Add Host cert ACME generation
Signed-off-by: Emile Vauge <emile@vauge.com>
This commit is contained in:
parent
f1c3d820f7
commit
5e01c0a7db
6 changed files with 182 additions and 52 deletions
108
acme/acme.go
108
acme/acme.go
|
@ -166,9 +166,12 @@ type ACME struct {
|
||||||
Domains []Domain `description:"SANs (alternative domains) to each main domain using format: --acme.domains='main.com,san1.com,san2.com' --acme.domains='main.net,san1.net,san2.net'"`
|
Domains []Domain `description:"SANs (alternative domains) to each main domain using format: --acme.domains='main.com,san1.com,san2.com' --acme.domains='main.net,san1.net,san2.net'"`
|
||||||
StorageFile string `description:"File used for certificates storage."`
|
StorageFile string `description:"File used for certificates storage."`
|
||||||
OnDemand bool `description:"Enable on demand certificate. This will request a certificate from Let's Encrypt during the first TLS handshake for a hostname that does not yet have a certificate."`
|
OnDemand bool `description:"Enable on demand certificate. This will request a certificate from Let's Encrypt during the first TLS handshake for a hostname that does not yet have a certificate."`
|
||||||
|
OnHostRule bool `description:"Enable certificate generation on frontends Host rules."`
|
||||||
CAServer string `description:"CA server to use."`
|
CAServer string `description:"CA server to use."`
|
||||||
EntryPoint string `description:"Entrypoint to proxy acme challenge to."`
|
EntryPoint string `description:"Entrypoint to proxy acme challenge to."`
|
||||||
storageLock sync.RWMutex
|
storageLock sync.RWMutex
|
||||||
|
client *acme.Client
|
||||||
|
account *Account
|
||||||
}
|
}
|
||||||
|
|
||||||
//Domains parse []Domain
|
//Domains parse []Domain
|
||||||
|
@ -229,14 +232,14 @@ func (a *ACME) CreateConfig(tlsConfig *tls.Config, CheckOnDemandDomain func(doma
|
||||||
}
|
}
|
||||||
tlsConfig.Certificates = append(tlsConfig.Certificates, *cert)
|
tlsConfig.Certificates = append(tlsConfig.Certificates, *cert)
|
||||||
}
|
}
|
||||||
var account *Account
|
|
||||||
var needRegister bool
|
var needRegister bool
|
||||||
|
var err error
|
||||||
|
|
||||||
// if certificates in storage, load them
|
// if certificates in storage, load them
|
||||||
if fileInfo, err := os.Stat(a.StorageFile); err == nil && fileInfo.Size() != 0 {
|
if fileInfo, err := os.Stat(a.StorageFile); err == nil && fileInfo.Size() != 0 {
|
||||||
log.Infof("Loading ACME certificates...")
|
log.Infof("Loading ACME certificates...")
|
||||||
// load account
|
// load account
|
||||||
account, err = a.loadAccount(a)
|
a.account, err = a.loadAccount(a)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -247,42 +250,42 @@ func (a *ACME) CreateConfig(tlsConfig *tls.Config, CheckOnDemandDomain func(doma
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
account = &Account{
|
a.account = &Account{
|
||||||
Email: a.Email,
|
Email: a.Email,
|
||||||
PrivateKey: x509.MarshalPKCS1PrivateKey(privateKey),
|
PrivateKey: x509.MarshalPKCS1PrivateKey(privateKey),
|
||||||
}
|
}
|
||||||
account.DomainsCertificate = DomainsCertificates{Certs: []*DomainsCertificate{}, lock: &sync.RWMutex{}}
|
a.account.DomainsCertificate = DomainsCertificates{Certs: []*DomainsCertificate{}, lock: &sync.RWMutex{}}
|
||||||
needRegister = true
|
needRegister = true
|
||||||
}
|
}
|
||||||
|
|
||||||
client, err := a.buildACMEClient(account)
|
a.client, err = a.buildACMEClient()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
client.ExcludeChallenges([]acme.Challenge{acme.HTTP01, acme.DNS01})
|
a.client.ExcludeChallenges([]acme.Challenge{acme.HTTP01, acme.DNS01})
|
||||||
wrapperChallengeProvider := newWrapperChallengeProvider()
|
wrapperChallengeProvider := newWrapperChallengeProvider()
|
||||||
client.SetChallengeProvider(acme.TLSSNI01, wrapperChallengeProvider)
|
a.client.SetChallengeProvider(acme.TLSSNI01, wrapperChallengeProvider)
|
||||||
|
|
||||||
if needRegister {
|
if needRegister {
|
||||||
// New users will need to register; be sure to save it
|
// New users will need to register; be sure to save it
|
||||||
reg, err := client.Register()
|
reg, err := a.client.Register()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
account.Registration = reg
|
a.account.Registration = reg
|
||||||
}
|
}
|
||||||
|
|
||||||
// The client has a URL to the current Let's Encrypt Subscriber
|
// The client has a URL to the current Let's Encrypt Subscriber
|
||||||
// Agreement. The user will need to agree to it.
|
// Agreement. The user will need to agree to it.
|
||||||
err = client.AgreeToTOS()
|
err = a.client.AgreeToTOS()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
safe.Go(func() {
|
safe.Go(func() {
|
||||||
a.retrieveCertificates(client, account)
|
a.retrieveCertificates(a.client)
|
||||||
if err := a.renewCertificates(client, account); err != nil {
|
if err := a.renewCertificates(a.client); err != nil {
|
||||||
log.Errorf("Error renewing ACME certificate %+v: %s", account, err.Error())
|
log.Errorf("Error renewing ACME certificate %+v: %s", a.account, err.Error())
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
|
||||||
|
@ -290,14 +293,14 @@ func (a *ACME) CreateConfig(tlsConfig *tls.Config, CheckOnDemandDomain func(doma
|
||||||
if challengeCert, ok := wrapperChallengeProvider.getCertificate(clientHello.ServerName); ok {
|
if challengeCert, ok := wrapperChallengeProvider.getCertificate(clientHello.ServerName); ok {
|
||||||
return challengeCert, nil
|
return challengeCert, nil
|
||||||
}
|
}
|
||||||
if domainCert, ok := account.DomainsCertificate.getCertificateForDomain(clientHello.ServerName); ok {
|
if domainCert, ok := a.account.DomainsCertificate.getCertificateForDomain(clientHello.ServerName); ok {
|
||||||
return domainCert.tlsCert, nil
|
return domainCert.tlsCert, nil
|
||||||
}
|
}
|
||||||
if a.OnDemand {
|
if a.OnDemand {
|
||||||
if CheckOnDemandDomain != nil && !CheckOnDemandDomain(clientHello.ServerName) {
|
if CheckOnDemandDomain != nil && !CheckOnDemandDomain(clientHello.ServerName) {
|
||||||
return nil, nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
return a.loadCertificateOnDemand(client, account, clientHello)
|
return a.loadCertificateOnDemand(clientHello)
|
||||||
}
|
}
|
||||||
return nil, nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
|
@ -307,8 +310,8 @@ func (a *ACME) CreateConfig(tlsConfig *tls.Config, CheckOnDemandDomain func(doma
|
||||||
for {
|
for {
|
||||||
select {
|
select {
|
||||||
case <-ticker.C:
|
case <-ticker.C:
|
||||||
if err := a.renewCertificates(client, account); err != nil {
|
if err := a.renewCertificates(a.client); err != nil {
|
||||||
log.Errorf("Error renewing ACME certificate %+v: %s", account, err.Error())
|
log.Errorf("Error renewing ACME certificate %+v: %s", a.account, err.Error())
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -317,11 +320,11 @@ func (a *ACME) CreateConfig(tlsConfig *tls.Config, CheckOnDemandDomain func(doma
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (a *ACME) retrieveCertificates(client *acme.Client, account *Account) {
|
func (a *ACME) retrieveCertificates(client *acme.Client) {
|
||||||
log.Infof("Retrieving ACME certificates...")
|
log.Infof("Retrieving ACME certificates...")
|
||||||
for _, domain := range a.Domains {
|
for _, domain := range a.Domains {
|
||||||
// check if cert isn't already loaded
|
// check if cert isn't already loaded
|
||||||
if _, exists := account.DomainsCertificate.exists(domain); !exists {
|
if _, exists := a.account.DomainsCertificate.exists(domain); !exists {
|
||||||
domains := []string{}
|
domains := []string{}
|
||||||
domains = append(domains, domain.Main)
|
domains = append(domains, domain.Main)
|
||||||
domains = append(domains, domain.SANs...)
|
domains = append(domains, domain.SANs...)
|
||||||
|
@ -330,13 +333,13 @@ func (a *ACME) retrieveCertificates(client *acme.Client, account *Account) {
|
||||||
log.Errorf("Error getting ACME certificate for domain %s: %s", domains, err.Error())
|
log.Errorf("Error getting ACME certificate for domain %s: %s", domains, err.Error())
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
_, err = account.DomainsCertificate.addCertificateForDomains(certificateResource, domain)
|
_, err = a.account.DomainsCertificate.addCertificateForDomains(certificateResource, domain)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Errorf("Error adding ACME certificate for domain %s: %s", domains, err.Error())
|
log.Errorf("Error adding ACME certificate for domain %s: %s", domains, err.Error())
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
if err = a.saveAccount(account); err != nil {
|
if err = a.saveAccount(); err != nil {
|
||||||
log.Errorf("Error Saving ACME account %+v: %s", account, err.Error())
|
log.Errorf("Error Saving ACME account %+v: %s", a.account, err.Error())
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -344,9 +347,9 @@ func (a *ACME) retrieveCertificates(client *acme.Client, account *Account) {
|
||||||
log.Infof("Retrieved ACME certificates")
|
log.Infof("Retrieved ACME certificates")
|
||||||
}
|
}
|
||||||
|
|
||||||
func (a *ACME) renewCertificates(client *acme.Client, account *Account) error {
|
func (a *ACME) renewCertificates(client *acme.Client) error {
|
||||||
log.Debugf("Testing certificate renew...")
|
log.Debugf("Testing certificate renew...")
|
||||||
for _, certificateResource := range account.DomainsCertificate.Certs {
|
for _, certificateResource := range a.account.DomainsCertificate.Certs {
|
||||||
if certificateResource.needRenew() {
|
if certificateResource.needRenew() {
|
||||||
log.Debugf("Renewing certificate %+v", certificateResource.Domains)
|
log.Debugf("Renewing certificate %+v", certificateResource.Domains)
|
||||||
renewedCert, err := client.RenewCertificate(acme.CertificateResource{
|
renewedCert, err := client.RenewCertificate(acme.CertificateResource{
|
||||||
|
@ -368,12 +371,12 @@ func (a *ACME) renewCertificates(client *acme.Client, account *Account) error {
|
||||||
PrivateKey: renewedCert.PrivateKey,
|
PrivateKey: renewedCert.PrivateKey,
|
||||||
Certificate: renewedCert.Certificate,
|
Certificate: renewedCert.Certificate,
|
||||||
}
|
}
|
||||||
err = account.DomainsCertificate.renewCertificates(renewedACMECert, certificateResource.Domains)
|
err = a.account.DomainsCertificate.renewCertificates(renewedACMECert, certificateResource.Domains)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Errorf("Error renewing certificate: %v", err)
|
log.Errorf("Error renewing certificate: %v", err)
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
if err = a.saveAccount(account); err != nil {
|
if err = a.saveAccount(); err != nil {
|
||||||
log.Errorf("Error saving ACME account: %v", err)
|
log.Errorf("Error saving ACME account: %v", err)
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
@ -382,12 +385,12 @@ func (a *ACME) renewCertificates(client *acme.Client, account *Account) error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (a *ACME) buildACMEClient(Account *Account) (*acme.Client, error) {
|
func (a *ACME) buildACMEClient() (*acme.Client, error) {
|
||||||
caServer := "https://acme-v01.api.letsencrypt.org/directory"
|
caServer := "https://acme-v01.api.letsencrypt.org/directory"
|
||||||
if len(a.CAServer) > 0 {
|
if len(a.CAServer) > 0 {
|
||||||
caServer = a.CAServer
|
caServer = a.CAServer
|
||||||
}
|
}
|
||||||
client, err := acme.NewClient(caServer, Account, acme.RSA4096)
|
client, err := acme.NewClient(caServer, a.account, acme.RSA4096)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
@ -395,25 +398,60 @@ func (a *ACME) buildACMEClient(Account *Account) (*acme.Client, error) {
|
||||||
return client, nil
|
