
Use secure TLS configuration for autocert server

This change lets Miniflux use the same secure TLS configuration options when using Let's Encrypt / Autocert as when using a manually specified certificate. It raises the server’s SSL Labs score from a B to an A+ with LetsEncrypt.
Dave Marquard %!s(int64=6) %!d(string=hai) anos
54602b55bb
Modificáronse 1 ficheiros con 25 adicións e 20 borrados
  1. 25 20
      service/httpd/httpd.go

+ 25 - 20
service/httpd/httpd.go

@@ -96,6 +96,27 @@ func startUnixSocketServer(server *http.Server, socketFile string) {
 	}(socketFile)
 }
 
+func tlsConfig() *tls.Config {
+	// See https://blog.cloudflare.com/exposing-go-on-the-internet/
+	// And https://wikia.mozilla.org/Security/Server_Side_TLS
+	return &tls.Config{
+		MinVersion:               tls.VersionTLS12,
+		PreferServerCipherSuites: true,
+		CurvePreferences: []tls.CurveID{
+			tls.CurveP256,
+			tls.X25519,
+		},
+		CipherSuites: []uint16{
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		},
+	}
+}
+
 func startAutoCertTLSServer(server *http.Server, certDomain, certCache string) {
 	server.Addr = ":https"
 	certManager := autocert.Manager{
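Review bot: The reference comment moved into tlsConfig now reads `https://wikia.mozilla.org/Security/Server_Side_TLS`, a typo for the `wiki.mozilla.org` URL the removed copy in startTLSServer carried, so anyone checking the rationale for this cipher list lands on the wrong site; restore `// And https://wiki.mozilla.org/Security/Server_Side_TLS`. Since tlsConfig is now the single source of TLS settings for both listeners, a short doc comment would help, e.g. `// tlsConfig returns the hardened TLS settings shared by the manual-certificate and autocert listeners; callers supply Certificates or GetCertificate themselves.` On Go versions that support TLS 1.3, CipherSuites and PreferServerCipherSuites only govern TLS 1.2 negotiations (the TLS 1.3 suites are not configurable), which is worth a one-line note so nobody expects this list to constrain TLS 1.3.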
@@ -103,6 +124,8 @@ func startAutoCertTLSServer(server *http.Server, certDomain, certCache string) {
 		Prompt:     autocert.AcceptTOS,
 		HostPolicy: autocert.HostWhitelist(certDomain),
 	}
+	server.TLSConfig = tlsConfig()
+	server.TLSConfig.GetCertificate = certManager.GetCertificate
 
 	// Handle http-01 challenge.
 	s := &http.Server{
@@ -113,32 +136,14 @@ func startAutoCertTLSServer(server *http.Server, certDomain, certCache string) {
 
 	go func() {
 		logger.Info(`Listening on %q by using auto-configured certificate for %q`, server.Addr, certDomain)
-		if err := server.Serve(certManager.Listener()); err != http.ErrServerClosed {
+		if err := server.ListenAndServeTLS("", ""); err != http.ErrServerClosed {
 			logger.Fatal(`Server failed to start: %v`, err)
 		}
 	}()
 }
 
 func startTLSServer(server *http.Server, certFile, keyFile string) {
-	// See https://blog.cloudflare.com/exposing-go-on-the-internet/
-	// And https://wiki.mozilla.org/Security/Server_Side_TLS
-	server.TLSConfig = &tls.Config{
-		MinVersion:               tls.VersionTLS12,
-		PreferServerCipherSuites: true,
-		CurvePreferences: []tls.CurveID{
-			tls.CurveP256,
-			tls.X25519,
-		},
-		CipherSuites: []uint16{
-			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
-			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-		},
-	}
-
+	server.TLSConfig = tlsConfig()
 	go func() {
 		logger.Info(`Listening on %q by using certificate %q and key %q`, server.Addr, certFile, keyFile)
 		if err := server.ListenAndServeTLS(certFile, keyFile); err != http.ErrServerClosed {
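Review bot: Replacing `certManager.Listener()` with `server.ListenAndServeTLS("", "")` means the server no longer uses the config from autocert's `Manager.TLSConfig()`; depending on the x/crypto version in use, that config also advertises the `acme-tls/1` ALPN protocol for the tls-alpn-01 challenge, which the hand-built config from tlsConfig does not set. Issuance still works because this function also starts the http-01 challenge server, but it now depends on port 80 staying reachable from Let's Encrypt, which deserves a comment next to that server, e.g. `// http-01 is the only challenge type served now that the TLS listener no longer uses certManager.TLSConfig(); port 80 must stay reachable.` If tls-alpn-01 is wanted as a fallback, append `acme.ALPNProto` to `server.TLSConfig.NextProtos` before calling ListenAndServeTLS. The http-01 server literal and the rest of startTLSServer continue outside the visible hunks.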