Merge pull request #44 from suborbital/connor/tls-options

cohix · web-flow · commit ca8142d8af4d · 2021-05-03T08:45:14.000-04:00
Add TLS config and port options
diff --git a/docs/README.md b/docs/README.md
@@ -36,6 +36,8 @@ The included `OptionsModifiers` are:
 Option | Description | ENV key
 --- | --- | ---
 UseDomain(domain string) | Enable LetsEncrypt support with the provided domain name (will serve on :80 and :443 for challenge server and API server). LetsEncrypt is disabled by default. | `VK_DOMAIN`
+UseTLSConfig(config *tls.Config) | Enable TLS and use the provided TLS config to serve HTTPS. This will override the `domain` option. | N/A
+UseTLSPort(port int) | Choose an HTTPS port on which to serve requests. | `VK_TLS_PORT`
 UseHTTPPort(port int) | Choose an HTTP port on which to serve requests. When using TLS, the LetsEncrypt challenge server will run on the configured HTTP port. | `VK_HTTP_PORT`
 UseAppName(name string) | When the application starts, `name` will be logged. Empty by default. | `VK_APP_NAME`
 UseEnvPrefix(prefix string) | Use `prefix` instead of `VK` for environment variables, for example `APP_HTTP_PORT` instead of `VK_HTTP_PORT`. | N/A
diff --git a/vk/optionmodifiers.go b/vk/optionmodifiers.go
@@ -1,6 +1,8 @@
 package vk
 
 import (
+	"crypto/tls"
+
 	"github.com/suborbital/vektor/vlog"
 )
 
@@ -14,6 +16,21 @@ func UseDomain(domain string) OptionsModifier {
 	}
 }
 
+// UseTLSConfig sets a TLS config that will be used for HTTPS
+// This will take precedence over the Domain option in all cases
+func UseTLSConfig(config *tls.Config) OptionsModifier {
+	return func(o *Options) {
+		o.TLSConfig = config
+	}
+}
+
+// UseTLSPort sets the HTTPS port to be used:
+func UseTLSPort(port int) OptionsModifier {
+	return func(o *Options) {
+		o.TLSPort = port
+	}
+}
+
 // UseHTTPPort sets the HTTP port to be used:
 // If domain is set, HTTP port will be used for LetsEncrypt challenge server
 // If domain is NOT set, this option will put VK in insecure HTTP mode
diff --git a/vk/options.go b/vk/options.go
@@ -2,6 +2,7 @@ package vk
 
 import (
 	"context"
+	"crypto/tls"
 
 	"github.com/pkg/errors"
 	"github.com/sethvargo/go-envconfig"
@@ -10,10 +11,12 @@ import (
 
 // Options are the available options for Server
 type Options struct {
-	AppName   string `env:"_APP_NAME"`
-	Domain    string `env:"_DOMAIN"`
-	HTTPPort  int    `env:"_HTTP_PORT"`
-	EnvPrefix string `env:"-"`
+	AppName   string      `env:"_APP_NAME"`
+	Domain    string      `env:"_DOMAIN"`
+	HTTPPort  int         `env:"_HTTP_PORT"`
+	TLSPort   int         `env:"_TLS_PORT"`
+	TLSConfig *tls.Config `env:"-"`
+	EnvPrefix string      `env:"-"`
 	Logger    *vlog.Logger
 }
 
@@ -35,9 +38,9 @@ func newOptsWithModifiers(mods ...OptionsModifier) *Options {
 	return options
 }
 
-// ShouldUseTLS returns true if domain is set and TLS should be used
+// ShouldUseTLS returns true if domain is set and/or TLS is configured
 func (o *Options) ShouldUseTLS() bool {
-	return o.Domain != ""
+	return o.Domain != "" || o.TLSConfig != nil
 }
 
 // HTTPPortSet returns true if the HTTP port is set
@@ -77,4 +80,8 @@ func (o *Options) replaceFieldsIfNeeded(replacement *Options) {
 	if replacement.HTTPPort != 0 {
 		o.HTTPPort = replacement.HTTPPort
 	}
+
+	if replacement.TLSPort != 0 {
+		o.TLSPort = replacement.TLSPort
+	}
 }
diff --git a/vk/server.go b/vk/server.go
@@ -63,28 +63,41 @@ func createGoServer(options *Options, handler http.Handler) *http.Server {
 }
 
 func goTLSServerWithDomain(options *Options, handler http.Handler) *http.Server {
-	if options.Domain != "" {
+	if options.TLSConfig != nil {
+		options.Logger.Info("configured for HTTPS with custom configuration")
+	} else if options.Domain != "" {
 		options.Logger.Info("configured for HTTPS using domain", options.Domain)
 	}
 
-	m := &autocert.Manager{
-		Cache:      autocert.DirCache("~/.autocert"),
-		Prompt:     autocert.AcceptTOS,
-		HostPolicy: autocert.HostWhitelist(options.Domain),
-	}
+	tlsConfig := options.TLSConfig
 
-	addr := fmt.Sprintf(":%d", options.HTTPPort)
-	if options.HTTPPort == 0 {
-		addr = ":8080"
-	}
+	if tlsConfig == nil {
+		m := &autocert.Manager{
+			Cache:      autocert.DirCache("~/.autocert"),
+			Prompt:     autocert.AcceptTOS,
+			HostPolicy: autocert.HostWhitelist(options.Domain),
+		}
+
+		addr := fmt.Sprintf(":%d", options.HTTPPort)
+		if options.HTTPPort == 0 {
+			addr = ":8080"
+		}
+
+		options.Logger.Info("serving TLS challenges on", addr)
 
-	options.Logger.Info("serving TLS challenges on", addr)
+		go http.ListenAndServe(addr, m.HTTPHandler(nil))
 
-	go http.ListenAndServe(addr, m.HTTPHandler(nil))
+		tlsConfig = &tls.Config{GetCertificate: m.GetCertificate}
+	}
+
+	addr := fmt.Sprintf(":%d", options.TLSPort)
+	if options.TLSPort == 0 {
+		addr = ":443"
+	}
 
 	s := &http.Server{
-		Addr:      ":443",
-		TLSConfig: &tls.Config{GetCertificate: m.GetCertificate},
+		Addr:      addr,
+		TLSConfig: tlsConfig,
 		Handler:   handler,
 	}
 
