feat(autocert): add DNS resolver options to Config and update provider initialization

compose.example.yml

@@ -28,6 +28,8 @@ services:
     env_file: .env
     user: ${GODOXY_UID:-1000}:${GODOXY_GID:-1000}
     read_only: true
+    tmpfs:
+      - /app/.next/cache # next image caching
     security_opt:
       - no-new-privileges:true
     cap_drop:

dev.compose.yml

@@ -11,11 +11,10 @@ services:
     env_file: dev.env
     environment:
       TZ: Asia/Hong_Kong
-      API_ADDR: :8999
+      API_ADDR: 127.0.0.1:8999
       API_USER: dev
       API_PASSWORD: 1234
       API_SKIP_ORIGIN_CHECK: true
-      API_JWT_SECURE: false
       API_JWT_TTL: 24h
       DEBUG: true
       API_SECRET: 1234567891234567

internal/api/types/error_code.go

@@ -1,17 +0,0 @@
-package apitypes
-
-type ErrorCode int
-
-const (
-	ErrorCodeUnauthorized ErrorCode = iota + 1
-	ErrorCodeNotFound
-	ErrorCodeInternalServerError
-)
-
-func (e ErrorCode) String() string {
-	return []string{
-		"Unauthorized",
-		"Not Found",
-		"Internal Server Error",
-	}[e]
-}

internal/api/v1/auth/check.go

@@ -5,14 +5,14 @@ import (
 	"github.com/yusing/go-proxy/internal/auth"
 )
 
-// @x-id				"check"
+// @x-id	  	"check"
 // @Base			/api/v1
 // @Summary		Check authentication status
 // @Description	Checks if the user is authenticated by validating their token
 // @Tags			auth
 // @Produce		plain
 // @Success		200	{string}	string	"OK"
-// @Failure		403	{string}	string	"Forbidden: use X-Redirect-To header to redirect to login page"
+// @Failure		302	{string}	string	"Redirects to login page or IdP"
 // @Router			/auth/check [head]
 func Check(c *gin.Context) {
 	auth.AuthCheckHandler(c.Writer, c.Request)

internal/api/v1/auth/login.go

@@ -12,7 +12,6 @@ import (
 // @Tags       auth
 // @Produce    plain
 // @Success    302 {string} string "Redirects to login page or IdP"
-// @Failure    403 {string} string "Forbidden(webui): follow X-Redirect-To header"
 // @Failure    429 {string} string "Too Many Requests"
 // @Router     /auth/login [post]
 func Login(c *gin.Context) {

internal/api/v1/docs/swagger.json

@@ -239,8 +239,8 @@
               "type": "string"
             }
           },
-          "403": {
-            "description": "Forbidden: use X-Redirect-To header to redirect to login page",
+          "302": {
+            "description": "Redirects to login page or IdP",
             "schema": {
               "type": "string"
             }
@@ -267,12 +267,6 @@
               "type": "string"
             }
           },
-          "403": {
-            "description": "Forbidden(webui): follow X-Redirect-To header",
-            "schema": {
-              "type": "string"
-            }
-          },
           "429": {
             "description": "Too Many Requests",
             "schema": {

internal/api/v1/docs/swagger.yaml

@@ -1581,8 +1581,8 @@ paths:
           description: OK
           schema:
             type: string
-        "403":
-          description: 'Forbidden: use X-Redirect-To header to redirect to login page'
+        "302":
+          description: Redirects to login page or IdP
           schema:
             type: string
       summary: Check authentication status
@@ -1600,10 +1600,6 @@ paths:
           description: Redirects to login page or IdP
           schema:
             type: string
-        "403":
-          description: 'Forbidden(webui): follow X-Redirect-To header'
-          schema:
-            type: string
         "429":
           description: Too Many Requests
           schema:

internal/auth/userpass.go

@@ -129,8 +129,7 @@ func (auth *UserPassAuth) PostAuthCallbackHandler(w http.ResponseWriter, r *http
 }
 
 func (auth *UserPassAuth) LoginHandler(w http.ResponseWriter, r *http.Request) {
-	w.Header().Set("X-Redirect-To", "/login")
-	w.WriteHeader(http.StatusForbidden)
+	http.Redirect(w, r, "/login", http.StatusFound)
 }
 
 func (auth *UserPassAuth) LogoutHandler(w http.ResponseWriter, r *http.Request) {

internal/autocert/config.go

@@ -11,6 +11,7 @@ import (
 
 	"github.com/go-acme/lego/v4/certcrypto"
 	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v4/challenge/dns01"
 	"github.com/go-acme/lego/v4/lego"
 	"github.com/rs/zerolog/log"
 	"github.com/yusing/go-proxy/internal/common"
@@ -27,6 +28,8 @@ type Config struct {
 	Provider    string         `json:"provider,omitempty"`
 	Options     map[string]any `json:"options,omitempty"`
 
+	Resolvers []string `json:"resolvers,omitempty"`
+
 	// Custom ACME CA
 	CADirURL string   `json:"ca_dir_url,omitempty"`
 	CACerts  []string `json:"ca_certs,omitempty"`
@@ -111,6 +114,12 @@ func (cfg *Config) Validate() gperr.Error {
 	return b.Error()
 }
 
+func (cfg *Config) dns01Options() []dns01.ChallengeOption {
+	return []dns01.ChallengeOption{
+		dns01.CondOption(len(cfg.Resolvers) > 0, dns01.AddRecursiveNameservers(cfg.Resolvers)),
+	}
+}
+
 func (cfg *Config) GetLegoConfig() (*User, *lego.Config, gperr.Error) {
 	if err := cfg.Validate(); err != nil {
 		return nil, nil, err

internal/autocert/provider.go

@@ -286,7 +286,7 @@ func (p *Provider) initClient() error {
 		return err
 	}
 
-	err = legoClient.Challenge.SetDNS01Provider(p.cfg.challengeProvider)
+	err = legoClient.Challenge.SetDNS01Provider(p.cfg.challengeProvider, p.cfg.dns01Options()...)
 	if err != nil {
 		return err
 	}

rootless-compose.example.yml

@@ -26,6 +26,8 @@ services:
     restart: unless-stopped
     env_file: .env
     read_only: true
+    tmpfs:
+      - /app/.next/cache # next image caching
     security_opt:
       - no-new-privileges:true
     cap_drop: