mirror of
https://github.com/dalbodeule/hop-gate.git
synced 2025-12-08 04:45:43 +09:00
0f32593ea5
- Introduced a new `legoManager` for managing per-domain TLS certificates. - Implemented ACME HTTP-01 challenge handling with a configurable webroot directory. - Created `NewLegoManagerFromEnv` to initialize ACME settings from environment variables. - Added `verifyDomainsResolve` to validate domain DNS resolutions. - Updated `.gitignore` to include ACME cache and webroot directories. - Updated `go.mod` and `go.sum` with new dependencies, including `go-acme/lego`.
529 lines
16 KiB
Go
529 lines
16 KiB
Go
package acme
|
|
|
|
import (
|
|
"context"
|
|
"crypto"
|
|
"crypto/ecdsa"
|
|
"crypto/elliptic"
|
|
"crypto/rand"
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"net"
|
|
"os"
|
|
"path/filepath"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/dalbodeule/hop-gate/internal/logging"
|
|
webroot2 "github.com/go-acme/lego/v4/providers/http/webroot"
|
|
|
|
"github.com/go-acme/lego/v4/certcrypto"
|
|
"github.com/go-acme/lego/v4/certificate"
|
|
"github.com/go-acme/lego/v4/lego"
|
|
"github.com/go-acme/lego/v4/registration"
|
|
)
|
|
|
|
// Manager 는 ACME 기반 인증서 관리를 추상화합니다. (ko)
|
|
// Manager abstracts ACME-based certificate management. (en)
|
|
type Manager interface {
|
|
// TLSConfig 는 HTTPS 및 DTLS 서버에 주입할 tls.Config 를 반환합니다. (ko)
|
|
// TLSConfig returns a tls.Config to be used by HTTPS and DTLS servers. (en)
|
|
TLSConfig() *tls.Config
|
|
}
|
|
|
|
// legoManager 는 go-acme/lego 를 사용해 도메인별 TLS 인증서를 관리합니다. (ko)
|
|
// legoManager manages per-domain TLS certificates using go-acme/lego. (en)
|
|
type legoManager struct {
|
|
cacheDir string
|
|
domains []string
|
|
logger logging.Logger
|
|
tlsConfig *tls.Config
|
|
}
|
|
|
|
func (m *legoManager) TLSConfig() *tls.Config {
|
|
return m.tlsConfig
|
|
}
|
|
|
|
// getCertificate 는 ClientHello 의 SNI 를 기반으로 디스크에서 최신 인증서를 로드합니다. (ko)
|
|
// getCertificate loads the latest certificate from disk based on the SNI in ClientHello. (en)
|
|
func (m *legoManager) getCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
|
domain := strings.ToLower(strings.TrimSpace(hello.ServerName))
|
|
if domain == "" && len(m.domains) > 0 {
|
|
// SNI 가 비어있으면 첫 번째 도메인으로 fallback. (ko)
|
|
// If SNI is empty, fall back to the first configured domain. (en)
|
|
domain = m.domains[0]
|
|
}
|
|
if domain == "" {
|
|
return nil, fmt.Errorf("no server name (SNI) provided and no default domain configured")
|
|
}
|
|
|
|
// 정규화된 도메인을 기준으로 cert/key 경로 구성. (ko)
|
|
// Build cert/key paths based on normalized domain. (en)
|
|
certPath := filepath.Join(m.cacheDir, domain+".crt")
|
|
keyPath := filepath.Join(m.cacheDir, domain+".key")
|
|
|
|
cert, err := tls.LoadX509KeyPair(certPath, keyPath)
|
|
if err != nil {
|
|
m.logger.Error("failed to load certificate for domain", logging.Fields{
|
|
"domain": domain,
|
|
"cert_path": certPath,
|
|
"key_path": keyPath,
|
|
"error": err.Error(),
|
|
})
|
|
// 도메인이 리스트에 있고, 첫 번째 도메인과 다르면 첫 번째 도메인으로 한 번 더 시도. (ko)
|
|
// If this is not the first domain, attempt to fall back to the first domain. (en)
|
|
