mirror of
https://github.com/yusing/godoxy.git
synced 2026-02-03 00:59:30 +01:00
Compare commits
9 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
fb96a2a4f1 | ||
|
|
fdfb682e2a | ||
|
|
8d56c61826 | ||
|
|
d1fca7e987 | ||
|
|
95f88a6f3c | ||
|
|
c0e2cf63b5 | ||
|
|
6388d07f64 | ||
|
|
15e50322c9 | ||
|
|
3ad6e98a17 |
2
Makefile
2
Makefile
@@ -92,7 +92,7 @@ docker-build-test:
|
||||
|
||||
go_ver := $(shell go version | cut -d' ' -f3 | cut -d'o' -f2)
|
||||
files := $(shell find . -name go.mod -type f -or -name Dockerfile -type f)
|
||||
gomod_paths := $(shell find . -name go.mod -type f | xargs dirname)
|
||||
gomod_paths := $(shell find . -name go.mod -type f | grep -vE '^./internal/(go-oidc|go-proxmox|gopsutil)/' | xargs dirname)
|
||||
|
||||
update-go:
|
||||
for file in ${files}; do \
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
package agentapi
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"os"
|
||||
@@ -36,6 +37,9 @@ type VerifyNewAgentRequest struct {
|
||||
// @Failure 500 {object} ErrorResponse
|
||||
// @Router /agent/verify [post]
|
||||
func Verify(c *gin.Context) {
|
||||
// avoid timeout waiting for response headers
|
||||
c.Status(http.StatusContinue)
|
||||
|
||||
var request VerifyNewAgentRequest
|
||||
if err := c.ShouldBindJSON(&request); err != nil {
|
||||
c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
|
||||
@@ -60,7 +64,7 @@ func Verify(c *gin.Context) {
|
||||
return
|
||||
}
|
||||
|
||||
nRoutesAdded, err := verifyNewAgent(request.Host, ca, client, request.ContainerRuntime)
|
||||
nRoutesAdded, err := verifyNewAgent(c.Request.Context(), request.Host, ca, client, request.ContainerRuntime)
|
||||
if err != nil {
|
||||
c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
|
||||
return
|
||||
@@ -82,7 +86,7 @@ func Verify(c *gin.Context) {
|
||||
|
||||
var errAgentAlreadyExists = gperr.New("agent already exists")
|
||||
|
||||
func verifyNewAgent(host string, ca agent.PEMPair, client agent.PEMPair, containerRuntime agent.ContainerRuntime) (int, gperr.Error) {
|
||||
func verifyNewAgent(ctx context.Context, host string, ca agent.PEMPair, client agent.PEMPair, containerRuntime agent.ContainerRuntime) (int, gperr.Error) {
|
||||
var agentCfg agent.AgentConfig
|
||||
agentCfg.Addr = host
|
||||
agentCfg.Runtime = containerRuntime
|
||||
@@ -99,7 +103,7 @@ func verifyNewAgent(host string, ca agent.PEMPair, client agent.PEMPair, contain
|
||||
return 0, errAgentAlreadyExists
|
||||
}
|
||||
|
||||
err := agentCfg.InitWithCerts(cfgState.Context(), ca.Cert, client.Cert, client.Key)
|
||||
err := agentCfg.InitWithCerts(ctx, ca.Cert, client.Cert, client.Key)
|
||||
if err != nil {
|
||||
return 0, gperr.Wrap(err, "failed to initialize agent config")
|
||||
}
|
||||
|
||||
@@ -4,10 +4,13 @@ import (
|
||||
"crypto/ecdsa"
|
||||
"crypto/elliptic"
|
||||
"crypto/rand"
|
||||
"crypto/sha256"
|
||||
"crypto/x509"
|
||||
"encoding/hex"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"regexp"
|
||||
|
||||
"github.com/go-acme/lego/v4/certcrypto"
|
||||
@@ -27,7 +30,7 @@ type Config struct {
|
||||
CertPath string `json:"cert_path,omitempty"`
|
||||
KeyPath string `json:"key_path,omitempty"`
|
||||
Extra []ConfigExtra `json:"extra,omitempty"`
|
||||
ACMEKeyPath string `json:"acme_key_path,omitempty"` // shared by all extra providers
|
||||
ACMEKeyPath string `json:"acme_key_path,omitempty"` // shared by all extra providers with the same CA directory URL
|
||||
Provider string `json:"provider,omitempty"`
|
||||
Options map[string]strutils.Redacted `json:"options,omitempty"`
|
||||
|
||||
@@ -88,7 +91,7 @@ func (cfg *Config) validate(seenPaths map[string]int) gperr.Error {
|
||||
cfg.KeyPath = KeyFileDefault
|
||||
}
|
||||
if cfg.ACMEKeyPath == "" {
|
||||
cfg.ACMEKeyPath = ACMEKeyFileDefault
|
||||
cfg.ACMEKeyPath = acmeKeyPath(cfg.CADirURL)
|
||||
}
|
||||
|
||||
b := gperr.NewBuilder("certificate error")
|
||||
@@ -272,3 +275,16 @@ func (cfg *Config) SaveACMEKey(key *ecdsa.PrivateKey) error {
|
||||
}
|
||||
return os.WriteFile(cfg.ACMEKeyPath, data, 0o600)
|
||||
}
|
||||
|
||||
// acmeKeyPath returns the path to the ACME key file based on the CA directory URL.
