Constellation, Spacedust, Slingshot, UFOs: atproto crates and services for microcosm

ok yeah too many branches in this config

oh well

phil 1108ca8c 93a44561

+54 -22
+6
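--- a/slingshot/src/main.rs
+++ b/slingshot/src/main.rs
@@ -80,6 +80,11 @@
 /// you must also configure the relevant DNS records for this to work
 #[arg(long, action, requires("tls_domain"), env = "SLINGSHOT_TLS_IPV6")]
 tls_ipv6: bool,
+/// with tls configured on 443, say "please use https" on port 80
+///
+/// note: configuring tls always binds port 80 as well, 443-only is TODO
+#[arg(long, action, requires("tls_domain"), env = "SLINGSHOT_WARN_INSECURE")]
+warn_insecure: bool,
 /// redirect acme http-01 challenges to this url
 ///
 /// useful if you're setting up a second instance that synchronizes its
@@ -201,6 +206,7 @@
 args.tls_domain,
 args.tls_certs,
 args.tls_ipv6,
+args.warn_insecure,
 args.acme_challenge_redirect,
 args.acme_contact,
 args.acme_staging,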
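Review bot: The doc comment on `warn_insecure` does not say what port 80 does when the flag is left off, and the off-by-default choice changes behaviour for existing static-cert deployments. The lines removed from `tlsify` in slingshot/src/server.rs always answered plain-HTTP requests with the 421 hint, while its new final `else` builds `RouteScheme::new().https(app)` with no HTTP endpoint at all. Since the comment itself notes that port 80 is still bound, a plaintext client would presumably get poem's response for an unrouted scheme, with nothing telling it the request went out unencrypted. I would add a line such as `/// when unset, port 80 serves at most the acme http-01 challenge route and gives no https hint`, and weigh making the hint the default with the flag used to switch it off.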
+48 -22
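--- a/slingshot/src/server.rs
+++ b/slingshot/src/server.rs
@@ -1304,6 +1304,14 @@
 make_sync(move |_| doc.clone())
 }
 
+#[poem::handler]
+async fn https_plz() -> (poem::http::StatusCode, &'static str) {
+(
+poem::http::StatusCode::MISDIRECTED_REQUEST,
+"this service must be accessed with https (port 443).",
+)
+}
+
 #[allow(clippy::too_many_arguments)]
 pub async fn serve(
 cache: HybridCache<String, CachedRecord>,
@@ -1314,6 +1322,7 @@
 tls_domain: Option<String>,
 tls_certs: Option<PathBuf>,
 tls_ipv6: bool,
+warn_insecure: bool,
 acme_challenge_redirect: Option<String>,
 acme_contact: Option<String>,
 acme_staging: bool,
@@ -1369,11 +1378,26 @@
 .with(cors);
 
 if let Some(contact) = acme_contact {
-let (listener, app) = acmify(app, domain, tls_certs, tls_ipv6, contact, acme_staging)?;
+let (listener, app) = acmify(
+app,
+domain,
+tls_certs,
+tls_ipv6,
+contact,
+acme_staging,
+warn_insecure,
+)?;
 run(listener, app, shutdown).await
 } else {
 let certs = tls_certs.expect("certs path must be set for non-acme tls");
-let (listener, app) = tlsify(app, domain, certs, tls_ipv6, acme_challenge_redirect)?;
+let (listener, app) = tlsify(
+app,
+domain,
+certs,
+tls_ipv6,
+acme_challenge_redirect,
+warn_insecure,
+)?;
 run(listener, app, shutdown).await
 }
 } else {
@@ -1388,6 +1412,7 @@
 tls_ipv6: bool,
 acme_contact: String,
 acme_staging: bool,
+warn_insecure: bool,
 ) -> Result<(impl Listener + 'static, impl Endpoint + 'static), ServerError> {
 let mut auto_cert = AutoCert::builder()
 .contact(acme_contact)
@@ -1409,9 +1434,16 @@
 
 let auto_cert = auto_cert.build().map_err(ServerError::AcmeBuildError)?;
 
-let app = RouteScheme::new()
-.https(app)
-.http(auto_cert.http_01_endpoint());
+let mut insecure_app = Route::new().at(
+"/.well-known/acme-challenge/:token",
+auto_cert.http_01_endpoint(),
+);
+
+if warn_insecure {
+insecure_app = insecure_app.at("/*any", https_plz).at("/", https_plz);
+}
+
+let app = RouteScheme::new().https(app).http(insecure_app);
 
 let listener = TcpListener::bind(if tls_ipv6 { "[::]:443" } else { "0.0.0.0:443" })
 .acme(auto_cert)
@@ -1430,6 +1462,7 @@
 tls_certs: PathBuf,
 tls_ipv6: bool,
 acme_challenge_redirect: Option<String>,
+warn_insecure: bool,
 ) -> Result<(impl Listener + 'static, impl Endpoint + 'static), ServerError> {
 use poem::listener::{RustlsCertificate, RustlsConfig};
 use std::path::Path;
@@ -1466,14 +1499,6 @@
 "0.0.0.0:80"
 }));
 
-#[poem::handler]
-async fn https_plz() -> (poem::http::StatusCode, &'static str) {
-(
-poem::http::StatusCode::MISDIRECTED_REQUEST,
-"this service must be accessed with https (port 443).",
-)
-}
-
 let app = if let Some(redir) = acme_challenge_redirect {
 use poem::web;
 
@@ -1483,16 +1508,17 @@
 web::Redirect::temporary(format!("{redir}{token}"))
 });
 
-RouteScheme::new().https(app).http(
-Route::new()
-.at("/.well-known/acme-challenge/:token", redirect)
-.at("/*any", https_plz)
-.at("/", https_plz),
-)
+let mut insecure_app = Route::new().at("/.well-known/acme-challenge/:token", redirect);
+
+if warn_insecure {
+insecure_app = insecure_app.at("/*any", https_plz).at("/", https_plz);
+}
+
+RouteScheme::new().https(app).http(insecure_app)
+} else if warn_insecure {
+RouteScheme::new().https(app).http(https_plz)
 } else {
-RouteScheme::new()
-.https(app)
-.http(Route::new().at("/*any", https_plz).at("/", https_plz))
+RouteScheme::new().https(app)
 };
 
 Ok((listener, app))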
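Review bot: The port-80 policy is now written out three times: the `if warn_insecure { insecure_app = … }` block in `acmify`, the same block in the redirect branch of `tlsify`, and `.http(https_plz)` in its `else if` branch. Any later change to what plaintext clients are told has to be repeated in each place, or the ACME and static-cert paths drift apart. A small private helper that takes the challenge endpoint and the flag and returns the `Route` would keep that decision in one spot, leaving each of the two `Route::new().at("/.well-known/acme-challenge/:token", …)` call sites as a single call. Both functions start and end outside the hunks shown, so the sketch covers only the lines that would change.

```rust
/// Routes served to plaintext (port 80) clients: the acme http-01 challenge
/// path, plus the "use https" hint on every other path when `warn_insecure` is set.
fn insecure_routes<E>(challenge: E, warn_insecure: bool) -> Route
where
    E: poem::IntoEndpoint,
    E::Endpoint: 'static,
{
    let routes = Route::new().at("/.well-known/acme-challenge/:token", challenge);
    if warn_insecure {
        routes.at("/*any", https_plz).at("/", https_plz)
    } else {
        routes
    }
}

// in acmify
// … unchanged: AutoCert builder and build() …
let app = RouteScheme::new()
    .https(app)
    .http(insecure_routes(auto_cert.http_01_endpoint(), warn_insecure));

// in tlsify, redirect branch
// … unchanged: redirect handler …
RouteScheme::new()
    .https(app)
    .http(insecure_routes(redirect, warn_insecure))
```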