6525cb1a41
internal/handlers/acme.go: GET /.well-known/acme-challenge/:token serviert Token-Files aus /var/lib/edgeguard/acme/.well-known/ acme-challenge/ (default; override via EDGEGUARD_ACME_WEBROOT). Validiert Token-Charset gegen RFC 8555 §8.3 (base64url, 1..128 chars) und prüft mit filepath.Abs+HasPrefix gegen path-traversal. Mounted auf der bare gin Engine vor SetupGate/RequireAuth — ACME muss unmittelbar nach HAProxy-Start funktionieren, lange bevor ein Admin Setup abgeschlossen hat. 4 Unit-Tests (valid/missing/dir/invalid-charset). Live-Smoke gegen /tmp/eg-acme bestanden. Test gegen 89.163.205.6 mit echtem certbot wird Teil von (d) — unnötig Let's-Encrypt-Rate-Limits zu verbrennen ohne stehendes HAProxy-Frontend auf dem Server. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
92 lines
2.5 KiB
Go
92 lines
2.5 KiB
Go
package handlers
|
|
|
|
import (
|
|
"net/http"
|
|
"os"
|
|
"path/filepath"
|
|
"strings"
|
|
|
|
"github.com/gin-gonic/gin"
|
|
)
|
|
|
|
// ACMEHandler serves HTTP-01 challenge tokens that certbot dropped
|
|
// into a webroot directory. HAProxy proxies all
|
|
// /.well-known/acme-challenge/* requests to edgeguard-api on
|
|
// 127.0.0.1:9443; this handler is what they hit.
|
|
//
|
|
// Layout on disk (matching certbot --webroot's default):
|
|
//
|
|
// <root>/.well-known/acme-challenge/<token>
|
|
//
|
|
// where <root> defaults to /var/lib/edgeguard/acme. Files are
|
|
// short-lived plaintext (~64 ASCII chars); the handler reads them
|
|
// directly off disk on every request.
|
|
type ACMEHandler struct {
|
|
WebrootDir string
|
|
}
|
|
|
|
func NewACMEHandler(webrootDir string) *ACMEHandler {
|
|
if webrootDir == "" {
|
|
webrootDir = "/var/lib/edgeguard/acme"
|
|
}
|
|
return &ACMEHandler{WebrootDir: webrootDir}
|
|
}
|
|
|
|
// Register mounts /.well-known/acme-challenge/:token on the bare
|
|
// engine (NOT under /api/v1) and stays outside SetupGate / RequireAuth
|
|
// — ACME runs as soon as HAProxy is up, often before the operator
|
|
// has even completed setup.
|
|
func (h *ACMEHandler) Register(r *gin.Engine) {
|
|
r.GET("/.well-known/acme-challenge/:token", h.serveToken)
|
|
}
|
|
|
|
func (h *ACMEHandler) serveToken(c *gin.Context) {
|
|
token := c.Param("token")
|
|
if !validToken(token) {
|
|
c.Status(http.StatusBadRequest)
|
|
return
|
|
}
|
|
full := filepath.Join(h.WebrootDir, ".well-known", "acme-challenge", token)
|
|
// Defense in depth: refuse paths that escape the webroot even
|
|
// after the validToken check (symlink / path-resolution edge
|
|
// cases).
|
|
abs, err := filepath.Abs(full)
|
|
if err != nil {
|
|
c.Status(http.StatusBadRequest)
|
|
return
|
|
}
|
|
rootAbs, err := filepath.Abs(h.WebrootDir)
|
|
if err != nil || !strings.HasPrefix(abs, rootAbs+string(os.PathSeparator)) {
|
|
c.Status(http.StatusBadRequest)
|
|
return
|
|
}
|
|
if info, err := os.Stat(abs); err != nil || info.IsDir() {
|
|
c.Status(http.StatusNotFound)
|
|
return
|
|
}
|
|
// Use c.File so client gets correct Content-Length, ETag, etc.
|
|
// Content-Type defaults to application/octet-stream which is fine
|
|
// for ACME — the spec doesn't pin a type.
|
|
c.File(abs)
|
|
}
|
|
|
|
// validToken accepts the RFC 8555 §8.3 charset for HTTP-01
|
|
// challenges: base64url alphabet [A-Za-z0-9-_], length 1..128. We
|
|
// reject everything else so the URL parser can never let a `..` or
|
|
// path separator through.
|
|
func validToken(s string) bool {
|
|
if len(s) == 0 || len(s) > 128 {
|
|
return false
|
|
}
|
|
for _, r := range s {
|
|
ok := (r >= 'a' && r <= 'z') ||
|
|
(r >= 'A' && r <= 'Z') ||
|
|
(r >= '0' && r <= '9') ||
|
|
r == '-' || r == '_'
|
|
if !ok {
|
|
return false
|
|
}
|
|
}
|
|
return true
|
|
}
|