Added -edge_acme_addtl_certs option for gateway

diodechain · Dec 13, 2023 · f720ab8 · f720ab8
1 parent 8b78077
commit f720ab8
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 30 deletions.
diff --git a/cmd/diode/gateway.go b/cmd/diode/gateway.go
@@ -15,12 +15,13 @@ var (
 	gatewayCmd = &command.Command{
 		Name:        "gateway",
 		HelpText:    `  Enable a public gateway server as is used by the "diode.link" website`,
-		ExampleText: `  diode gateway -httpd_port 8080 -httpsd_port 443 -secure -certpath ./cert.pem -privpath ./priv.pem`,
+		ExampleText: `  diode gateway -httpd_port 8080 -httpsd_port 443 -secure -certpath ./fullchain.pem -privpath ./privkey.pem`,
 		Run:         gatewayHandler,
 		Type:        command.DaemonCommand,
 	}
-	edgeACME      = false
-	edgeACMEEmail = ""
+	edgeACME           = false
+	edgeACMEEmail      = ""
+	edgeACMEAddtlCerts = ""
 )
 
 func init() {
@@ -35,12 +36,13 @@ func init() {
 	gatewayCmd.Flag.IntVar(&cfg.SProxyServerPort, "httpsd_port", 443, "port of httpsd server listening to")
 	gatewayCmd.Flag.StringVar(&cfg.SProxyServerPorts, "additional_ports", "", "httpsd secure server ports")
 
-	gatewayCmd.Flag.StringVar(&cfg.SProxyServerCertPath, "certpath", "./priv/cert.pem", "Pem format of certificate file path of httpsd secure server")
-	gatewayCmd.Flag.StringVar(&cfg.SProxyServerPrivPath, "privpath", "./priv/priv.pem", "Pem format of private key file path of httpsd secure server")
+	gatewayCmd.Flag.StringVar(&cfg.SProxyServerCertPath, "certpath", "./priv/fullchain.pem", "Pem format of certificate file path of httpsd secure server")
+	gatewayCmd.Flag.StringVar(&cfg.SProxyServerPrivPath, "privpath", "./priv/privkey.pem", "Pem format of private key file path of httpsd secure server")
 	gatewayCmd.Flag.BoolVar(&cfg.EnableSProxyServer, "secure", false, "enable httpsd server")
 	gatewayCmd.Flag.BoolVar(&cfg.AllowRedirectToSProxy, "allow_redirect", false, "allow redirect all http transmission to httpsd")
-	gatewayCmd.Flag.BoolVar(&edgeACME, "edge_acme", false, "allow to use ACME generate certificates automatically")
+	gatewayCmd.Flag.BoolVar(&edgeACME, "edge_acme", false, "allow to use ACME to generate certificates automatically")
 	gatewayCmd.Flag.StringVar(&edgeACMEEmail, "edge_acme_email", "", "ACME email configuration")
+	gatewayCmd.Flag.StringVar(&edgeACMEAddtlCerts, "edge_acme_addtl_certs", "", "comma separated list of additional directories containing fullchain.pem/privkey.pem pairs of private keys to import")
 }
 
 func gatewayHandler() (err error) {
@@ -82,15 +84,16 @@ func gatewayHandler() (err error) {
 		return
 	}
 	proxyCfg := rpc.ProxyConfig{
-		EnableSProxy:      cfg.EnableSProxyServer,
-		ProxyServerAddr:   cfg.ProxyServerAddr(),
-		SProxyServerAddr:  cfg.SProxyServerAddr(),
-		SProxyServerPorts: cfg.SProxyAdditionalPorts(),
-		CertPath:          cfg.SProxyServerCertPath,
-		PrivPath:          cfg.SProxyServerPrivPath,
-		AllowRedirect:     cfg.AllowRedirectToSProxy,
-		EdgeACME:          edgeACME,
-		EdgeACMEEmail:     edgeACMEEmail,
+		EnableSProxy:       cfg.EnableSProxyServer,
+		ProxyServerAddr:    cfg.ProxyServerAddr(),
+		SProxyServerAddr:   cfg.SProxyServerAddr(),
+		SProxyServerPorts:  cfg.SProxyAdditionalPorts(),
+		CertPath:           cfg.SProxyServerCertPath,
+		PrivPath:           cfg.SProxyServerPrivPath,
+		AllowRedirect:      cfg.AllowRedirectToSProxy,
+		EdgeACME:           edgeACME,
+		EdgeACMEEmail:      edgeACMEEmail,
+		EdgeACMEAddtlCerts: edgeACMEAddtlCerts,
 	}
 	var proxyServer *rpc.ProxyServer
 	proxyServer, err = rpc.NewProxyServer(proxyCfg, socksServer)