return client, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (a *ACME) loadCertificateOnDemand(client *acme.Client, Account *Account, clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
func (a *ACME) loadCertificateOnDemand(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
||||||
if certificateResource, ok := Account.DomainsCertificate.getCertificateForDomain(clientHello.ServerName); ok {
|
if certificateResource, ok := a.account.DomainsCertificate.getCertificateForDomain(clientHello.ServerName); ok {
|
||||||
return certificateResource.tlsCert, nil
|
return certificateResource.tlsCert, nil
|
||||||
}
|
}
|
||||||
Certificate, err := a.getDomainsCertificates(client, []string{clientHello.ServerName})
|
certificate, err := a.getDomainsCertificates(a.client, []string{clientHello.ServerName})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
log.Debugf("Got certificate on demand for domain %s", clientHello.ServerName)
|
log.Debugf("Got certificate on demand for domain %s", clientHello.ServerName)
|
||||||
cert, err := Account.DomainsCertificate.addCertificateForDomains(Certificate, Domain{Main: clientHello.ServerName})
|
cert, err := a.account.DomainsCertificate.addCertificateForDomains(certificate, Domain{Main: clientHello.ServerName})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
if err = a.saveAccount(Account); err != nil {
|
if err = a.saveAccount(); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
return cert.tlsCert, nil
|
return cert.tlsCert, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// LoadCertificateForDomains loads certificates from ACME for given domains
|
||||||
|
func (a *ACME) LoadCertificateForDomains(domains []string) {
|
||||||
|
safe.Go(func() {
|
||||||
|
var domain Domain
|
||||||
|
if len(domains) == 0 {
|
||||||
|
// no domain
|
||||||
|
return
|
||||||
|
|
||||||
|
} else if len(domains) > 1 {
|
||||||
|
domain = Domain{Main: domains[0], SANs: domains[1:]}
|
||||||
|
} else {
|
||||||
|
domain = Domain{Main: domains[0]}
|
||||||
|
}
|
||||||
|
if _, exists := a.account.DomainsCertificate.exists(domain); exists {
|
||||||
|
// domain already exists
|
||||||
|
return
|
||||||
|
}
|
||||||
|
certificate, err := a.getDomainsCertificates(a.client, domains)
|
||||||
|
if err != nil {
|
||||||
|
log.Errorf("Error getting ACME certificates %+v : %v", domains, err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
log.Debugf("Got certificate for domains %+v", domains)
|
||||||
|
_, err = a.account.DomainsCertificate.addCertificateForDomains(certificate, domain)
|
||||||
|
if err != nil {
|
||||||
|
log.Errorf("Error adding ACME certificates %+v : %v", domains, err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if err = a.saveAccount(); err != nil {
|
||||||
|
log.Errorf("Error Saving ACME account %+v: %v", a.account, err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
func (a *ACME) loadAccount(acmeConfig *ACME) (*Account, error) {
|
func (a *ACME) loadAccount(acmeConfig *ACME) (*Account, error) {
|
||||||
a.storageLock.RLock()
|
a.storageLock.RLock()
|
||||||
defer a.storageLock.RUnlock()
|
defer a.storageLock.RUnlock()
|
||||||
|
@ -435,11 +473,11 @@ func (a *ACME) loadAccount(acmeConfig *ACME) (*Account, error) {
|
||||||
return &Account, nil
|
return &Account, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (a *ACME) saveAccount(Account *Account) error {
|
func (a *ACME) saveAccount() error {
|
||||||
a.storageLock.Lock()
|
a.storageLock.Lock()
|
||||||
defer a.storageLock.Unlock()
|
defer a.storageLock.Unlock()
|
||||||
// write account to file
|
// write account to file
|
||||||
data, err := json.MarshalIndent(Account, "", " ")
|
data, err := json.MarshalIndent(a.account, "", " ")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
|
@ -206,6 +206,13 @@ entryPoint = "https"
|
||||||
#
|
#
|
||||||
# onDemand = true
|
# onDemand = true
|
||||||
|
|
||||||
|
# Enable certificate generation on frontends Host rules. This will request a certificate from Let's Encrypt for each frontend with a Host rule.
