err)
}
// 3. lego config & client 생성. (ko)
// 3. Build lego config & client. (en)
cfg := lego.NewConfig(user)
cfg.CADirURL = caDir
cfg.Certificate = lego.CertificateConfig{
KeyType: certKeyType(),
}
client, err := lego.NewClient(cfg)
if err != nil {
return nil, fmt.Errorf("new lego client: %w", err)
}
// Account registration (if not yet registered).
if user.Registration == nil {
reg, err := client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
if err != nil {
return nil, fmt.Errorf("lego registration: %w", err)
}
user.Registration = reg
if err := saveUser(cacheDir, user); err != nil {
return nil, fmt.Errorf("save lego user after registration: %w", err)
}
}
// 4. HTTP-01 챌린지 프로바이더 설정 (webroot 방식). (ko)
// 4. Configure HTTP-01 challenge provider using webroot. (en)
//
// go-acme/lego 가 자체적으로 포트를 바인딩하지 않고,
// 지정된 디렉터리(HOP_ACME_WEBROOT)에 챌린지 파일을 생성하도록 합니다.
// 메인 HTTP 서버는 /.well-known/acme-challenge/* 요청을 이 디렉터리에서 서빙해야 합니다.
//
// Using webroot avoids lego binding its own HTTP server; instead, it writes the
// challenge files into HOP_ACME_WEBROOT and the main HTTP server must serve
// /.well-known/acme-challenge/* from that directory.
webroot := strings.TrimSpace(os.Getenv("HOP_ACME_WEBROOT"))
if webroot == "" {
return nil, fmt.Errorf("HOP_ACME_WEBROOT is required when using ACME webroot mode")
}
if err := os.MkdirAll(webroot, 0o755); err != nil {
return nil, fmt.Errorf("create acme webroot dir: %w", err)
}
provider, err := webroot2.NewHTTPProvider(webroot)
if err := client.Challenge.SetHTTP01Provider(provider); err != nil {
return nil, fmt.Errorf("set http-01 filesystem provider: %w", err)
}
// 5. 도메인별 인증서 확보/갱신 및 캐시 디렉터리에 저장. (ko)
// 5. Ensure certificates per domain and store them in cache directory. (en)
for _, domain := range uniqDomains {
if _, err := ensureCertForDomain(ctx, logger, client, cacheDir, domain); err != nil {
return nil, fmt.Errorf("ensure cert for domain %s: %w", domain, err)
}
}
// 6. tls.Config 생성 (GetCertificate 기반). (ko)
// 6. Build tls.Config using GetCertificate callback. (en)
mgr := &legoManager{
cacheDir: cacheDir,
domains: uniqDomains,
logger: logger.With(logging.Fields{"component": "acme_lego_manager"}),
}
tlsCfg := &tls.Config{
MinVersion: tls.VersionTLS12,
// 각 핸드셰이크마다 최신 인증서를 디스크에서 읽어오도록 합니다.
// Load from disk on each handshake so newly issued certificates are picked up
// without restarting the server.
GetCertificate: mgr.getCertificate,
}
mgr.tlsConfig = tlsCfg
return mgr, nil
}
// verifyDomainsResolve checks that each domain resolves via 1.1.1.1 and,
// if expectedIPs is non-empty, that at least one of the resolved IPs matches.
func verifyDomainsResolve(ctx context.Context, logger logging.Logger, domains, expectedIPs []string) error {
if ctx == nil {
ctx = context.Background()
}
resolver := &net.Resolver{
PreferGo: true,
Dial: func(ctx context.Context, network, address string) (net.Conn, error) {
d := net.Dialer{Timeout: 2 * time.Second}
return d.DialContext(ctx, "udp", "1.1.1.1:53")
},
}
expectedSet := make(map[string]struct{})
for _, ip := range expectedIPs {
ip = strings.TrimSpace(ip)
if ip == "" {
continue
}
expectedSet[ip] = struct{}{}
}
for _, domain := range domains {
ips, err := resolver.LookupHost(ctx, domain)
if err != nil {
logger.Error("acme dns resolution failed", logging.Fields{
"domain": domain,
"error": err.Error(),
})
return fmt.Errorf("dns resolution failed for %s: %w", domain, err)
}
logger.Info("acme dns resolution", logging.Fields{
"domain": domain,
"ips": ips,
})
if len(expectedSet) == 0 {
// No expected IPs configured; DNS resolution success is enough.
continue
}
match := false
for _, ip := range ips {
if _, ok := expectedSet[ip]; ok {
match = true
break
}
}
if !match {
return fmt.Errorf("dns resolution for %s did not match any expected IPs", domain)
}
}
return nil
}
// ensureCertForDomain loads an existing certificate for the domain from cacheDir,
// checks its expiration, and renews or obtains a new certificate via lego if needed.
func ensureCertForDomain(ctx context.Context, logger logging.Logger, client *lego.Client, cacheDir, domain string) (tls.Certificate, error) {
certPath := filepath.Join(cacheDir, domain+".crt")
keyPath := filepath.Join(cacheDir, domain+".key")
// Try to load an existing certificate.