if len(m.domains) > 0 && domain != m.domains[0] {
|
|
fallback := m.domains[0]
|
|
fCertPath := filepath.Join(m.cacheDir, fallback+".crt")
|
|
fKeyPath := filepath.Join(m.cacheDir, fallback+".key")
|
|
fCert, fErr := tls.LoadX509KeyPair(fCertPath, fKeyPath)
|
|
if fErr == nil {
|
|
m.logger.Warn("falling back to default certificate for domain", logging.Fields{
|
|
"requested_domain": domain,
|
|
"fallback_domain": fallback,
|
|
})
|
|
return &fCert, nil
|
|
}
|
|
m.logger.Error("failed to load fallback certificate", logging.Fields{
|
|
"fallback_domain": fallback,
|
|
"cert_path": fCertPath,
|
|
"key_path": fKeyPath,
|
|
"error": fErr.Error(),
|
|
})
|
|
}
|
|
return nil, err
|
|
}
|
|
|
|
return &cert, nil
|
|
}
|
|
|
|
// NewDummyManager 는 초기 개발 단계를 위한 더미 구현입니다. (ko)
|
|
// NewDummyManager is a placeholder manager for early development. (en)
|
|
func NewDummyManager() Manager {
|
|
return &dummyManager{}
|
|
}
|
|
|
|
type dummyManager struct{}
|
|
|
|
func (d *dummyManager) TLSConfig() *tls.Config {
|
|
return &tls.Config{}
|
|
}
|
|
|
|
// legoUser implements lego.User.
|
|
type legoUser struct {
|
|
Email string `json:"email"`
|
|
Registration *registration.Resource `json:"registration,omitempty"`
|
|
KeyPEM []byte `json:"key_pem,omitempty"`
|
|
key crypto.PrivateKey // not marshaled, derived from KeyPEM
|
|
}
|
|
|
|
func (u *legoUser) GetEmail() string {
|
|
return u.Email
|
|
}
|
|
|
|
func (u *legoUser) GetRegistration() *registration.Resource {
|
|
return u.Registration
|
|
}
|
|
|
|
func (u *legoUser) GetPrivateKey() crypto.PrivateKey {
|
|
return u.key
|
|
}
|
|
|
|
// NewLegoManagerFromEnv 는 환경변수와 도메인 목록을 기반으로 lego 기반 ACME 매니저를 생성합니다. (ko)
|
|
// NewLegoManagerFromEnv creates an ACME manager based on environment variables and a list of domains. (en)
|
|
//
|
|
// Required env:
|
|
// - HOP_ACME_EMAIL : account email for Let's Encrypt
|
|
// - HOP_ACME_CACHE_DIR : directory to store certificates and lego account data
|
|
//
|
|
// Optional env:
|
|
// - HOP_ACME_CA_DIR : ACME directory URL (default: Let's Encrypt production)
|
|
// - HOP_ACME_USE_STAGING : if true, use Let's Encrypt staging CA instead of production
|
|
// - HOP_ACME_EXPECT_IPS : comma-separated list of IPs that domains must resolve to (via 1.1.1.1 DNS)
|
|
func NewLegoManagerFromEnv(ctx context.Context, logger logging.Logger, domains []string) (Manager, error) {
|
|
email := strings.TrimSpace(os.Getenv("HOP_ACME_EMAIL"))
|
|
cacheDir := strings.TrimSpace(os.Getenv("HOP_ACME_CACHE_DIR"))
|
|
caDir := strings.TrimSpace(os.Getenv("HOP_ACME_CA_DIR"))
|
|
useStaging := getEnvBool("HOP_ACME_USE_STAGING", false)
|
|
expectedIPs := parseCSVEnv("HOP_ACME_EXPECT_IPS")
|
|
|
|
if email == "" {
|
|
return nil, fmt.Errorf("HOP_ACME_EMAIL is required")
|
|
}
|
|
if cacheDir == "" {
|
|
return nil, fmt.Errorf("HOP_ACME_CACHE_DIR is required")
|
|
}
|
|
if caDir == "" {
|
|
if useStaging {
|
|
caDir = lego.LEDirectoryStaging
|
|
} else {
|
|
caDir = lego.LEDirectoryProduction
|
|
}
|
|
}
|
|
if len(domains) == 0 {
|
|
return nil, fmt.Errorf("at least one domain is required for ACME")
|
|
}
|
|
|
|
// Normalize and deduplicate domain list.