|
||||||
|
# For example, a rule Host:test1.traefik.io,test2.traefik.io will request a certificate with main domain test1.traefik.io and SAN test2.traefik.io.
|
||||||
|
#
|
||||||
|
# Optional
|
||||||
|
#
|
||||||
|
# OnHostRule = true
|
||||||
|
|
||||||
# CA server to use
|
# CA server to use
|
||||||
# Uncomment the line to run on the staging let's encrypt server
|
# Uncomment the line to run on the staging let's encrypt server
|
||||||
# Leave comment to go to prod
|
# Leave comment to go to prod
|
||||||
|
|
65
rules.go
65
rules.go
|
@ -2,6 +2,7 @@ package main
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"errors"
|
"errors"
|
||||||
|
"fmt"
|
||||||
"github.com/containous/mux"
|
"github.com/containous/mux"
|
||||||
"net"
|
"net"
|
||||||
"net/http"
|
"net/http"
|
||||||
|
@ -93,8 +94,7 @@ func (r *Rules) headersRegexp(headers ...string) *mux.Route {
|
||||||
return r.route.route.HeadersRegexp(headers...)
|
return r.route.route.HeadersRegexp(headers...)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Parse parses rules expressions
|
func (r *Rules) parseRules(expression string, onRule func(functionName string, function interface{}, arguments []string) error) error {
|
||||||
func (r *Rules) Parse(expression string) (*mux.Route, error) {
|
|
||||||
functions := map[string]interface{}{
|
functions := map[string]interface{}{
|
||||||
"Host": r.host,
|
"Host": r.host,
|
||||||
"HostRegexp": r.hostRegexp,
|
"HostRegexp": r.hostRegexp,
|
||||||
|
@ -108,7 +108,7 @@ func (r *Rules) Parse(expression string) (*mux.Route, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
if len(expression) == 0 {
|
if len(expression) == 0 {
|
||||||
return nil, errors.New("Empty rule")
|
return errors.New("Empty rule")
|
||||||
}
|
}
|
||||||
|
|
||||||
f := func(c rune) bool {
|
f := func(c rune) bool {
|
||||||
|
@ -122,17 +122,16 @@ func (r *Rules) Parse(expression string) (*mux.Route, error) {
|
||||||
|
|
||||||
parsedRules := strings.FieldsFunc(expression, splitRule)
|
parsedRules := strings.FieldsFunc(expression, splitRule)
|
||||||
|
|
||||||
var resultRoute *mux.Route
|
|
||||||
|
|
||||||
for _, rule := range parsedRules {
|
for _, rule := range parsedRules {
|
||||||
// get function
|
// get function
|
||||||
parsedFunctions := strings.FieldsFunc(rule, f)
|
parsedFunctions := strings.FieldsFunc(rule, f)
|
||||||
if len(parsedFunctions) == 0 {
|
if len(parsedFunctions) == 0 {
|
||||||
return nil, errors.New("Error parsing rule: '" + rule + "'")
|
return errors.New("Error parsing rule: '" + rule + "'")
|
||||||
}
|
}
|
||||||
parsedFunction, ok := functions[strings.TrimSpace(parsedFunctions[0])]
|
functionName := strings.TrimSpace(parsedFunctions[0])
|
||||||
|
parsedFunction, ok := functions[functionName]
|
||||||
if !ok {
|
if !ok {
|
||||||
return nil, errors.New("Error parsing rule: '" + rule + "'. Unknown function: '" + parsedFunctions[0] + "'")
|
return errors.New("Error parsing rule: '" + rule + "'. Unknown function: '" + parsedFunctions[0] + "'")
|
||||||
}
|
}
|
||||||
parsedFunctions = append(parsedFunctions[:0], parsedFunctions[1:]...)
|
parsedFunctions = append(parsedFunctions[:0], parsedFunctions[1:]...)
