Use secure TLS configuration for autocert server
This change lets Miniflux use the same secure TLS configuration options when using Let's Encrypt / Autocert as when using a manually specified certificate. It raises the server’s SSL Labs score from a B to an A+ with LetsEncrypt.
This commit is contained in:
parent
086b985383
commit
54602b55bb
1 changed files with 31 additions and 26 deletions
|
@ -96,33 +96,10 @@ func startUnixSocketServer(server *http.Server, socketFile string) {
|
||||||
}(socketFile)
|
}(socketFile)
|
||||||
}
|
}
|
||||||
|
|
||||||
func startAutoCertTLSServer(server *http.Server, certDomain, certCache string) {
|
func tlsConfig() *tls.Config {
|
||||||
server.Addr = ":https"
|
|
||||||
certManager := autocert.Manager{
|
|
||||||
Cache: autocert.DirCache(certCache),
|
|
||||||
Prompt: autocert.AcceptTOS,
|
|
||||||
HostPolicy: autocert.HostWhitelist(certDomain),
|
|
||||||
}
|
|
||||||
|
|
||||||
// Handle http-01 challenge.
|
|
||||||
s := &http.Server{
|
|
||||||
Handler: certManager.HTTPHandler(nil),
|
|
||||||
Addr: ":http",
|
|
||||||
}
|
|
||||||
go s.ListenAndServe()
|
|
||||||
|
|
||||||
go func() {
|
|
||||||
logger.Info(`Listening on %q by using auto-configured certificate for %q`, server.Addr, certDomain)
|
|
||||||
if err := server.Serve(certManager.Listener()); err != http.ErrServerClosed {
|
|
||||||
logger.Fatal(`Server failed to start: %v`, err)
|
|
||||||
}
|
|
||||||
}()
|
|
||||||
}
|
|
||||||
|
|
||||||
func startTLSServer(server *http.Server, certFile, keyFile string) {
|
|
||||||
// See https://blog.cloudflare.com/exposing-go-on-the-internet/
|
// See https://blog.cloudflare.com/exposing-go-on-the-internet/
|
||||||
// And https://wiki.mozilla.org/Security/Server_Side_TLS
|
// And https://wikia.mozilla.org/Security/Server_Side_TLS
|
||||||
server.TLSConfig = &tls.Config{
|
return &tls.Config{
|
||||||
MinVersion: tls.VersionTLS12,
|
MinVersion: tls.VersionTLS12,
|
||||||
PreferServerCipherSuites: true,
|
PreferServerCipherSuites: true,
|
||||||
CurvePreferences: []tls.CurveID{
|
CurvePreferences: []tls.CurveID{
|
||||||
|
@ -138,7 +115,35 @@ func startTLSServer(server *http.Server, certFile, keyFile string) {
|
||||||
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func startAutoCertTLSServer(server *http.Server, certDomain, certCache string) {
|
||||||
|
server.Addr = ":https"
|
||||||
|
certManager := autocert.Manager{
|
||||||
|
Cache: autocert.DirCache(certCache),
|
||||||
|
Prompt: autocert.AcceptTOS,
|
||||||
|
HostPolicy: autocert.HostWhitelist(certDomain),
|
||||||
|
}
|
||||||
|
server.TLSConfig = tlsConfig()
|
||||||
|
server.TLSConfig.GetCertificate = certManager.GetCertificate
|
||||||
|
|
||||||
|
// Handle http-01 challenge.
|
||||||
|
s := &http.Server{
|
||||||
|
Handler: certManager.HTTPHandler(nil),
|
||||||
|
Addr: ":http",
|
||||||
|
}
|
||||||
|
go s.ListenAndServe()
|
||||||
|
|
||||||
|
go func() {
|
||||||
|
logger.Info(`Listening on %q by using auto-configured certificate for %q`, server.Addr, certDomain)
|
||||||
|
if err := server.ListenAndServeTLS("", ""); err != http.ErrServerClosed {
|
||||||
|
logger.Fatal(`Server failed to start: %v`, err)
|
||||||
|
}
|
||||||
|
}()
|
||||||
|
}
|
||||||
|
|
||||||
|
func startTLSServer(server *http.Server, certFile, keyFile string) {
|
||||||
|
server.TLSConfig = tlsConfig()
|
||||||
go func() {
|
go func() {
|
||||||
logger.Info(`Listening on %q by using certificate %q and key %q`, server.Addr, certFile, keyFile)
|
logger.Info(`Listening on %q by using certificate %q and key %q`, server.Addr, certFile, keyFile)
|
||||||
if err := server.ListenAndServeTLS(certFile, keyFile); err != http.ErrServerClosed {
|
if err := server.ListenAndServeTLS(certFile, keyFile); err != http.ErrServerClosed {
|
||||||
|
|
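Review bot: Setting only `GetCertificate` on the hardened config leaves the autocert server without the ALPN protocol the ACME TLS-ALPN-01 challenge needs, since the `tls.Config` returned by `tlsConfig()` shows no `NextProtos` in this hunk (the struct literal is cut between `CurvePreferences` and `CipherSuites`, so a field there is possible but not visible); issuance and renewal then rest entirely on the `:http` listener, whose `go s.ListenAndServe()` error is discarded, so a blocked port 80 fails renewal silently. Keeping the ACME-side settings from the manager while overlaying the hardening is three lines: `server.TLSConfig = tlsConfig()`, `acmeCfg := certManager.TLSConfig()`, `server.TLSConfig.GetCertificate, server.TLSConfig.NextProtos = acmeCfg.GetCertificate, acmeCfg.NextProtos` (whether the vendored autocert provides `TLSConfig()` depends on its version, which is not shown). Separately, the relocated comment in `tlsConfig()` changes the reference URL to `wikia.mozilla.org`, while the removed line had `https://wiki.mozilla.org/Security/Server_Side_TLS`; the old URL should be restored. `tlsConfig` also lacks a doc comment; `// tlsConfig returns the hardened TLS settings shared by the manual-certificate and autocert servers; callers receive a fresh value and may set GetCertificate on it.` would cover why mutating the result in startAutoCertTLSServer is safe.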