komuw / ong

ong, is a Go http toolkit.
MIT License

acme: ability to specify the exact domains to use for TLS as well as wildcards #400

Closed komuw closed 5 months ago

komuw commented 5 months ago

Maybe we should expand the server configs (https://github.com/komuw/ong/blob/7a7804416d8fcea006bdd65350c8353e3e9bfe4d/config/config.go#L735-L736) so that they take in an option like:

```go
// HostPolicy specifies which host names the Manager is allowed to respond to.
// It returns a non-nil error if the host should be rejected.
// The returned error is accessible via tls.Conn.Handshake and its callers.
// See Manager's HostPolicy field and GetCertificate method docs for more details.
type HostPolicy func(ctx context.Context, host string) error
```

Also see; https://github.com/golang/crypto/blob/dbb6ec16ecef7a66638d8514be54b13660551b0a/acme/autocert/autocert.go#L68-L88 which allows you to provide a list of domains and subdomains that you allow certificates for.

komuw commented 5 months ago

Alternatively, a case where we replace the argument `domain` with `domains []string`. If any of the domains in the slice has a `*`, then it is interpreted as per https://github.com/komuw/ong/blob/7a7804416d8fcea006bdd65350c8353e3e9bfe4d/internal/acme/acme.go#L44-L69. We could even ban the mixing of domains with `*` and any other domains:

```go
domains := []string{"*.example.com", "api.example.com"} // would be banned.
o := config.LetsEncryptOpts(domains, ...)
_ = server.Run(mux, o)
```

```go
domains := []string{"login.example.com", "api.example.com"} // this is allowed.
o := config.LetsEncryptOpts(domains, ...)
_ = server.Run(mux, o)
```

```go
domains := []string{"*.example.com"} // this is allowed.
o := config.LetsEncryptOpts(domains, ...)
_ = server.Run(mux, o)
```

komuw commented 5 months ago

We could retain the argument called domain but only use it in middlewares. Then create a new argument called tlsHosts for use in the server.