|
||||||
fargs := func(c rune) bool {
|
fargs := func(c rune) bool {
|
||||||
|
@ -141,26 +140,62 @@ func (r *Rules) Parse(expression string) (*mux.Route, error) {
|
||||||
// get function
|
// get function
|
||||||
parsedArgs := strings.FieldsFunc(strings.Join(parsedFunctions, ":"), fargs)
|
parsedArgs := strings.FieldsFunc(strings.Join(parsedFunctions, ":"), fargs)
|
||||||
if len(parsedArgs) == 0 {
|
if len(parsedArgs) == 0 {
|
||||||
return nil, errors.New("Error parsing args from rule: '" + rule + "'")
|
return errors.New("Error parsing args from rule: '" + rule + "'")
|
||||||
}
|
}
|
||||||
|
|
||||||
inputs := make([]reflect.Value, len(parsedArgs))
|
|
||||||
for i := range parsedArgs {
|
for i := range parsedArgs {
|
||||||
inputs[i] = reflect.ValueOf(strings.TrimSpace(parsedArgs[i]))
|
parsedArgs[i] = strings.TrimSpace(parsedArgs[i])
|
||||||
}
|
}
|
||||||
method := reflect.ValueOf(parsedFunction)
|
|
||||||
|
err := onRule(functionName, parsedFunction, parsedArgs)
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("Parsing error on rule:", err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
// Parse parses rules expressions
|
||||||
|
func (r *Rules) Parse(expression string) (*mux.Route, error) {
|
||||||
|
var resultRoute *mux.Route
|
||||||
|
err := r.parseRules(expression, func(functionName string, function interface{}, arguments []string) error {
|
||||||
|
inputs := make([]reflect.Value, len(arguments))
|
||||||
|
for i := range arguments {
|
||||||
|
inputs[i] = reflect.ValueOf(arguments[i])
|
||||||
|
}
|
||||||
|
method := reflect.ValueOf(function)
|
||||||
if method.IsValid() {
|
if method.IsValid() {
|
||||||
resultRoute = method.Call(inputs)[0].Interface().(*mux.Route)
|
resultRoute = method.Call(inputs)[0].Interface().(*mux.Route)
|
||||||
if r.err != nil {
|
if r.err != nil {
|
||||||
return nil, r.err
|
return r.err
|
||||||
}
|
}
|
||||||
if resultRoute.GetError() != nil {
|
if resultRoute.GetError() != nil {
|
||||||
return nil, resultRoute.GetError()
|
return resultRoute.GetError()
|
||||||
}
|
}
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
return nil, errors.New("Method not found: '" + parsedFunctions[0] + "'")
|
return errors.New("Method not found: '" + functionName + "'")
|
||||||
}
|
}
|
||||||
|
return nil
|
||||||
|
})
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("Error parsing rule:", err)
|
||||||
}
|
}
|
||||||
return resultRoute, nil
|
return resultRoute, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// ParseDomains parses rules expressions and returns domains
|
||||||
|
func (r *Rules) ParseDomains(expression string) ([]string, error) {
|
||||||
|
domains := []string{}
|
||||||
|
err := r.parseRules(expression, func(functionName string, function interface{}, arguments []string) error {
|
||||||
|
if functionName == "Host" {
|
||||||
|
domains = append(domains, arguments...)
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
})
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("Error parsing domains:", err)
|
||||||
|
}
|
||||||
|
return domains, nil
|
||||||
|
}
|
||||||
|
|
|
@ -4,11 +4,11 @@ import (
|
||||||
"github.com/containous/mux"
|
"github.com/containous/mux"
|
||||||
"net/http"
|
"net/http"
|
||||||
"net/url"
|
"net/url"
|
||||||
|
"reflect"
|
||||||
"testing"
|
"testing"
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestParseOneRule(t *testing.T) {
|
func TestParseOneRule(t *testing.T) {
|
||||||
|
|
||||||
router := mux.NewRouter()
|
router := mux.NewRouter()
|
||||||
route := router.NewRoute()
|
route := router.NewRoute()
|
||||||
serverRoute := &serverRoute{route: route}
|
serverRoute := &serverRoute{route: route}
|
||||||
|
@ -31,7 +31,6 @@ func TestParseOneRule(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestParseTwoRules(t *testing.T) {
|
func TestParseTwoRules(t *testing.T) {
|
||||||
|
|
||||||
router := mux.NewRouter()
