140 lines
3.8 KiB
Go
140 lines
3.8 KiB
Go
package main
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"encoding/base64"
|
|
"encoding/pem"
|
|
"fmt"
|
|
"io/ioutil"
|
|
"net/http"
|
|
"os"
|
|
"os/signal"
|
|
"strings"
|
|
"syscall"
|
|
"time"
|
|
|
|
"github.com/BurntSushi/toml"
|
|
"github.com/gorilla/csrf"
|
|
"github.com/nicksnyder/go-i18n/v2/i18n"
|
|
log "github.com/sirupsen/logrus"
|
|
"golang.org/x/text/language"
|
|
|
|
"git.dittberner.info/jan/browser_csr_generation/handlers"
|
|
)
|
|
|
|
func main() {
|
|
tlsConfig := &tls.Config{
|
|
CipherSuites: []uint16{
|
|
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
|
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
|
|
},
|
|
NextProtos: []string{"h2"},
|
|
PreferServerCipherSuites: true,
|
|
MinVersion: tls.VersionTLS12,
|
|
}
|
|
|
|
bundle := loadI18nBundle()
|
|
mux := http.NewServeMux()
|
|
|
|
csrfKey := initCSRFKey()
|
|
|
|
signingRequestRegistry := handlers.NewSigningRequestRegistry(loadCACertificates())
|
|
mux.Handle("/sign/", handlers.NewCertificateSigningHandler(signingRequestRegistry))
|
|
mux.Handle("/", handlers.NewIndexHandler(bundle))
|
|
fileServer := http.FileServer(http.Dir("./public"))
|
|
mux.Handle("/css/", fileServer)
|
|
mux.Handle("/js/", fileServer)
|
|
mux.Handle("/locales/", handlers.NewJSLocalesHandler(bundle))
|
|
mux.Handle("/ws/", handlers.NewWebSocketHandler(signingRequestRegistry))
|
|
server := http.Server{
|
|
Addr: ":8000",
|
|
Handler: csrf.Protect(csrfKey, csrf.FieldName("csrfToken"), csrf.RequestHeader("X-CSRF-Token"))(mux),
|
|
TLSConfig: tlsConfig,
|
|
ReadTimeout: 20 * time.Second,
|
|
ReadHeaderTimeout: 5 * time.Second,
|
|
WriteTimeout: 30 * time.Second,
|
|
IdleTimeout: 30 * time.Second,
|
|
}
|
|
go func() {
|
|
err := server.ListenAndServeTLS("server.crt.pem", "server.key.pem")
|
|
if err != nil {
|
|
log.Fatal(err)
|
|
}
|
|
}()
|
|
var hostPort string
|
|
if strings.HasPrefix(server.Addr, ":") {
|
|
hostPort = fmt.Sprintf("localhost%s", server.Addr)
|
|
} else {
|
|
hostPort = server.Addr
|
|
}
|
|
log.Infof("started web server on https://%s/", hostPort)
|
|
c := make(chan os.Signal, 1)
|
|
signal.Notify(c, os.Interrupt, syscall.SIGTERM)
|
|
s := <-c
|
|
log.Infof("received %s, shutting down", s)
|
|
_ = server.Close()
|
|
}
|
|
|
|
func loadI18nBundle() *i18n.Bundle {
|
|
bundle := i18n.NewBundle(language.English)
|
|
bundle.RegisterUnmarshalFunc("toml", toml.Unmarshal)
|
|
for _, lang := range []string{"en-US", "de-DE"} {
|
|
if _, err := bundle.LoadMessageFile(fmt.Sprintf("active.%s.toml", lang)); err != nil {
|
|
log.Panic(err)
|
|
}
|
|
}
|
|
return bundle
|
|
}
|
|
|
|
func initCSRFKey() []byte {
|
|
var csrfKey []byte = nil
|
|
|
|
if csrfB64, exists := os.LookupEnv("CSRF_KEY"); exists {
|
|
csrfKey, _ = base64.RawStdEncoding.DecodeString(csrfB64)
|
|
log.Info("read CSRF key from environment variable")
|
|
}
|
|
if csrfKey == nil {
|
|
csrfKey = generateRandomBytes(32)
|
|
log.Infof(
|
|
"generated new random CSRF key, set environment variable CSRF_KEY to %s to "+
|
|
"keep the same key for new sessions",
|
|
base64.RawStdEncoding.EncodeToString(csrfKey))
|
|
}
|
|
return csrfKey
|
|
}
|
|
|
|
func generateRandomBytes(count int) []byte {
|
|
randomBytes := make([]byte, count)
|
|
|
|
_, err := rand.Read(randomBytes)
|
|
if err != nil {
|
|
log.Fatalf("could not read random bytes: %v", err)
|
|
return nil
|
|
}
|
|
|
|
return randomBytes
|
|
}
|
|
|
|
func loadCACertificates() (caCertificates []*x509.Certificate) {
|
|
var err error
|
|
caCertificates = make([]*x509.Certificate, 2)
|
|
for index, certFile := range []string{"example_ca/sub/ca.crt.pem", "example_ca/root/ca.crt.pem"} {
|
|
var certBytes []byte
|
|
if certBytes, err = ioutil.ReadFile(certFile); err != nil {
|
|
log.Panic(err)
|
|
}
|
|
var block *pem.Block
|
|
if block, _ = pem.Decode(certBytes); block == nil {
|
|
log.Panicf("no PEM data found in %s", certFile)
|
|
return
|
|
}
|
|
if caCertificates[index], err = x509.ParseCertificate(block.Bytes); err != nil {
|
|
log.Panic(err)
|
|
}
|
|
}
|
|
log.Infof("read %d CA certificates", len(caCertificates))
|
|
return
|
|
}
|