From 45ee3c060433c58a0a89de223655381933e7df11 Mon Sep 17 00:00:00 2001 From: Ben Morrison Date: Tue, 11 Jun 2019 18:49:16 -0400 Subject: added support for TLS and hostname resolution --- Makefile | 12 ------------ etc/getwtxt-proxied.service | 15 --------------- getwtxt.yml | 11 +++++++++++ svc/conf.go | 37 ++++++++++++++++++++++++++++++++----- svc/init.go | 1 - svc/svc.go | 9 ++++++++- 6 files changed, 51 insertions(+), 34 deletions(-) delete mode 100644 etc/getwtxt-proxied.service diff --git a/Makefile b/Makefile index eea8cdd..2151717 100644 --- a/Makefile +++ b/Makefile @@ -19,18 +19,6 @@ update: git pull --rebase install: - adduser -home $(BINDIR) --system --group getwtxt - mkdir -p $(BINDIR)/assets/tmpl $(BINDIR)/docs - install -m755 getwtxt $(BINDIR) - install -m644 getwtxt.yml $(BINDIR) - install -m644 assets/style.css $(BINDIR)/assets - install -m644 assets/tmpl/index.html $(BINDIR)/assets/tmpl - install -m644 README.md $(BINDIR)/docs - install -m644 LICENSE $(BINDIR)/docs - install -m644 etc/getwtxt-proxied.service /etc/systemd/system - chown -R getwtxt:getwtxt $(BINDIR) - -install-unproxied: adduser -home $(BINDIR) --system --group getwtxt mkdir -p $(BINDIR)/assets/tmpl $(BINDIR)/docs install -m755 getwtxt $(BINDIR) diff --git a/etc/getwtxt-proxied.service b/etc/getwtxt-proxied.service deleted file mode 100644 index 07ea8cb..0000000 --- a/etc/getwtxt-proxied.service +++ /dev/null @@ -1,15 +0,0 @@ -[Unit] -Description=getwtxt - -[Service] -Type=simple -ExecStart=/usr/local/getwtxt/getwtxt \ - --assets /usr/local/getwtxt/assets \ - --config /usr/local/getwtxt/getwtxt.yml \ - --db /usr/local/getwtxt/getwtxt.db \ - --dbtype leveldb \ - --proxied -Restart=always - -[Install] -WantedBy=multi-user.target diff --git a/getwtxt.yml b/getwtxt.yml index 0388651..d9f5c90 100644 --- a/getwtxt.yml +++ b/getwtxt.yml 
@@ -24,8 +24,19 @@ BehindProxy: true # This is the port that getwtxt will bind to. +# If BehindProxy is false, you should probably +# set this to 80 or 443 ListenPort: 9001 +# Determines whether we're using SSL/TLS. If so, +# you should set the Cert and Key files. +# Don't use TLS if you're setting up getwtxt +# behind a reverse proxy - just let the proxy +# handle the connection. +UseTLS: false +TLSCert: "/etc/ssl/getwtxt.pem" +TLSKey: "/etc/ssl/private/getwtxt.pem" + # The type of database you want to use. Currently, # the following are supported: # leveldb (default) diff --git a/svc/conf.go b/svc/conf.go index f15bd13..538b701 100644 --- a/svc/conf.go +++ b/svc/conf.go @@ -25,6 +25,7 @@ type Configuration struct { CacheInterval time.Duration `yaml:"StatusFetchInterval"` DBInterval time.Duration `yaml:"DatabasePushInterval"` Instance `yaml:"Instance"` + TLS } // Instance refers to meta data about @@ -38,6 +39,14 @@ type Instance struct { Desc string `yaml:"Instance.Description"` } +// TLS holds the tls config from the +// config file +type TLS struct { + Use bool `yaml:"UseTLS"` + Cert string `yaml:"TLSCert"` + Key string `yaml:"TLSKey"` +} + // Called on start-up. Initializes everything // related to configuration values. func initConfig() { @@ -88,6 +97,10 @@ func initLogging() { // Default values should a config file // not be available. func setConfigDefaults() { + viper.SetDefault("BehindProxy", true) + viper.SetDefault("UseTLS", false) + viper.SetDefault("TLSCert", "cert.pem") + viper.SetDefault("TLSKey", "key.pem") viper.SetDefault("ListenPort", 9001) viper.SetDefault("LogFile", "getwtxt.log") viper.SetDefault("DatabasePath", "getwtxt.db") 
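Review bot: The sample `TLSKey: "/etc/ssl/private/getwtxt.pem"` points into a directory that is normally readable only by root, while the Makefile in this same commit installs and runs getwtxt as an unprivileged `getwtxt` system user, so a user who copies this example is likely to hit a read failure at ListenAndServeTLS time with no hint here. The comment block above UseTLS could say so: `# The key file must be readable by the user getwtxt runs as;` `# keep it owned by that user with mode 0600 rather than world-readable.` It would also help to mention that these paths are examples and that the in-code defaults differ from them.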
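Review bot: The `TLSCert`/`TLSKey` defaults `cert.pem` and `key.pem` in setConfigDefaults are relative paths, so which files are loaded depends on the working directory the service happens to start in, and they disagree with the sample getwtxt.yml in this commit (`/etc/ssl/getwtxt.pem`, `/etc/ssl/private/getwtxt.pem`). Either pick one set of defaults for both places or leave them empty so bindConfig can reject `UseTLS: true` without explicit paths. `BehindProxy` also gains a default of `true` here; with the `--proxied` flag removed in init.go, an installation that never set BehindProxy in its config appears to move from host matching to no host matching, unless the previous default was already true somewhere outside this hunk, so a line in the commit message would help. setConfigDefaults continues past the end of the hunk.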
@@ -150,6 +163,12 @@ func bindConfig() { confObj.Instance.Mail = viper.GetString("Instance.Email") confObj.Instance.Desc = viper.GetString("Instance.Description") + confObj.TLS.Use = viper.GetBool("UseTLS") + if confObj.TLS.Use { + confObj.TLS.Cert = viper.GetString("TLSCert") + confObj.TLS.Key = viper.GetString("TLSKey") + } + if *flagDBType != "" { confObj.DBType = *flagDBType } @@ -159,15 +178,24 @@ func bindConfig() { if *flagAssets != "" { confObj.AssetsDir = *flagAssets } - if *flagProxied { - confObj.IsProxied = true - } + confObj.Mu.Unlock() + + announceConfig() +} + +func announceConfig() { + confObj.Mu.RLock() if confObj.IsProxied { log.Printf("Behind reverse proxy, not using host matching\n") } else { log.Printf("Matching host: %v\n", confObj.Instance.URL) } + if confObj.TLS.Use { + log.Printf("Using TLS\n") + log.Printf("Cert: %v\n", confObj.TLS.Cert) + log.Printf("Key: %v\n", confObj.TLS.Key) + } if confObj.StdoutLogging { log.Printf("Logging to: stdout\n") } else { @@ -176,6 +204,5 @@ func bindConfig() { log.Printf("Using %v database: %v\n", confObj.DBType, confObj.DBPath) log.Printf("Database push interval: %v\n", confObj.DBInterval) log.Printf("User status fetch interval: %v\n", confObj.CacheInterval) - - confObj.Mu.Unlock() + confObj.Mu.RUnlock() } diff --git a/svc/init.go b/svc/init.go index 082cef8..fe83145 100644 --- a/svc/init.go +++ b/svc/init.go @@ -22,7 +22,6 @@ var ( flagAssets *string = pflag.StringP("assets", "a", "", "The location of the getwtxt assets directory.") flagDBPath *string = pflag.StringP("db", "d", "", "Path to the getwtxt database.") flagDBType *string = pflag.StringP("dbtype", "t", "", "Type of database being used.") - flagProxied *bool = pflag.BoolP("proxied", "p", false, "Use if getwtxt is behind a reverse proxy.") ) // Holds the global configuration diff --git a/svc/svc.go b/svc/svc.go index e5802d2..1748bf0 100644 --- a/svc/svc.go +++ b/svc/svc.go 
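Review bot: When `UseTLS` is true, bindConfig copies `TLSCert`/`TLSKey` without checking them, so an empty or unreadable path is only discovered when `server.ListenAndServeTLS` fails in svc.go, after the database and tickers are already running. A check at bind time gives a clearer failure, e.g. `if confObj.TLS.Use && (confObj.TLS.Cert == "" || confObj.TLS.Key == "") { log.Fatalf("UseTLS is set but TLSCert or TLSKey is empty") }`, and an `os.Stat` on each path would surface the permissions case as well. bindConfig begins before the hunk, so whether any earlier validation exists is not visible here.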
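Review bot: Dropping the `if *flagProxied` branch together with the flag in init.go turns `--proxied` into an unknown flag, so an existing unit file or script still passing it (the deleted etc/getwtxt-proxied.service did) will presumably be rejected by pflag at startup rather than ignored; if the config-file `BehindProxy` key is meant to replace it, keeping the flag as a deprecated no-op for a release or stating the break in the commit message would be kinder to upgraders. The new `announceConfig` also has no comment while its neighbours do; `// announceConfig logs the effective configuration. It takes confObj.Mu for reading, so callers must not hold the lock.` bindConfig begins outside the hunk and announceConfig's body continues into the next one.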
@@ -25,6 +25,9 @@ func Start() { if !confObj.IsProxied { index.Host(confObj.Instance.URL) } + TLS := confObj.TLS.Use + TLSCert := confObj.TLS.Cert + TLSKey := confObj.TLS.Key confObj.Mu.RUnlock() setIndexRouting(index) @@ -34,7 +37,11 @@ func Start() { server := newServer(portnum, index) log.Printf("*** Listening on %v\n", portnum) log.Printf("*** getwtxt %v Startup finished at %v, took %v\n\n", Vers, time.Now().Format(time.RFC3339), time.Since(before)) - errLog("", server.ListenAndServe()) + if TLS { + errLog("", server.ListenAndServeTLS(TLSCert, TLSKey)) + } else { + errLog("", server.ListenAndServe()) + } closeLog <- true killTickers() -- cgit 1.4.1-2-gfad0
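Review bot: The new locals `TLS`, `TLSCert` and `TLSKey` use exported-style names for function-scope variables, and `TLS` in particular shadows the package-level `type TLS` added in svc/conf.go for the rest of Start(); Go convention is lowerCamel for locals, e.g. `useTLS := confObj.TLS.Use`, `certFile := confObj.TLS.Cert`, `keyFile := confObj.TLS.Key`, with the matching renames in the ListenAndServeTLS branch below. Copying the values out under the RLock before releasing it is the right pattern. Start() begins before the hunk.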
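Review bot: `server.ListenAndServeTLS` runs with whatever `newServer` configured, and nothing in this hunk shows a `TLSConfig`; unless newServer (outside the hunk) sets one, the listener accepts the toolchain's default minimum protocol version, which on toolchains contemporary with this commit still includes TLS 1.0 and 1.1. If newServer has no such config, `server.TLSConfig = &tls.Config{MinVersion: tls.VersionTLS12}` before this call is the usual hardening. The errLog call does report a missing or unreadable cert/key, though only after the startup banner has already been logged.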