Closed komuw closed 5 months ago
Alternatively, a case where we replace the argument `domain` with `domains []string`. If any of the domains in the slice has a `*` then it is interpreted as per https://github.com/komuw/ong/blob/7a7804416d8fcea006bdd65350c8353e3e9bfe4d/internal/acme/acme.go#L44-L69
We could even ban the mixing of domains with `*` and any other domains:
```go
domains := []string{"*.example.com", "api.example.com"} // would be banned.
o := config.LetsEncryptOpts(domains, ...)
_ = server.Run(mux, o)
```

```go
domains := []string{"login.example.com", "api.example.com"} // this is allowed.
o := config.LetsEncryptOpts(domains, ...)
_ = server.Run(mux, o)
```

```go
domains := []string{"*.example.com"} // this is allowed.
o := config.LetsEncryptOpts(domains, ...)
_ = server.Run(mux, o)
```
We could retain the argument called `domain` but only use it in middlewares. Then create a new argument called `tlsHosts` for use in the server.
Any random bot that makes a request to any subdomain will lead to a certificate for that subdomain being created. From small time experience, within no time you end up with hundreds of subdomains just because bots are requesting for them.
Maybe we should expand the server configs; https://github.com/komuw/ong/blob/7a7804416d8fcea006bdd65350c8353e3e9bfe4d/config/config.go#L735-L736 so that it takes in an option like;
Also see; https://github.com/golang/crypto/blob/dbb6ec16ecef7a66638d8514be54b13660551b0a/acme/autocert/autocert.go#L68-L88 which allows you to provide a list of domains and subdomains that you allow certificates for.
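One way the `domains []string` idea above could be enforced as an allow-list, as an added example that is not ong's own code and does not import autocert (it only mirrors the `HostPolicy` signature, `func(ctx context.Context, host string) error`); the wildcard semantics and the mixing ban are assumptions taken from the discussion:

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
)

// newHostPolicy builds a func with the same shape as autocert.HostPolicy
// from the domains slice proposed above. A non-nil error refuses issuance,
// so bots probing random subdomains cannot trigger new certificates.
// Assumed rules: "*.example.com" matches exactly one label under example.com
// (not the apex, not deeper names, like an ACME wildcard); a wildcard may not
// be mixed with other domains; "*" is valid only as the leading label.
func newHostPolicy(domains []string) (func(context.Context, string) error, error) {
	if len(domains) == 0 {
		return nil, errors.New("at least one domain is required")
	}
	exact := map[string]bool{}
	wildcardBase := ""
	for _, d := range domains {
		d = strings.ToLower(strings.TrimSpace(d))
		isWild := strings.HasPrefix(d, "*.")
		base := strings.TrimPrefix(d, "*.")
		switch {
		case d == "" || base == "":
			return nil, errors.New("empty domain entry")
		case strings.Contains(base, "*"):
			return nil, fmt.Errorf("invalid domain %q: \"*\" allowed only as the leading label", d)
		case isWild && len(domains) > 1:
			return nil, fmt.Errorf("wildcard %q cannot be mixed with other domains", d)
		case isWild:
			wildcardBase = base
		default:
			exact[d] = true
		}
	}
	return func(_ context.Context, host string) error {
		host = strings.ToLower(strings.TrimSuffix(host, "."))
		if exact[host] {
			return nil
		}
		// Exactly one label followed by the wildcard base: a.example.com yes, a.b.example.com no.
		if label, rest, ok := strings.Cut(host, "."); ok && wildcardBase != "" && rest == wildcardBase && label != "" && !strings.Contains(label, "*") {
			return nil
		}
		return fmt.Errorf("host %q is not configured for TLS; refusing to request a certificate", host)
	}, nil
}
```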