diff --git a/rpc/proxy.go b/rpc/proxy.go
@@ -11,6 +11,7 @@ import (
 	"io"
 	"net"
 	"net/http"
+	"strings"
 	"sync"
 	"time"
 
@@ -22,15 +23,16 @@ import (
 
 // Config is Proxy Server configuration
 type ProxyConfig struct {
-	ProxyServerAddr   string
-	SProxyServerAddr  string
-	SProxyServerPorts []int
-	CertPath          string
-	PrivPath          string
-	EnableSProxy      bool
-	AllowRedirect     bool
-	EdgeACME          bool
-	EdgeACMEEmail     string
+	ProxyServerAddr    string
+	SProxyServerAddr   string
+	SProxyServerPorts  []int
+	CertPath           string
+	PrivPath           string
+	EnableSProxy       bool
+	AllowRedirect      bool
+	EdgeACME           bool
+	EdgeACMEEmail      string
+	EdgeACMEAddtlCerts string
 }
 
 type HttpError struct {
@@ -281,11 +283,14 @@ func (proxyServer *ProxyServer) Start() error {
 		httpsdHandler := http.HandlerFunc(proxyServer.pipeProxy)
 		protos := make(map[string]func(*http.Server, *tls.Conn, http.Handler))
 		httpsServer := &http.Server{Handler: httpsdHandler, TLSNextProto: protos}
-		// load pem format certificate key pair
+
+		// Load pem format certificate key pair, we need at least one existing cert
+		// (preferabbly wildcard for the primary domain) to operate
 		cert, err := tls.LoadX509KeyPair(proxyServer.Config.CertPath, proxyServer.Config.PrivPath)
 		if err != nil {
 			return err
 		}
+
 		var tlsConfig *tls.Config
 		if proxyServer.Config.EdgeACME {
 			// must listen to 443 for ACME
@@ -297,6 +302,11 @@ func (proxyServer *ProxyServer) Start() error {
 			certmagicCfg := certmagic.NewDefault()
 			certmagicCfg.OnDemand = &certmagic.OnDemandConfig{
 				DecisionFunc: func(name string) error {
+					dots := strings.Count(name, ".")
+					if dots > 3 {
+						return fmt.Errorf("rejecting invalid domain %v", name)
+					}
+
 					_, _, deviceID, _, err := parseHost(name)
 					if err != nil {
 						return err
@@ -308,15 +318,21 @@ func (proxyServer *ProxyServer) Start() error {
 					return nil
 				},
 			}
+
 			// cache the certificate
 			certmagicCfg.CacheUnmanagedTLSCertificate(context.Background(), cert, nil)
+			for _, path := range strings.Split(proxyServer.Config.EdgeACMEAddtlCerts, ",") {
+				extraCert, err := tls.LoadX509KeyPair(fmt.Sprintf("%s/fullchain.pem", path), fmt.Sprintf("%s/privkey.pem", path))
+				if err == nil {
+					proxyServer.logger.Info("Loading additional certificate from %s\n", path)
+					certmagicCfg.CacheUnmanagedTLSCertificate(context.Background(), extraCert, nil)
+				} else {
+					proxyServer.logger.Error("Loading additional certificate from %s failed: %v\n", path, err)
+				}
+			}
+
 			tlsConfig = certmagicCfg.TLSConfig()
 			tlsConfig.NextProtos = append([]string{"http/1.1"}, tlsConfig.NextProtos...)
-			// don't have to sync certificates
-			// err := certmagicCfg.ManageSync([]string{})
-			// if err != nil {
-			// 	return err
-			// }
 		} else {
 			httpsdAddr = config.AppConfig.SProxyServerAddr()
 			tlsConfig = &tls.Config{