|
||||
// Different CA directory URLs will use different key files to avoid key conflicts.
|
||||
func acmeKeyPath(caDirURL string) string {
|
||||
// Use a hash of the CA directory URL to create a unique key filename
|
||||
// Default to "acme" if no custom CA is configured (Let's Encrypt default)
|
||||
filename := "acme"
|
||||
if caDirURL != "" {
|
||||
hash := sha256.Sum256([]byte(caDirURL))
|
||||
filename = "acme_" + hex.EncodeToString(hash[:])[:16]
|
||||
}
|
||||
return filepath.Join(certBasePath, filename+".key")
|
||||
}
|
||||
|
||||
@@ -1,8 +1,7 @@
|
||||
package autocert
|
||||
|
||||
const (
|
||||
certBasePath = "certs/"
|
||||
CertFileDefault = certBasePath + "cert.crt"
|
||||
KeyFileDefault = certBasePath + "priv.key"
|
||||
ACMEKeyFileDefault = certBasePath + "acme.key"
|
||||
certBasePath = "certs/"
|
||||
CertFileDefault = certBasePath + "cert.crt"
|
||||
KeyFileDefault = certBasePath + "priv.key"
|
||||
)
|
||||
|
||||
@@ -222,13 +222,14 @@ func (p *Provider) ObtainCertIfNotExistsAll() error {
|
||||
})
|
||||
}
|
||||
|
||||
err := errs.Wait().Error()
|
||||
p.rebuildSNIMatcher()
|
||||
return errs.Wait().Error()
|
||||
return err
|
||||
}
|
||||
|
||||
// obtainCertIfNotExists obtains a new certificate for this provider if it does not exist.
|
||||
func (p *Provider) obtainCertIfNotExists() error {
|
||||
err := p.LoadCert()
|
||||
err := p.loadCert()
|
||||
if err == nil {
|
||||
return nil
|
||||
}
|
||||
@@ -261,7 +262,10 @@ func (p *Provider) ObtainCertAll() error {
|
||||
return nil
|
||||
})
|
||||
}
|
||||
return errs.Wait().Error()
|
||||
|
||||
err := errs.Wait().Error()
|
||||
p.rebuildSNIMatcher()
|
||||
return err
|
||||
}
|
||||
|
||||
// ObtainCert renews existing certificate or obtains a new certificate for this provider.
|
||||
@@ -346,29 +350,32 @@ func (p *Provider) ObtainCert() error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (p *Provider) LoadCert() error {
|
||||
func (p *Provider) LoadCertAll() error {
|
||||
var errs gperr.Builder
|
||||
for _, provider := range p.allProviders() {
|
||||
if err := provider.loadCert(); err != nil {
|
||||
errs.Add(provider.fmtError(err))
|
||||
}
|
||||
}
|
||||
p.rebuildSNIMatcher()
|
||||
return errs.Error()
|
||||
}
|
||||
|
||||
func (p *Provider) loadCert() error {
|
||||
cert, err := tls.LoadX509KeyPair(p.cfg.CertPath, p.cfg.KeyPath)
|
||||
if err != nil {
|
||||
errs.Addf("load SSL certificate: %w", p.fmtError(err))
|
||||
return err
|
||||
}
|
||||
|
||||
expiries, err := getCertExpiries(&cert)
|
||||
if err != nil {
|
||||
errs.Addf("parse SSL certificate: %w", p.fmtError(err))
|
||||
return err
|
||||
}
|
||||
|
||||
p.tlsCert = &cert
|
||||
p.certExpiries = expiries
|
||||
|
||||
for _, ep := range p.extraProviders {
|
||||
if err := ep.LoadCert(); err != nil {
|
||||
errs.Add(err)
|
||||
}
|
||||
}
|
||||
|
||||
p.rebuildSNIMatcher()
|
||||
return errs.Error()
|
||||
return nil
|
||||
}
|
||||
|
||||
// PrintCertExpiriesAll prints the certificate expiries for this provider and all extra providers.
