wildcard certificate support using Autocert (golang) - go

implementing a https go server with wildcard certificate support.
package main
import (
"crypto/tls"
"log"
"net/http"
"golang.org/x/crypto/acme/autocert"
)
func main() {
certManager := autocert.Manager{
Prompt: autocert.AcceptTOS,
HostPolicy: autocert.HostWhitelist("example.com"), //Your domain here
Cache: autocert.DirCache("certs"), //Folder for storing certificates
}
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
w.Write([]byte("Hello world"))
})
server := &http.Server{
Addr: ":https",
TLSConfig: &tls.Config{
GetCertificate: certManager.GetCertificate,
},
}
go http.ListenAndServe(":http", certManager.HTTPHandler(nil))
log.Fatal(server.ListenAndServeTLS("", "")) //Key and cert are coming from Let's Encrypt
}
couldn't figure out how to add a wildcard pattern to the hostwhitelist.
need support for "*.example.com"

The HostWhitelist doesn't support wildcards, but because a HostPolicy is merely a function, you can implement your own HostPolicy, using e.g. a regular expression:
var (
allowedHosts = regexp.MustCompile(`^[^.]+\.example\.com$`)
errPolicyMismatch = errors.New("the host did not match the allowed hosts")
)
func CustomHostPolicy(_ context.Context, host string) error {
if matches := allowedHosts.MatchString(host); !matches {
return errPolicyMismatch
}
return nil
}
See demo on https://go.dev/play/p/8gGIpnl1NLs

Related

Graphql Subscriptions not working with Gin

When I tried to setup a Go web server with GraphQL I used this as template. It is basically a combo of gin and 99designs/gqlgen.
When I create a basic gqlgen server based on net/http package, the declaration of GraphQL subscriptions work as expected.
package main
import (
"log"
"net/http"
"os"
"github.com/99designs/gqlgen/graphql/handler"
"github.com/99designs/gqlgen/graphql/playground"
"github.com/jawil003/gqlgen/graph"
"github.com/jawil003/gqlgen/graph/generated"
)
const defaultPort = "8080"
func main() {
port := os.Getenv("PORT")
if port == "" {
port = defaultPort
}
srv := handler.NewDefaultServer(generated.NewExecutableSchema(generated.Config{Resolvers: &graph.Resolver{}}))
http.Handle("/", playground.Handler("GraphQL playground", "/query"))
http.Handle("/query", srv)
log.Printf("connect to http://localhost:%s/ for GraphQL playground", port)
log.Fatal(http.ListenAndServe(":"+port, nil))
}
But when I add gin, like this:
package main
import (
"github.com/gin-gonic/gin"
"github.com/jawil003/gqlgen-todos/graph"
"github.com/jawil003/gqlgen-todos/graph/generated"
"github.com/99designs/gqlgen/graphql/handler"
"github.com/99designs/gqlgen/graphql/playground"
)
// Defining the Graphql handler
func graphqlHandler() gin.HandlerFunc {
// NewExecutableSchema and Config are in the generated.go file
// Resolver is in the resolver.go file
h := handler.NewDefaultServer(generated.NewExecutableSchema(generated.Config{Resolvers: &graph.Resolver{}}))
return func(c *gin.Context) {
h.ServeHTTP(c.Writer, c.Request)
}
}
// Defining the Playground handler
func playgroundHandler() gin.HandlerFunc {
h := playground.Handler("GraphQL", "/query")
return func(c *gin.Context) {
h.ServeHTTP(c.Writer, c.Request)
}
}
func main() {
// Setting up Gin
r := gin.Default()
r.POST("/query", graphqlHandler())
r.GET("/", playgroundHandler())
r.Run()
}
I get this issue:
{ "error": "Could not connect to websocket endpoint ws://localhost:8080/query. Please check if the endpoint url is correct." }
Is there any known solution to make gin work with graphql subscriptions?
Hello to fix error Could not connect to websocket endpoint.. with Gin change r.POST("/query", graphqlHandler()) to r.Any("/query", graphqlHandler())

