authormo khan <mo@mokhan.ca>2025-04-07 14:30:30 -0600
committermo khan <mo@mokhan.ca>2025-04-07 14:30:30 -0600
commit4d27620bf502549008290bf2034fc8b09e1a677a (patch)
treef45ec515d547933d373880b14a06061c4dc2862d /pkg
parentb9111d3d9bde47a6409eadce0e830e75862838b1 (diff)
chore: add tls config
Diffstat (limited to 'pkg')
-rw-r--r--pkg/app/app.go6
-rw-r--r--pkg/cfg/tls.go57
2 files changed, 63 insertions, 0 deletions
diff --git a/pkg/app/app.go b/pkg/app/app.go
index 861ce59a..89a2bd34 100644
--- a/pkg/app/app.go
+++ b/pkg/app/app.go
@@ -15,5 +15,11 @@ func Start(bindAddr string) error {
return srv.Run(cfg.New(
bindAddr,
cfg.WithMux(log.HTTP(logger)(mux)),
+ cfg.WithTLS([]string{
+ "api.example.com",
+ "authzd.example.com",
+ "idp.example.com",
+ "ui.example.com",
+ }),
))
}
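Review bot: The four hostnames handed to `cfg.WithTLS` are hard-coded inside `Start(bindAddr string)` while the bind address is a parameter, so moving the service to another environment means editing and rebuilding the binary; take them from the same configuration source as bindAddr (or extend the signature, e.g. `Start(bindAddr string, domains []string)`). Because `cfg.WithTLS(...)` is evaluated as an argument to `cfg.New` before `srv.Run` is called, any blocking call or panic inside it (its body lives in pkg/cfg/tls.go, outside this hunk) happens here, before the server starts. `Start` itself begins above this hunk; only the tail of its body is visible.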
diff --git a/pkg/cfg/tls.go b/pkg/cfg/tls.go
index 6441df8f..bce6e186 100644
--- a/pkg/cfg/tls.go
+++ b/pkg/cfg/tls.go
@@ -1,9 +1,18 @@
package cfg
import (
+ "context"
"crypto/tls"
+ "crypto/x509"
+ "encoding/pem"
+ "io/ioutil"
+ "net/http"
+ "os"
+ "path/filepath"
+ "github.com/caddyserver/certmagic"
"github.com/xlgmokha/x/pkg/x"
+ "go.uber.org/zap"
)
func WithSelfSigned(cert, key string) Option {
@@ -16,3 +25,51 @@ func WithSelfSigned(cert, key string) Option {
}
}
}
+
+func WithTLS(domainNames []string) Option {
+ directoryURL := "https://localhost:8081/acme/acme/directory"
+ storage := &certmagic.FileStorage{
+ Path: filepath.Join(x.Must(os.Getwd()), "/tmp/cache"),
+ }
+ var cache *certmagic.Cache
+ cache = certmagic.NewCache(certmagic.CacheOptions{
+ GetConfigForCert: func(cert certmagic.Certificate) (*certmagic.Config, error) {
+ return certmagic.New(cache, certmagic.Config{
+ Logger: x.Must(zap.NewProduction()),
+ OnDemand: new(certmagic.OnDemandConfig),
+ Storage: storage,
+ }), nil
+ },
+ })
+ roots := x.Must(x509.SystemCertPool())
+ roots.AddCert(func() *x509.Certificate {
+ block, _ := pem.Decode(x.Must(ioutil.ReadFile(
+ filepath.Join(x.Must(os.Getwd()), "/tmp/step/certs/root_ca.crt"),
+ )))
+ return x.Must(x509.ParseCertificate(block.Bytes))
+ }())
+ magic := certmagic.New(cache, certmagic.Config{
+ Logger: x.Must(zap.NewProduction()),
+ OnDemand: new(certmagic.OnDemandConfig),
+ Storage: storage,
+ })
+ issuer := certmagic.NewACMEIssuer(magic, certmagic.ACMEIssuer{
+ Agreed: true,
+ Email: "email@example.com",
+ CA: directoryURL,
+ TestCA: directoryURL,
+ TrustedRoots: roots,
+ })
+ magic.Issuers = []certmagic.Issuer{issuer}
+
+ if err := http.ListenAndServe(":80", issuer.HTTPChallengeHandler(http.DefaultServeMux)); err != nil {
+ return func(*Config) {}
+ }
+
+ x.Check(magic.ManageSync(context.Background(), domainNames))
+
+ return func(config *Config) {
+ config.TLS = magic.TLSConfig()
+ config.TLS.NextProtos = append([]string{"h2", "http/1.1"}, config.TLS.NextProtos...)
+ }
+}
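Review bot: `http.ListenAndServe(":80", ...)` never returns on success, so the `magic.ManageSync` call and the `return func(config *Config)` below it are unreachable and the caller blocks forever; when the listen fails (port in use, no privilege) the error is discarded and a no-op Option is returned, so the server comes up without TLS and nothing reports why. Run the challenge listener in its own goroutine on an `http.Server` with a read-header timeout (needs a `time` import), log its error, and use a plain not-found handler as the fallback instead of `http.DefaultServeMux`, which would expose anything else registered on the default mux over port 80. `pem.Decode` returns a nil block when root_ca.crt is not PEM, and `block.Bytes` then dereferences nil; check the block before `x509.ParseCertificate`, and replace the deprecated `io/ioutil` import added in the first hunk with `os.ReadFile`. `OnDemand: new(certmagic.OnDemandConfig)` is set on both configs with no DecisionFunc, which presumably allows issuance for any name a client presents — confirm against the certmagic docs; since the names are already given to `ManageSync`, dropping OnDemand or restricting its DecisionFunc to domainNames is the safer default. The `certmagic.New(...)` inside `GetConfigForCert` also builds a second config and a second `zap.NewProduction()` logger that duplicate `magic`; returning `magic` (or a shared config) there avoids the divergence.
```go
	roots := x.Must(x509.SystemCertPool())
	rootPEM := x.Must(os.ReadFile(filepath.Join(x.Must(os.Getwd()), "/tmp/step/certs/root_ca.crt")))
	block, _ := pem.Decode(rootPEM)
	if block == nil {
		panic("root_ca.crt: no PEM block found")
	}
	roots.AddCert(x.Must(x509.ParseCertificate(block.Bytes)))
	// … unchanged: magic and issuer construction …
	magic.Issuers = []certmagic.Issuer{issuer}

	// The HTTP-01 challenge listener only returns on error, so it must not
	// run on the caller's goroutine; report failures instead of dropping them.
	go func() {
		challenge := &http.Server{
			Addr:              ":80",
			Handler:           issuer.HTTPChallengeHandler(http.NotFoundHandler()),
			ReadHeaderTimeout: 10 * time.Second,
		}
		if err := challenge.ListenAndServe(); err != nil {
			magic.Logger.Error("acme http challenge listener", zap.Error(err))
		}
	}()

	x.Check(magic.ManageSync(context.Background(), domainNames))
	// … unchanged: returned Option …
```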