|
|
domainSet := make(map[string]struct{})
|
|
for _, d := range domains {
|
|
d = strings.TrimSpace(strings.ToLower(d))
|
|
if d == "" {
|
|
continue
|
|
}
|
|
domainSet[d] = struct{}{}
|
|
}
|
|
if len(domainSet) == 0 {
|
|
return nil, fmt.Errorf("no valid domains after normalization")
|
|
}
|
|
var uniqDomains []string
|
|
for d := range domainSet {
|
|
uniqDomains = append(uniqDomains, d)
|
|
}
|
|
|
|
logger.Info("acme lego manager initializing", logging.Fields{
|
|
"email": email,
|
|
"cache_dir": cacheDir,
|
|
"ca_dir": caDir,
|
|
"use_staging": useStaging,
|
|
"domains": uniqDomains,
|
|
})
|
|
|
|
if err := os.MkdirAll(cacheDir, 0o700); err != nil {
|
|
return nil, fmt.Errorf("create acme cache dir: %w", err)
|
|
}
|
|
|
|
// 1. DNS 확인: 1.1.1.1 DNS를 사용해 도메인이 예상 IP에 연결되어 있는지 체크. (ko)
|
|
// 1. DNS check: use 1.1.1.1 resolver to ensure domains resolve to expected IPs. (en)
|
|
if err := verifyDomainsResolve(ctx, logger, uniqDomains, expectedIPs); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// 2. lego user 로드/생성. (ko)
|
|
// 2. Load or create lego user. (en)
|
|
user, err := loadOrCreateUser(cacheDir, email)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("load/create lego user: %w", err)
|
|
}
|
|
|
|
// 3. lego config & client 생성. (ko)
|
|
// 3. Build lego config & client. (en)
|
|
cfg := lego.NewConfig(user)
|
|
cfg.CADirURL = caDir
|
|
cfg.Certificate = lego.CertificateConfig{
|
|
KeyType: certKeyType(),
|
|
}
|
|
|
|
client, err := lego.NewClient(cfg)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("new lego client: %w", err)
|
|
}
|
|
|
|
// Account registration (if not yet registered).
|
|
if user.Registration == nil {
|
|
reg, err := client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
|
|
if err != nil {
|
|
return nil, fmt.Errorf("lego registration: %w", err)
|
|
}
|
|
user.Registration = reg
|
|
if err := saveUser(cacheDir, user); err != nil {
|
|
return nil, fmt.Errorf("save lego user after registration: %w", err)
|
|
}
|
|
}
|
|
|
|
// 4. HTTP-01 챌린지 프로바이더 설정 (webroot 방식). (ko)
|
|
// 4. Configure HTTP-01 challenge provider using webroot. (en)
|
|
//
|
|
// go-acme/lego 가 자체적으로 포트를 바인딩하지 않고,
|
|
// 지정된 디렉터리(HOP_ACME_WEBROOT)에 챌린지 파일을 생성하도록 합니다.
|
|
// 메인 HTTP 서버는 /.well-known/acme-challenge/* 요청을 이 디렉터리에서 서빙해야 합니다.