|
||||
|
||||
@@ -81,7 +81,7 @@ func TestGetCertBySNI(t *testing.T) {
|
||||
p, err := autocert.NewProvider(cfg, nil, nil)
|
||||
require.NoError(t, err)
|
||||
|
||||
err = p.LoadCert()
|
||||
err = p.LoadCertAll()
|
||||
require.NoError(t, err)
|
||||
|
||||
cert, err := p.GetCert(&tls.ClientHelloInfo{ServerName: "a.internal.example.com"})
|
||||
@@ -113,7 +113,7 @@ func TestGetCertBySNI(t *testing.T) {
|
||||
p, err := autocert.NewProvider(cfg, nil, nil)
|
||||
require.NoError(t, err)
|
||||
|
||||
err = p.LoadCert()
|
||||
err = p.LoadCertAll()
|
||||
require.NoError(t, err)
|
||||
|
||||
cert, err := p.GetCert(&tls.ClientHelloInfo{ServerName: "foo.example.com"})
|
||||
@@ -145,7 +145,7 @@ func TestGetCertBySNI(t *testing.T) {
|
||||
p, err := autocert.NewProvider(cfg, nil, nil)
|
||||
require.NoError(t, err)
|
||||
|
||||
err = p.LoadCert()
|
||||
err = p.LoadCertAll()
|
||||
require.NoError(t, err)
|
||||
|
||||
cert, err := p.GetCert(&tls.ClientHelloInfo{ServerName: "unknown.domain.com"})
|
||||
@@ -171,7 +171,7 @@ func TestGetCertBySNI(t *testing.T) {
|
||||
p, err := autocert.NewProvider(cfg, nil, nil)
|
||||
require.NoError(t, err)
|
||||
|
||||
err = p.LoadCert()
|
||||
err = p.LoadCertAll()
|
||||
require.NoError(t, err)
|
||||
|
||||
cert, err := p.GetCert(nil)
|
||||
@@ -197,7 +197,7 @@ func TestGetCertBySNI(t *testing.T) {
|
||||
p, err := autocert.NewProvider(cfg, nil, nil)
|
||||
require.NoError(t, err)
|
||||
|
||||
err = p.LoadCert()
|
||||
err = p.LoadCertAll()
|
||||
require.NoError(t, err)
|
||||
|
||||
cert, err := p.GetCert(&tls.ClientHelloInfo{ServerName: ""})
|
||||
@@ -229,7 +229,7 @@ func TestGetCertBySNI(t *testing.T) {
|
||||
p, err := autocert.NewProvider(cfg, nil, nil)
|
||||
require.NoError(t, err)
|
||||
|
||||
err = p.LoadCert()
|
||||
err = p.LoadCertAll()
|
||||
require.NoError(t, err)
|
||||
|
||||
cert, err := p.GetCert(&tls.ClientHelloInfo{ServerName: "FOO.EXAMPLE.COM"})
|
||||
@@ -261,7 +261,7 @@ func TestGetCertBySNI(t *testing.T) {
|
||||
p, err := autocert.NewProvider(cfg, nil, nil)
|
||||
require.NoError(t, err)
|
||||
|
||||
err = p.LoadCert()
|
||||
err = p.LoadCertAll()
|
||||
require.NoError(t, err)
|
||||
|
||||
cert, err := p.GetCert(&tls.ClientHelloInfo{ServerName: " foo.example.com. "})
|
||||
@@ -293,7 +293,7 @@ func TestGetCertBySNI(t *testing.T) {
|
||||
p, err := autocert.NewProvider(cfg, nil, nil)
|
||||
require.NoError(t, err)
|
||||
|
||||
err = p.LoadCert()
|
||||
err = p.LoadCertAll()
|
||||
require.NoError(t, err)
|
||||
|
||||
cert, err := p.GetCert(&tls.ClientHelloInfo{ServerName: "foo.a.example.com"})
|
||||
@@ -319,7 +319,7 @@ func TestGetCertBySNI(t *testing.T) {
|
||||
p, err := autocert.NewProvider(cfg, nil, nil)
|
||||
require.NoError(t, err)
|
||||
|
||||
err = p.LoadCert()
|
||||
err = p.LoadCertAll()
|
||||
require.NoError(t, err)
|
||||
|
||||
