mirror of
https://github.com/sadoyan/aralez.git
synced 2026-05-30 03:44:06 +08:00
Let's Encrypt auto certificate HTTP-01 challenge #16
This commit is contained in:
Ara Sadoyan
@@ -1,3 +1,4 @@
|
||||
use crate::tls::acme::order::refresh_order;
|
||||
use crate::utils::discovery::{APIUpstreamProvider, ConsulProvider, Discovery, FromFileProvider, KubernetesProvider};
|
||||
use crate::utils::parceyaml::load_configuration;
|
||||
use crate::utils::structs::Configuration;
|
||||
@@ -50,10 +51,16 @@ impl BackgroundService for LB {
|
||||
}
|
||||
}
|
||||
|
||||
let confdir = self.config.proxy_configs.clone().unwrap_or_else(|| "/tmp".to_string()) + "/autoconfigs";
|
||||
let certdir = self.config.proxy_configs.clone().unwrap_or_else(|| "/tmp".to_string()) + "/certificates";
|
||||
|
||||
let api_load = APIUpstreamProvider {
|
||||
address: self.config.config_address.clone(),
|
||||
masterkey: self.config.master_key.clone(),
|
||||
config_api_enabled: self.config.config_api_enabled.clone(),
|
||||
// certs_dir: self.config.proxy_certificates.clone().unwrap_or_else(|| "/tmp".to_string()),
|
||||
config_dir: confdir.clone(),
|
||||
certs_dir: certdir.clone(),
|
||||
// tls_address: self.config.config_tls_address.clone(),
|
||||
// tls_certificate: self.config.config_tls_certificate.clone(),
|
||||
// tls_key_file: self.config.config_tls_key_file.clone(),
|
||||
@@ -62,6 +69,7 @@ impl BackgroundService for LB {
|
||||
current_upstreams: self.ump_upst.clone(),
|
||||
full_upstreams: self.ump_full.clone(),
|
||||
};
|
||||
// let crtdir = api_load.certs_dir.clone();
|
||||
// let tx_api = tx.clone();
|
||||
let _ = tokio::spawn(async move { api_load.start(tx_api).await });
|
||||
|
||||
@@ -70,6 +78,7 @@ impl BackgroundService for LB {
|
||||
let im = self.ump_byid.clone();
|
||||
let (hc_method, hc_interval) = (self.config.hc_method.clone(), self.config.hc_interval);
|
||||
let _ = tokio::spawn(async move { healthcheck::hc2(uu, ff, im, (&*hc_method.to_string(), hc_interval.to_string().parse().unwrap())).await });
|
||||
let _ = tokio::spawn(async move { refresh_order(certdir, confdir).await });
|
||||
|
||||
loop {
|
||||
tokio::select! {
|
||||
|
||||
@@ -64,7 +64,8 @@ pub fn run() {
|
||||
Some(bind_address_tls) => {
|
||||
check_priv(bind_address_tls.as_str());
|
||||
let (tx, rx): (Sender<Vec<CertificateConfig>>, Receiver<Vec<CertificateConfig>>) = channel();
|
||||
let certs_path = cfg.proxy_certificates.clone().unwrap();
|
||||
// let certs_path = cfg.proxy_certificates.clone().unwrap();
|
||||
let certs_path = cfg.proxy_configs.clone().unwrap() + "/certificates";
|
||||
thread::spawn(move || {
|
||||
watch_folder(certs_path, tx).unwrap();
|
||||
});
|
||||
|
||||
@@ -1,5 +1,8 @@
|
||||
use crate::utils::discovery::APIUpstreamProvider;
|
||||
// use std::net::SocketAddr;
|
||||
use crate::tls::acme::order::CHALLENGES;
|
||||
// use axum_server::tls_openssl::OpenSSLConfig;
|
||||
use crate::tls::acme::{account, order};
|
||||
use crate::utils::discovery::APIUpstreamProvider;
|
||||
use crate::utils::jwt::Claims;
|
||||
use crate::utils::structs::{Config, Configuration, UpstreamsDashMap};
|
||||
use crate::utils::tools::{upstreams_liveness_json, upstreams_to_json};
|
||||
@@ -7,9 +10,8 @@ use axum::body::Body;
|
||||
use axum::extract::{Query, State};
|
||||
use axum::http::{header::HeaderMap, Response, StatusCode};
|
||||
use axum::response::IntoResponse;
|
||||
use axum::routing::{get, post};