|
|
//
|
|
// Using webroot avoids lego binding its own HTTP server; instead, it writes the
|
|
// challenge files into HOP_ACME_WEBROOT and the main HTTP server must serve
|
|
// /.well-known/acme-challenge/* from that directory.
|
|
webroot := strings.TrimSpace(os.Getenv("HOP_ACME_WEBROOT"))
|
|
if webroot == "" {
|
|
return nil, fmt.Errorf("HOP_ACME_WEBROOT is required when using ACME webroot mode")
|
|
}
|
|
if err := os.MkdirAll(webroot, 0o755); err != nil {
|
|
return nil, fmt.Errorf("create acme webroot dir: %w", err)
|
|
}
|
|
|
|
provider, err := webroot2.NewHTTPProvider(webroot)
|
|
if err := client.Challenge.SetHTTP01Provider(provider); err != nil {
|
|
return nil, fmt.Errorf("set http-01 filesystem provider: %w", err)
|
|
}
|
|
|
|
// 5. 도메인별 인증서 확보/갱신 및 캐시 디렉터리에 저장. (ko)
|
|
// 5. Ensure certificates per domain and store them in cache directory. (en)
|
|
for _, domain := range uniqDomains {
|
|
if _, err := ensureCertForDomain(ctx, logger, client, cacheDir, domain); err != nil {
|
|
return nil, fmt.Errorf("ensure cert for domain %s: %w", domain, err)
|
|
}
|
|
}
|
|
|
|
// 6. tls.Config 생성 (GetCertificate 기반). (ko)
|
|
// 6. Build tls.Config using GetCertificate callback. (en)
|
|
mgr := &legoManager{
|
|
cacheDir: cacheDir,
|
|
domains: uniqDomains,
|
|
logger: logger.With(logging.Fields{"component": "acme_lego_manager"}),
|
|
}
|
|
tlsCfg := &tls.Config{
|
|
MinVersion: tls.VersionTLS12,
|
|
// 각 핸드셰이크마다 최신 인증서를 디스크에서 읽어오도록 합니다.
|
|
// Load from disk on each handshake so newly issued certificates are picked up
|
|
// without restarting the server.
|
|
GetCertificate: mgr.getCertificate,
|
|
}
|
|
mgr.tlsConfig = tlsCfg
|
|
|
|
return mgr, nil
|
|
}
|
|
|
|
// verifyDomainsResolve checks that each domain resolves via 1.1.1.1 and,
|
|
// if expectedIPs is non-empty, that at least one of the resolved IPs matches.
|
|
func verifyDomainsResolve(ctx context.Context, logger logging.Logger, domains, expectedIPs []string) error {
|
|
if ctx == nil {
|
|
ctx = context.Background()
|
|
}
|
|
resolver := &net.Resolver{
|
|
PreferGo: true,
|
|
Dial: func(ctx context.Context, network, address string) (net.Conn, error) {
|
|
d := net.Dialer{Timeout: 2 * time.Second}
|
|
return d.DialContext(ctx, "udp", "1.1.1.1:53")
|
|
},
|
|
}
|
|
|
|
expectedSet := make(map[string]struct{})
|
|
for _, ip := range expectedIPs {
|
|
ip = strings.TrimSpace(ip)
|
|
if ip == "" {
|
|
continue
|
|
}
|
|
expectedSet[ip] = struct{}{}
|
|
}
|
|
|
|
for _, domain := range domains {
|
|
ips, err := resolver.LookupHost(ctx, domain)
|
|
if err != nil {
|
|
logger.Error("acme dns resolution failed", logging.Fields{
|
|
"domain": domain,
|
|
"error": err.Error(),
|
|
})
|
|
return fmt.Errorf("dns resolution failed for %s: %w", domain, err)
|
|
}
|
|
logger.Info("acme dns resolution", logging.Fields{
|
|
"domain": domain,
|
|
"ips": ips,
|
|
})
|
|
|
|
if len(expectedSet) == 0 {
|
|
// No expected IPs configured; DNS resolution success is enough.