Issues creating an HTTPS server to serve binaries and other files

What I want to achieve:
An HTTPS server designed specifically to serve binaries to around 1000 devices, sometimes in the same time (clients will fetch the binaries via wget, curl, browser download, etc).
Key functionality features:
client won't be able to download the binary without a certificate
server will allow the client directory browsing/download via browser(if client has certificate)
server is optimized for stability and security, then for speed
server must use high security ciphers and TLS1.2
What I managed to achieve
package main
import (
"log"
"net/http"
)
func main() {
http.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
w.Header().Set("Content-Type", "text/plain; charset=utf-8")
http.ServeFile(w, req, "/")
})
log.Printf("Server running\nAccess the server via: https://localhost:9900/")
log.Fatal(http.ListenAndServeTLS(":9900", "cert.crt", "priv.key", http.FileServer(http.Dir("/"))))
}
Now, this works fine although it doesn't check all the features and its not very flexible and somehow I wanted to make it more future proof, as I wish to both learn by creating this project and also expand on it in the future as I'm interested in learning more about servers.
After a bit of research I found several code pieces on GitHub and in tutorials, which led me to put together the following piece of code:
package main
import (
"crypto/tls"
"log"
"net/http"
)
func main() {
mux := http.NewServeMux()
mux.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
w.Header().Add("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
http.ServeFile(w, req, "/")
})
cfg := &tls.Config{
MinVersion: tls.VersionTLS12,
CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
PreferServerCipherSuites: true,
CipherSuites: []uint16{
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_AES_256_GCM_SHA384,
},
}
srv := &http.Server{
Addr: ":9900",
Handler: mux,
TLSConfig: cfg,
TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler), 0),
}
log.Printf("Server running\nAccess the server via: https://localhost:9900/")
log.Fatal(srv.ListenAndServeTLS("cert.crt", "priv.key"), http.FileServer(http.Dir("/")))
}
Problem is that when the server starts and I connect to it via browser, I'm presented with the root directory but every time I click on a folder the URL increments the address but the page just refreshes in the "/" directory.
To be exact:
I connect initially to the server and I'm presented the root directory , I'm shown Dir1, Dir2, Dir3
I click Dir1
The URL modifies from https://localhost:9900 to https://localhost:9900/Dir1
But I'm still in the root directory
From what I'm able to see...I think I'm creating a loop somewhere.
If anyone knows what I need to do to make this functional, help would be much appreciated.
NOTE
The above behavior is on Firefox, on Chrome I get one of the 2 errors in the server error log, depending on changes that I make:
2019/09/29 19:59:37 http: TLS handshake error from [::1]:53287: EOF
2019/09/29 19:15:59 http: TLS handshake error from [::1]:50457: tls: client doesn't support selected certificate
There are several examples elsewhere on how to do this (as has been commented).
Here's a worked example in which the fileserver handler is an enhanced version of that in the standard library that supports more cache headers and locally-compressed files. The standard fileserver handler can be dropped in here instead if that's what you need.
package main
import (
"crypto/tls"
"flag"
"fmt"
"log"
"net/http"
"time"
"github.com/rickb777/servefiles/v3"
)
var path = flag.String("path", "..", "directory for the files tp be served")
var cert = flag.String("cert", "", "file containing the certificate (optional)")
var key = flag.String("key", "", "file containing the private key (optional)")
var port = flag.Int("port", 8080, "TCP port to listen on")
var maxAge = flag.String("maxage", "", "Maximum age of assets sent in response headers - causes client caching")
var verbose = flag.Bool("v", false, "Enable verbose messages")
func main() {
flag.Parse()
if *verbose {
servefiles.Debugf = log.Printf
}
if (*cert != "" && *key == "") ||
(*cert == "" && *key != "") {
log.Fatal("Both certificate file (-cert) and private key file (-key) are required.")
}
h := servefiles.NewAssetHandler(*path)
if *maxAge != "" {
d, err := time.ParseDuration(*maxAge)
log.Printf("MaxAge: %s %v\n", d, err)
h = h.WithMaxAge(d)
}
srv := &http.Server{
Addr: fmt.Sprintf(":%d", *port),
Handler: h,
}
if *cert != "" {
srv.TLSConfig = &tls.Config{
MinVersion: tls.VersionTLS12,
CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
PreferServerCipherSuites: true,
CipherSuites: []uint16{
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_AES_256_GCM_SHA384,
},
}
log.Printf("Access the server via: https://localhost:%d/", *port)
log.Fatal(srv.ListenAndServeTLS(*cert, *key))
} else {
log.Printf("Access the server via: http://localhost:%d/", *port)
log.Fatal(srv.ListenAndServe())
}
}
Source code https://github.com/rickb777/servefiles/blob/master/v3/webserver/example.go

What configuration am I missing for httputil.NewSingleHostReverseProxy?