|
router := mux.NewRouter()
|
||||||
route := router.NewRoute()
|
route := router.NewRoute()
|
||||||
serverRoute := &serverRoute{route: route}
|
serverRoute := &serverRoute{route: route}
|
||||||
|
@ -53,6 +52,29 @@ func TestParseTwoRules(t *testing.T) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestParseDomains(t *testing.T) {
|
||||||
|
rules := &Rules{}
|
||||||
|
expressionsSlice := []string{
|
||||||
|
"Host:foo.bar,test.bar",
|
||||||
|
"Path:/test",
|
||||||
|
"Host:foo.bar;Path:/test",
|
||||||
|
}
|
||||||
|
domainsSlice := [][]string{
|
||||||
|
{"foo.bar", "test.bar"},
|
||||||
|
{},
|
||||||
|
{"foo.bar"},
|
||||||
|
}
|
||||||
|
for i, expression := range expressionsSlice {
|
||||||
|
domains, err := rules.ParseDomains(expression)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("Error while parsing domains: %v", err)
|
||||||
|
}
|
||||||
|
if !reflect.DeepEqual(domains, domainsSlice[i]) {
|
||||||
|
t.Fatalf("Error parsing domains: expected %+v, got %+v", domainsSlice[i], domains)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func TestPriorites(t *testing.T) {
|
func TestPriorites(t *testing.T) {
|
||||||
router := mux.NewRouter()
|
router := mux.NewRouter()
|
||||||
router.StrictSlash(true)
|
router.StrictSlash(true)
|
||||||
|
|
21
server.go
21
server.go
|
@ -244,6 +244,7 @@ func (server *Server) listenConfigurations(stop chan bool) {
|
||||||
log.Infof("Server configuration reloaded on %s", server.serverEntryPoints[newServerEntryPointName].httpServer.Addr)
|
log.Infof("Server configuration reloaded on %s", server.serverEntryPoints[newServerEntryPointName].httpServer.Addr)
|
||||||
}
|
}
|
||||||
server.currentConfigurations.Set(newConfigurations)
|
server.currentConfigurations.Set(newConfigurations)
|
||||||
|
server.postLoadConfig()
|
||||||
} else {
|
} else {
|
||||||
log.Error("Error loading new configuration, aborted ", err)
|
log.Error("Error loading new configuration, aborted ", err)
|
||||||
}
|
}
|
||||||
|
@ -251,6 +252,26 @@ func (server *Server) listenConfigurations(stop chan bool) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (server *Server) postLoadConfig() {
|
||||||
|
if server.globalConfiguration.ACME != nil && server.globalConfiguration.ACME.OnHostRule {
|
||||||
|
currentConfigurations := server.currentConfigurations.Get().(configs)
|
||||||
|
for _, configuration := range currentConfigurations {
|
||||||
|
for _, frontend := range configuration.Frontends {
|
||||||
|
for _, route := range frontend.Routes {
|
||||||
|
rules := Rules{}
|
||||||
|
domains, err := rules.ParseDomains(route.Rule)
|
||||||
|
if err != nil {
|
||||||
|
log.Errorf("Error parsing domains: %v", err)
|
||||||
|
} else {
|
||||||
|
server.globalConfiguration.ACME.LoadCertificateForDomains(domains)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func (server *Server) configureProviders() {
|
func (server *Server) configureProviders() {
|
||||||
// configure providers
|
// configure providers
|
||||||
if server.globalConfiguration.Docker != nil {
|
if server.globalConfiguration.Docker != nil {
|
||||||
|
|
|
@ -96,6 +96,13 @@
|
||||||
#
|
#
|
||||||
# onDemand = true
|
# onDemand = true
|
||||||
|
|
||||||
|
# Enable certificate generation on frontends Host rules. This will request a certificate from Let's Encrypt for each frontend with a Host rule.
|
||||||
|
# For example, a rule Host:test1.traefik.io,test2.traefik.io will request a certificate with main domain test1.traefik.io and SAN test2.traefik.io.
|
||||||
|
#
|
||||||
|
# Optional
|
||||||
|
#
|
||||||
|
# OnHostRule = true
|
||||||
|
|
||||||
# CA server to use
|
# CA server to use
|
||||||
# Uncomment the line to run on the staging let's encrypt server
|
# Uncomment the line to run on the staging let's encrypt server
|
||||||
# Leave comment to go to prod
|
# Leave comment to go to prod
|
||||||
|
|
Loading…
Reference in a new issue