|
||||
use axum::routing::{any, get, post};
|
||||
use axum::{Json, Router};
|
||||
// use axum_server::tls_openssl::OpenSSLConfig;
|
||||
use futures::channel::mpsc::Sender;
|
||||
use futures::SinkExt;
|
||||
use jsonwebtoken::{encode, EncodingKey, Header};
|
||||
@@ -31,6 +33,8 @@ struct OutToken {
|
||||
#[derive(Clone)]
|
||||
struct AppState {
|
||||
master_key: String,
|
||||
cert_creds: String,
|
||||
certs_dir: String,
|
||||
config_sender: Sender<Configuration>,
|
||||
config_api_enabled: bool,
|
||||
current_upstreams: Arc<UpstreamsDashMap>,
|
||||
@@ -39,8 +43,11 @@ struct AppState {
|
||||
|
||||
#[allow(unused_mut)]
|
||||
pub async fn run_server(config: &APIUpstreamProvider, mut to_return: Sender<Configuration>, upstreams_curr: Arc<UpstreamsDashMap>, upstreams_full: Arc<UpstreamsDashMap>) {
|
||||
let credsfile = config.config_dir.clone() + "/acme_credentials.json";
|
||||
let app_state = AppState {
|
||||
master_key: config.masterkey.clone(),
|
||||
cert_creds: credsfile,
|
||||
certs_dir: config.certs_dir.clone(),
|
||||
config_sender: to_return.clone(),
|
||||
config_api_enabled: config.config_api_enabled.clone(),
|
||||
current_upstreams: upstreams_curr,
|
||||
@@ -54,6 +61,9 @@ pub async fn run_server(config: &APIUpstreamProvider, mut to_return: Sender<Conf
|
||||
// .route("/{*wildcard}", delete(senderror))
|
||||
// .nest_service("/static", static_files)
|
||||
.route("/jwt", post(jwt_gen))
|
||||
.route("/acme_create", any(acme_create))
|
||||
.route("/acme_order/{*domain}", any(acme_order))
|
||||
.route("/.well-known/acme-challenge/{*token}", any(http01_challenge))
|
||||
.route("/conf", post(conf))
|
||||
.route("/metrics", get(metrics))
|
||||
.route("/status", get(status))
|
||||
@@ -87,19 +97,18 @@ async fn conf(State(st): State<AppState>, Query(params): Query<HashMap<String, S
|
||||
if !st.config_api_enabled {
|
||||
return Response::builder().status(StatusCode::FORBIDDEN).body(Body::from("Config API is disabled !\n")).unwrap();
|
||||
}
|
||||
if let Some(s) = headers.get("x-api-key").and_then(|v| v.to_str().ok()).or(params.get("key").map(|s| s.as_str())) {
|
||||
if s.as_bytes().ct_eq(st.master_key.as_bytes()).into() {
|
||||
let strcontent = content.as_str();
|
||||
let parsed = serde_yml::from_str::<Config>(strcontent);
|
||||
match parsed {
|
||||
Ok(_) => {
|
||||
let _ = tokio::spawn(async move { apply_config(content.as_str(), st).await });
|
||||
return Response::builder().status(StatusCode::OK).body(Body::from("Accepted! Applying in background\n")).unwrap();
|
||||
}
|
||||
Err(err) => {
|
||||
error!("Failed to parse upstreams file: {}", err);
|
||||
return Response::builder().status(StatusCode::BAD_GATEWAY).body(Body::from(format!("Failed: {}\n", err))).unwrap();
|
||||
}
|
||||
// if let Some(s) = headers.get("x-api-key").and_then(|v| v.to_str().ok()).or(params.get("key").map(|s| s.as_str())) {
|
||||
if key_authorization(&headers, ¶ms, &st.master_key) {
|
||||
let strcontent = content.as_str();
|
||||
let parsed = serde_yml::from_str::<Config>(strcontent);
|
||||
match parsed {
|
||||
Ok(_) => {
|
||||
let _ = tokio::spawn(async move { apply_config(content.as_str(), st).await });
|
||||
return Response::builder().status(StatusCode::OK).body(Body::from("Accepted! Applying in background\n")).unwrap();
|
||||
}
|
||||
Err(err) => {
|
||||
error!("Failed to parse upstreams file: {}", err);
|
||||