|
|
continue
|
|
}
|
|
|
|
match := false
|
|
for _, ip := range ips {
|
|
if _, ok := expectedSet[ip]; ok {
|
|
match = true
|
|
break
|
|
}
|
|
}
|
|
if !match {
|
|
return fmt.Errorf("dns resolution for %s did not match any expected IPs", domain)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// ensureCertForDomain loads an existing certificate for the domain from cacheDir,
|
|
// checks its expiration, and renews or obtains a new certificate via lego if needed.
|
|
func ensureCertForDomain(ctx context.Context, logger logging.Logger, client *lego.Client, cacheDir, domain string) (tls.Certificate, error) {
|
|
certPath := filepath.Join(cacheDir, domain+".crt")
|
|
keyPath := filepath.Join(cacheDir, domain+".key")
|
|
|
|
// Try to load an existing certificate.
|
|
if _, err := os.Stat(certPath); err == nil {
|
|
if _, err := os.Stat(keyPath); err == nil {
|
|
existing, err := tls.LoadX509KeyPair(certPath, keyPath)
|
|
if err == nil {
|
|
// Check expiration.
|
|
leaf, err := parseLeaf(&existing)
|
|
if err == nil {
|
|
// If the cert is valid for more than 30 days, reuse.
|
|
if time.Until(leaf.NotAfter) > 30*24*time.Hour {
|
|
logger.Info("using existing certificate from cache", logging.Fields{
|
|
"domain": domain,
|
|
"not_after": leaf.NotAfter,
|
|
"cache_path": certPath,
|
|
})
|
|
return existing, nil
|
|
}
|
|
logger.Info("existing certificate is close to expiry, will renew", logging.Fields{
|
|
"domain": domain,
|
|
"not_after": leaf.NotAfter,
|
|
})
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
// No valid certificate found; obtain a new one via ACME.
|
|
logger.Info("requesting new certificate via ACME", logging.Fields{
|
|
"domain": domain,
|
|
})
|
|
|
|
req := certificate.ObtainRequest{
|
|
Domains: []string{domain},
|
|
Bundle: true,
|
|
}
|
|
certRes, err := client.Certificate.Obtain(req)
|
|
if err != nil {
|
|
return tls.Certificate{}, fmt.Errorf("obtain certificate: %w", err)
|
|
}
|
|
|
|
if err := os.WriteFile(certPath, certRes.Certificate, 0o600); err != nil {
|
|
return tls.Certificate{}, fmt.Errorf("write cert file: %w", err)
|
|
}
|
|
if err := os.WriteFile(keyPath, certRes.PrivateKey, 0o600); err != nil {
|
|
return tls.Certificate{}, fmt.Errorf("write key file: %w", err)
|
|
}
|
|
|
|
logger.Info("stored new certificate", logging.Fields{
|
|
"domain": domain,
|
|
"cert_path": certPath,
|
|
"key_path": keyPath,
|
|
"not_after": time.Now().Add(90 * 24 * time.Hour), // approximate
|
|
})
|
|
|
|
return tls.LoadX509KeyPair(certPath, keyPath)
|
|
}
|
|
|
|
func parseLeaf(cert *tls.Certificate) (*x509.Certificate, error) {
|
|
if cert == nil || len(cert.Certificate) == 0 {
|
|
return nil, errors.New("empty certificate")
|
|
}
|
|
return x509.ParseCertificate(cert.Certificate[0])
|
|
}
|
|
|
|
// uniqueNamesFromCert returns a list of DNS names / CN from the certificate.
