mirror of
https://github.com/caddyserver/caddy.git
synced 2025-06-04 22:25:31 -04:00
56 lines
1.4 KiB
Go
56 lines
1.4 KiB
Go
package letsencrypt
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"net"
|
|
"net/http"
|
|
"net/http/httputil"
|
|
"net/url"
|
|
"strings"
|
|
|
|
"github.com/mholt/caddy/middleware"
|
|
)
|
|
|
|
const challengeBasePath = "/.well-known/acme-challenge"
|
|
|
|
// Handler is a Caddy middleware that can proxy ACME challenge
|
|
// requests to the real ACME client endpoint. This is necessary
|
|
// to renew certificates while the server is running.
|
|
type Handler struct {
|
|
Next middleware.Handler
|
|
//ChallengeActive int32 // (TODO) use sync/atomic to set/get this flag safely and efficiently
|
|
}
|
|
|
|
// ServeHTTP is basically a no-op unless an ACME challenge is active on this host
|
|
// and the request path matches the expected path exactly.
|
|
func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error) {
|
|
// Proxy challenge requests to ACME client
|
|
// TODO: Only do this if a challenge is active?
|
|
if strings.HasPrefix(r.URL.Path, challengeBasePath) {
|
|
scheme := "http"
|
|
if r.TLS != nil {
|
|
scheme = "https"
|
|
}
|
|
|
|
hostname, _, err := net.SplitHostPort(r.URL.Host)
|
|
if err != nil {
|
|
hostname = r.URL.Host
|
|
}
|
|
|
|
upstream, err := url.Parse(scheme + "://" + hostname + ":" + alternatePort)
|
|
if err != nil {
|
|
return http.StatusInternalServerError, err
|
|
}
|
|
|
|
proxy := httputil.NewSingleHostReverseProxy(upstream)
|
|
proxy.Transport = &http.Transport{
|
|
TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // client would use self-signed cert
|
|
}
|
|
proxy.ServeHTTP(w, r)
|
|
|
|
return 0, nil
|
|
}
|
|
|
|
return h.Next.ServeHTTP(w, r)
|
|
}
|