cert, err := p.GetCert(&tls.ClientHelloInfo{ServerName: "bar.example.com"})
|
||||
@@ -355,7 +355,7 @@ func TestGetCertBySNI(t *testing.T) {
|
||||
p, err := autocert.NewProvider(cfg, nil, nil)
|
||||
require.NoError(t, err)
|
||||
|
||||
err = p.LoadCert()
|
||||
err = p.LoadCertAll()
|
||||
require.NoError(t, err)
|
||||
|
||||
cert1, err := p.GetCert(&tls.ClientHelloInfo{ServerName: "foo.test.com"})
|
||||
@@ -392,7 +392,7 @@ func TestGetCertBySNI(t *testing.T) {
|
||||
p, err := autocert.NewProvider(cfg, nil, nil)
|
||||
require.NoError(t, err)
|
||||
|
||||
err = p.LoadCert()
|
||||
err = p.LoadCertAll()
|
||||
require.NoError(t, err)
|
||||
|
||||
cert1, err := p.GetCert(&tls.ClientHelloInfo{ServerName: "foo.example.com"})
|
||||
|
||||
@@ -12,6 +12,14 @@ import (
|
||||
)
|
||||
|
||||
func Stream(ctx context.Context, url *url.URL, timeout time.Duration) (types.HealthCheckResult, error) {
|
||||
if port := url.Port(); port == "" || port == "0" {
|
||||
return types.HealthCheckResult{
|
||||
Latency: 0,
|
||||
Healthy: false,
|
||||
Detail: "no port specified",
|
||||
}, nil
|
||||
}
|
||||
|
||||
dialer := net.Dialer{
|
||||
Timeout: timeout,
|
||||
FallbackDelay: -1,
|
||||
|
||||
@@ -254,7 +254,7 @@ func (r *Route) validate() gperr.Error {
|
||||
}
|
||||
|
||||
// return error if route is localhost:<godoxy_port> but route is not agent
|
||||
if !r.IsAgent() {
|
||||
if !r.IsAgent() && !r.ShouldExclude() {
|
||||
switch r.Host {
|
||||
case "localhost", "127.0.0.1":
|
||||
switch r.Port.Proxy {
|
||||
@@ -749,6 +749,7 @@ const (
|
||||
ExcludedReasonNoPortSpecified
|
||||
ExcludedReasonBlacklisted
|
||||
ExcludedReasonBuildx
|
||||
ExcludedReasonYAMLAnchor
|
||||
ExcludedReasonOld
|
||||
)
|
||||
|
||||
@@ -768,6 +769,8 @@ func (re ExcludedReason) String() string {
|
||||
return "Blacklisted (backend service or database)"
|
||||
case ExcludedReasonBuildx:
|
||||
return "Buildx"
|
||||
case ExcludedReasonYAMLAnchor:
|
||||
return "YAML anchor or reference"
|
||||
case ExcludedReasonOld:
|
||||
return "Container renaming intermediate state"
|
||||
default:
|
||||
@@ -802,6 +805,12 @@ func (r *Route) findExcludedReason() ExcludedReason {
|
||||
} else if r.IsZeroPort() && r.Scheme != route.SchemeFileServer {
|
||||
return ExcludedReasonNoPortSpecified
|
||||
}
|
||||
// this should happen on validation API only,
|
||||
// those routes are removed before validation.
|
||||
// see removeXPrefix in provider/file.go
|
||||
if strings.HasPrefix(r.Alias, "x-") { // for YAML anchors and references
|
||||
return ExcludedReasonYAMLAnchor
|
||||
}
|
||||
if strings.HasSuffix(r.Alias, "-old") {
|
||||
return ExcludedReasonOld
|
||||
}
|
||||
|
||||
@@ -49,5 +49,7 @@ COPY --from=builder /app/run /app/run
|
||||
|
||||
WORKDIR /app
|
||||
|
||||
LABEL proxy.#1.healthcheck.disable=true
|
||||
|
||||
ENV LISTEN_ADDR=0.0.0.0:2375
|
||||
CMD ["/app/run"]
|
||||
Reference in New Issue
Block a user