The code below produces the error further below. When I type "http://www.cnn.com/favicon.ico" straight into any browser it works without issue. I am guessing that I am missing some critical configuration for the reverse proxy. What is the minimum config needed for getting this to work?
package main
import (
"net/http"
"net/http/httputil"
"net/url"
"log"
)
func main(){
url, _ := url.Parse("http://www.cnn.com/favicon.ico")
proxy := httputil.NewSingleHostReverseProxy(url)
http.HandleFunc("/", proxy.ServeHTTP)
log.Fatal(http.ListenAndServe(":9090", nil))
}
Fastly error: unknown domain: localhost. Please check that this domain
has been added to a service.
Details: cache-lax8625-LAX
Happy 4th of July!
I made the following 2 changes to get it working:
Firstly, point the proxy at www.cnn.com instead of www.cnn.com/favicon.ico. Of course, now we must make our request to localhost:9090/favicon.ico.
Next, set the proxied request's Host field to the target host, not the host of the proxy which is localhost.
The code ends up looking like this:
package main
import (
"log"
"net/http"
"net/http/httputil"
"net/url"
)
type Director func(*http.Request)
func (f Director) Then(g Director) Director {
return func(req *http.Request) {
f(req)
g(req)
}
}
func hostDirector(host string) Director {
return func(req *http.Request) {
req.Host = host
}
}
func main() {
url, _ := url.Parse("http://www.cnn.com")
proxy := httputil.NewSingleHostReverseProxy(url)
d := proxy.Director
// sequence the default director with our host director
proxy.Director = Director(d).Then(hostDirector(url.Hostname()))
http.Handle("/", proxy)
log.Fatal(http.ListenAndServe(":9090", nil))
}

Pass a reference to a Redis instance to a Gorilla/Mux Handler

I'm trying to get my hands dirty while playing with some Gorilla/Mux and Go-Redis but I'm facing a little implementation problem here.
Essentially I have a project structured like the following:
Where redismanager.go handles the initialization of a Redis Client:
package redismanager
import (
"fmt"
"github.com/go-redis/redis"
)
func InitRedisClient() redis.Client {
client := redis.NewClient(&redis.Options{
Addr : "localhost:6379",
Password: "",
DB : 0, //default
})
pong, err := client.Ping().Result()
if( err != nil ){
fmt.Println("Cannot Initialize Redis Client ", err)
}
fmt.Println("Redis Client Successfully Initialized . . .", pong)
return *client
}
Where main.go calls redismanager.InitRedisClient and initializes mux.Handlers:
package main
import (
"github.com/gorilla/mux"
"github.com/go-redis/redis"
"net/http"
"fmt"
"log"
"encoding/json"
"io/ioutil"
"../redismanager"
"../api"
)
type RedisInstance struct {
RInstance *redis.Client
}
func main() {
//Initialize Redis Client
client := redismanager.InitRedisClient()
//Get current redis instance to get passed to different Gorilla-Mux Handlers
redisHandler := &RedisInstance{RInstance:&client}
//Initialize Router Handlers
r := mux.NewRouter()
r.HandleFunc("/todo", redisHandler.AddTodoHandler).
Methods("POST")
fmt.Println("Listening on port :8000 . . .")
// Bind to a port and pass our router in
log.Fatal(http.ListenAndServe(":8000", r))
}
Now, I can easily define and let work properly AddTodoHandler in the same file like:
func (c *RedisInstance) AddTodoHandler(w http.ResponseWriter, r *http.Request) {
. . . doSomething
}
But, to make things a bit more modular, I'm trying to move all of these RouteHandlers inside their respective files in api package. In order to make that, I need to pass a reference to redisHandler but I'm having some difficulties when trying to make that with an Handler inside api package.
For instance, If in the main I add:
r.HandleFunc("/todo/{id}", api.GetTodoHandler(&client)).
Methods("GET")
with gettodo.go
package api
import (
"net/http"
"github.com/gorilla/mux"
"fmt"
"encoding/json"
"github.com/go-redis/redis"
)
func GetTodoHandler(c *RedisInstance) func (w http.ResponseWriter, r *http.Request) {
func (w http.ResponseWriter, r *http.Request) {
. . . doSomething
}
}
It works nicely.
I'm still pretty new to Go and haven't found any cleaner solution to that even after several researches and reads.
Is my approach correct or are there any better ones?
Write a function that converts a function with the Redis instance argument to an HTTP handler:
func redisHandler(c *RedisInstance,
f func(c *RedisInstance, w http.ResponseWriter, r *http.Request)) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { f(c, w, r) })
}
Write your API handlers like this:
func AddTodoHandler(c *RedisInstance, w http.ResponseWriter, r *http.Request) {
...
}
Add to the mux like this:
r.Handler("/todo", redisHandler(client, api.AddTodoHandler)).Methods("POST")
where client is the Redis instance.
I would recommend using an App struct which initializes DB and Routes. And all Redis methods will be called inside.
e.g. type App struct{Routes *mux.Router, DB *DB_TYPE}
And which will have App.initializeRoutes method.
type App struct {
Router *mux.Router
DB *redis.NewClient
}
func (a *App) Run(addr string) {
log.Fatal(http.ListenAndServe(":8000", a.Router))
}
func (a *App) Initialize(addr, password string, db int) error {
// Connect postgres
db, err := redis.NewClient(&redis.Options{
Addr: addr,
Password: password,
DB: db,
})
if err != nil {
return err
}
// Ping to connection
err = db.Ping()
if err != nil {
return err
}
// Set db in Model
a.DB = db
a.Router = mux.NewRouter()
a.initializeRoutes()
return nil
}
func (a *App) initializeRoutes() {
a.Router.HandleFunc("/todo", a.AddTodoHandler).Methods("POST")
a.Router.HandleFunc("/todo/{id}", a.GetTodoHandler).Methods("GET")
}
// AddTodoHandler has access to DB, in your case Redis
// you can replace the steps for Redis.
func (a *App) AddTodoHandler() {
//has access to DB
a.DB
}
Hope you get the point, you can even extract out the Model work into a separate Struct and then pass it inside func's
r.HandleFunc("/todo/{id}", redisHandler.api.GetTodoHandler).Methods("GET")
Your redisHandler, as defined in main, has no api field, so this naturally doesn't compile.
If you re-defined your RedisInstance type in the api package, and you defined the handler methods on that type in the method-specific files, then you can initialize your redisHandler using that api.RedisInstance type and you can delete the main.RedisInstance type definition:
package main
import (
"github.com/gorilla/mux"
"github.com/go-redis/redis"
"net/http"
"fmt"
"log"
"encoding/json"
"io/ioutil"
"../redismanager"
"../api"
)
func main() {
//Initialize Redis Client
client := redismanager.InitRedisClient()
//Get current redis instance to get passed to different Gorilla-Mux Handlers
redisHandler := &api.RedisInstance{RInstance:&client}
//Initialize Router Handlers
r := mux.NewRouter()
r.HandleFunc("/todo", redisHandler.AddTodoHandler).Methods("POST")
r.HandleFunc("/todo/{id}", redisHandler.GetTodoHandler).Methods("GET")
fmt.Println("Listening on port :8000 . . .")
// Bind to a port and pass our router in
log.Fatal(http.ListenAndServe(":8000", r))
}