|
|
func uniqueNamesFromCert(cert *tls.Certificate) []string {
|
|
leaf, err := parseLeaf(cert)
|
|
if err != nil {
|
|
return nil
|
|
}
|
|
names := make(map[string]struct{})
|
|
if leaf.Subject.CommonName != "" {
|
|
names[strings.ToLower(leaf.Subject.CommonName)] = struct{}{}
|
|
}
|
|
for _, n := range leaf.DNSNames {
|
|
names[strings.ToLower(n)] = struct{}{}
|
|
}
|
|
var out []string
|
|
for n := range names {
|
|
out = append(out, n)
|
|
}
|
|
return out
|
|
}
|
|
|
|
// loadOrCreateUser loads an existing lego user from cacheDir or creates a new one.
|
|
func loadOrCreateUser(cacheDir, email string) (*legoUser, error) {
|
|
userPath := filepath.Join(cacheDir, "lego_user.json")
|
|
|
|
if data, err := os.ReadFile(userPath); err == nil {
|
|
var u legoUser
|
|
if err := json.Unmarshal(data, &u); err == nil && u.Email == email && len(u.KeyPEM) > 0 {
|
|
key, err := x509.ParseECPrivateKey(u.KeyPEM)
|
|
if err == nil {
|
|
u.key = key
|
|
return &u, nil
|
|
}
|
|
}
|
|
}
|
|
|
|
// Create new user with a new key.
|
|
priv, err := ecdsa.GenerateKey(elliptic.P256(), randReader)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("generate ecdsa key: %w", err)
|
|
}
|
|
keyBytes, err := x509.MarshalECPrivateKey(priv)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("marshal ecdsa key: %w", err)
|
|
}
|
|
|
|
u := &legoUser{
|
|
Email: email,
|
|
KeyPEM: keyBytes,
|
|
key: priv,
|
|
}
|
|
if err := saveUser(cacheDir, u); err != nil {
|
|
return nil, err
|
|
}
|
|
return u, nil
|
|
}
|
|
|
|
// saveUser persists the lego user to disk.
|
|
func saveUser(cacheDir string, u *legoUser) error {
|
|
userPath := filepath.Join(cacheDir, "lego_user.json")
|
|
data, err := json.MarshalIndent(u, "", " ")
|
|
if err != nil {
|
|
return fmt.Errorf("marshal lego user: %w", err)
|
|
}
|
|
if err := os.WriteFile(userPath, data, 0o600); err != nil {
|
|
return fmt.Errorf("write lego user file: %w", err)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// certKeyType returns the preferred key type for new certificates.
|
|
func certKeyType() certcrypto.KeyType {
|
|
return certcrypto.EC256
|
|
}
|
|
|
|
// randReader wraps crypto/rand.Reader so it can be swapped in tests if needed.
|
|
type randReaderType struct{}
|
|
|
|
func (randReaderType) Read(p []byte) (n int, err error) {
|
|
return rand.Read(p)
|
|
}
|
|
|
|
var randReader = randReaderType{}
|
|
|
|
// getEnvBool is a local helper to read boolean env vars.
|
|
func getEnvBool(key string, def bool) bool {
|
|
v := strings.ToLower(strings.TrimSpace(os.Getenv(key)))
|
|
if v == "" {
|
|
return def
|
|
}
|
|
switch v {
|
|
case "1", "true", "yes", "y", "on":
|
|
return true
|
|
case "0", "false", "no", "n", "off":
|
|
return false
|
|
default:
|
|
return def
|
|
}
|
|
}
|
|
|
|
// parseCSVEnv is a local helper to parse comma-separated env vars into []string.
|
|
func parseCSVEnv(key string) []string {
|
|
raw := os.Getenv(key)
|
|
if raw == "" {
|
|
return nil
|
|
}
|
|
parts := strings.Split(raw, ",")
|
|
out := make([]string, 0, len(parts))
|
|
for _, p := range parts {
|
|
p = strings.TrimSpace(p)
|
|
if p != "" {
|
|
out = append(out, p)
|
|
}
|
|
}
|
|
return out
|
|
}
|