return Response::builder().status(StatusCode::BAD_GATEWAY).body(Body::from(format!("Failed: {}\n", err))).unwrap();
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -192,6 +201,85 @@ async fn status(State(st): State<AppState>, Query(params): Query<HashMap<String,
|
||||
}
|
||||
Response::builder()
|
||||
.status(StatusCode::INTERNAL_SERVER_ERROR)
|
||||
.body(Body::from(format!("Parameter mismatch")))
|
||||
.body(Body::from(format!("{}", "Parameter mismatch")))
|
||||
.unwrap()
|
||||
}
|
||||
|
||||
async fn acme_create(State(state): State<AppState>, Query(params): Query<HashMap<String, String>>, headers: HeaderMap) -> impl IntoResponse {
|
||||
if !key_authorization(&headers, ¶ms, &state.master_key) {
|
||||
return Response::builder().status(StatusCode::FORBIDDEN).body(Body::from("Access Denied !\n")).unwrap();
|
||||
}
|
||||
|
||||
let _ = match account::load_or_create(state.cert_creds.as_str()).await {
|
||||
Ok(txt) => {
|
||||
return Response::builder()
|
||||
.status(StatusCode::OK)
|
||||
.header("Content-Type", "text/plain")
|
||||
.body(Body::from(txt))
|
||||
.unwrap()
|
||||
}
|
||||
Err(e) => {
|
||||
return Response::builder()
|
||||
.status(StatusCode::INTERNAL_SERVER_ERROR)
|
||||
.body(Body::from(format!("Failed to create account: {}", e)))
|
||||
.unwrap()
|
||||
}
|
||||
};
|
||||
}
|
||||
async fn acme_order(
|
||||
State(state): State<AppState>,
|
||||
axum::extract::Path(domain): axum::extract::Path<String>,
|
||||
Query(params): Query<HashMap<String, String>>,
|
||||
headers: HeaderMap,
|
||||
) -> impl IntoResponse {
|
||||
if !key_authorization(&headers, ¶ms, &state.master_key) {
|
||||
return Response::builder().status(StatusCode::FORBIDDEN).body(Body::from("Access Denied !\n")).unwrap();
|
||||
}
|
||||
|
||||
let domain_clean = domain.trim_matches('/');
|
||||
let _ = match order::order(domain_clean, state.cert_creds.as_str(), state.certs_dir).await {
|
||||
Ok(txt) => {
|
||||
return Response::builder()
|
||||
.status(StatusCode::OK)
|
||||
.header("Content-Type", "text/plain")
|
||||
.body(Body::from(txt))
|
||||
.unwrap()
|
||||
}
|
||||
Err(e) => {
|
||||
return Response::builder()
|
||||
.status(StatusCode::INTERNAL_SERVER_ERROR)
|
||||
.body(Body::from(format!("Failed to order a certificate: {}", e)))
|
||||
.unwrap()
|
||||
}
|
||||
};
|
||||
}
|
||||
|
||||
pub async fn http01_challenge(axum::extract::Path(token): axum::extract::Path<String>) -> impl IntoResponse {
|
||||
if let Ok(challenges) = CHALLENGES.read() {
|
||||
// for k in challenges.iter() {
|
||||
// println!(" ==> {} : {}", k.0, k.1);
|
||||
// }
|
||||
|
||||
if let Some(key_authorization) = challenges.get(&token) {
|
||||
return Response::builder()
|
||||
.status(StatusCode::OK)
|
||||
.header("Content-Type", "text/plain")
|
||||
.body(Body::from(key_authorization.clone()))
|
||||
.unwrap();
|
||||
}
|
||||
}
|
||||
Response::builder()
|
||||
.status(StatusCode::NOT_FOUND)
|
||||
.header("Content-Type", "text/plain")
|
||||
.body(Body::from("Not found"))
|
||||
.unwrap()
|
||||
}
|
||||
|
||||
fn key_authorization(headers: &HeaderMap, params: &HashMap<String, String>, masterkey: &str) -> bool {
|
||||
if let Some(s) = headers.get("x-api-key").and_then(|v| v.to_str().ok()).or(params.get("key").map(|s| s.as_str())) {
|
||||
if s.as_bytes().ct_eq(masterkey.as_bytes()).into() {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
false
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user