one common http handler instead of several

Is it possible to not copy paste expression commonHanlder(handler1), commonHanlder(handler2) ... commonHanlder(handlerN) in this code:
rtr.HandleFunc("/", commonHanlder(handler1)).Methods("GET")
rtr.HandleFunc("/page2", commonHanlder(handler2)).Methods("GET")
and set it in one place like
http.ListenAndServe(":3000", commonHanlder(http.DefaultServeMux))
But this variant is not working and gives two errors on compile:
./goRelicAndMux.go:20: cannot use http.DefaultServeMux (type *http.ServeMux) as type gorelic.tHTTPHandlerFunc in argument to commonHanlder
./goRelicAndMux.go:20: cannot use commonHanlder(http.DefaultServeMux) (type gorelic.tHTTPHandlerFunc) as type http.Handler in argument to http.ListenAndServe:
gorelic.tHTTPHandlerFunc does not implement http.Handler (missing ServeHTTP method)
The full code:
package main
import (
"github.com/gorilla/mux"
"github.com/yvasiyarov/gorelic"
"log"
"net/http"
)
func main() {
initNewRelic()
rtr := mux.NewRouter()
var commonHanlder = agent.WrapHTTPHandlerFunc
rtr.HandleFunc("/", commonHanlder(handler1)).Methods("GET")
rtr.HandleFunc("/page2", commonHanlder(handler2)).Methods("GET")
http.Handle("/", rtr)
log.Println("Listening...")
http.ListenAndServe(":3000", http.DefaultServeMux)
}
func handler1(w http.ResponseWriter, r *http.Request) {
w.Write([]byte("mainPage"))
}
func handler2(w http.ResponseWriter, r *http.Request) {
w.Write([]byte("page 2"))
}
var agent *gorelic.Agent
func initNewRelic() {
agent = gorelic.NewAgent()
agent.Verbose = true
agent.NewrelicName = "test"
agent.NewrelicLicense = "new relic key"
agent.Run()
}
It seems like you want to call commonHandler on the root of your application and have it work for all. Since you are using mux, just wrap the mux router once.
func main() {
initNewRelic()
rtr := mux.NewRouter()
var commonHandler = agent.WrapHTTPHandler
rtr.HandleFunc("/", handler1).Methods("GET")
rtr.HandleFunc("/page2", handler2).Methods("GET")
http.Handle("/", commonHandler(rtr))
log.Println("Listening...")
http.ListenAndServe(":3000", nil)
}
I also removed the http.DefaultServeMux reference in ListenAndServe since passing nil will automatically use the default.

Resources