if _, err := os.Stat(certPath); err == nil {
if _, err := os.Stat(keyPath); err == nil {
existing, err := tls.LoadX509KeyPair(certPath, keyPath)
if err == nil {
// Check expiration.
leaf, err := parseLeaf(&existing)
if err == nil {
// If the cert is valid for more than 30 days, reuse.
if time.Until(leaf.NotAfter) > 30*24*time.Hour {
logger.Info("using existing certificate from cache", logging.Fields{
"domain": domain,
"not_after": leaf.NotAfter,
"cache_path": certPath,
})
return existing, nil
}
logger.Info("existing certificate is close to expiry, will renew", logging.Fields{
"domain": domain,
"not_after": leaf.NotAfter,
})
}
}
}
}
// No valid certificate found; obtain a new one via ACME.
logger.Info("requesting new certificate via ACME", logging.Fields{
"domain": domain,
})
req := certificate.ObtainRequest{
Domains: []string{domain},
Bundle: true,
}
certRes, err := client.Certificate.Obtain(req)
if err != nil {
return tls.Certificate{}, fmt.Errorf("obtain certificate: %w", err)
}
if err := os.WriteFile(certPath, certRes.Certificate, 0o600); err != nil {
return tls.Certificate{}, fmt.Errorf("write cert file: %w", err)
}
if err := os.WriteFile(keyPath, certRes.PrivateKey, 0o600); err != nil {
return tls.Certificate{}, fmt.Errorf("write key file: %w", err)
}
logger.Info("stored new certificate", logging.Fields{
"domain": domain,
"cert_path": certPath,
"key_path": keyPath,
"not_after": time.Now().Add(90 * 24 * time.Hour), // approximate
})
return tls.LoadX509KeyPair(certPath, keyPath)
}
func parseLeaf(cert *tls.Certificate) (*x509.Certificate, error) {
if cert == nil || len(cert.Certificate) == 0 {
return nil, errors.New("empty certificate")
}
return x509.ParseCertificate(cert.Certificate[0])
}
// uniqueNamesFromCert returns a list of DNS names / CN from the certificate.
func uniqueNamesFromCert(cert *tls.Certificate) []string {
leaf, err := parseLeaf(cert)
if err != nil {
return nil
}
names := make(map[string]struct{})
if leaf.Subject.CommonName != "" {
names[strings.ToLower(leaf.Subject.CommonName)] = struct{}{}
}
for _, n := range leaf.DNSNames {
names[strings.ToLower(n)] = struct{}{}
}
var out []string
for n := range names {
out = append(out, n)
}
return out
}
// loadOrCreateUser loads an existing lego user from cacheDir or creates a new one.
func loadOrCreateUser(cacheDir, email string) (*legoUser, error) {
userPath := filepath.Join(cacheDir, "lego_user.json")
if data, err := os.ReadFile(userPath); err == nil {
var u legoUser
if err := json.Unmarshal(data, &u); err == nil && u.Email == email && len(u.KeyPEM) > 0 {
key, err := x509.ParseECPrivateKey(u.KeyPEM)
if err == nil {
u.key = key
return &u, nil
}
}
}
// Create new user with a new key.
priv, err := ecdsa.GenerateKey(elliptic.P256(), randReader)
if err != nil {
return nil, fmt.Errorf("generate ecdsa key: %w", err)
}
keyBytes, err := x509.MarshalECPrivateKey(priv)
if err != nil {
return nil, fmt.Errorf("marshal ecdsa key: %w", err)
}
u := &legoUser{
Email: email,
KeyPEM: keyBytes,
key: priv,
}
if err := saveUser(cacheDir, u); err != nil {
return nil, err
}
return u, nil
}
// saveUser persists the lego user to disk.
func saveUser(cacheDir string, u *legoUser) error {
userPath := filepath.Join(cacheDir, "lego_user.json")
data, err := json.MarshalIndent(u, "", " ")
if err != nil {
return fmt.Errorf("marshal lego user: %w", err)
}
if err := os.WriteFile(userPath, data, 0o600); err != nil {
return fmt.Errorf("write lego user file: %w", err)
}
return nil
}
// certKeyType returns the preferred key type for new certificates.
func certKeyType() certcrypto.KeyType {
return certcrypto.EC256
}
// randReader wraps crypto/rand.Reader so it can be swapped in tests if needed.
type randReaderType struct{}
func (randReaderType) Read(p []byte) (n int, err error) {
return rand.Read(p)
}
var randReader = randReaderType{}
// getEnvBool is a local helper to read boolean env vars.
func getEnvBool(key string, def bool) bool {
v := strings.ToLower(strings.TrimSpace(os.Getenv(key)))
if v == "" {
return def
}
switch v {
case "1", "true", "yes", "y", "on":
return true
case "0", "false", "no", "n", "off":
return false
default:
return def
}
}
// parseCSVEnv is a local helper to parse comma-separated env vars into []string.
func parseCSVEnv(key string) []string {
raw := os.Getenv(key)
if raw == "" {
return nil
}
parts := strings.Split(raw, ",")
out := make([]string, 0, len(parts))
for _, p := range parts {
p = strings.TrimSpace(p)
if p != "" {
out = append(out, p)
}
}
return out
}