httpd.go 6.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232
  1. // Copyright 2018 Frédéric Guillot. All rights reserved.
  2. // Use of this source code is governed by the Apache 2.0
  3. // license that can be found in the LICENSE file.
  4. package httpd // import "miniflux.app/service/httpd"
  5. import (
  6. "crypto/tls"
  7. "net"
  8. "net/http"
  9. "os"
  10. "strconv"
  11. "strings"
  12. "time"
  13. "miniflux.app/api"
  14. "miniflux.app/config"
  15. "miniflux.app/fever"
  16. "miniflux.app/http/request"
  17. "miniflux.app/logger"
  18. "miniflux.app/reader/feed"
  19. "miniflux.app/storage"
  20. "miniflux.app/ui"
  21. "miniflux.app/version"
  22. "miniflux.app/worker"
  23. "github.com/gorilla/mux"
  24. "github.com/prometheus/client_golang/prometheus/promhttp"
  25. "golang.org/x/crypto/acme/autocert"
  26. )
  27. // Serve starts a new HTTP server.
  28. func Serve(store *storage.Storage, pool *worker.Pool, feedHandler *feed.Handler) *http.Server {
  29. certFile := config.Opts.CertFile()
  30. keyFile := config.Opts.CertKeyFile()
  31. certDomain := config.Opts.CertDomain()
  32. certCache := config.Opts.CertCache()
  33. listenAddr := config.Opts.ListenAddr()
  34. server := &http.Server{
  35. ReadTimeout: 300 * time.Second,
  36. WriteTimeout: 300 * time.Second,
  37. IdleTimeout: 300 * time.Second,
  38. Handler: setupHandler(store, feedHandler, pool),
  39. }
  40. switch {
  41. case os.Getenv("LISTEN_PID") == strconv.Itoa(os.Getpid()):
  42. startSystemdSocketServer(server)
  43. case strings.HasPrefix(listenAddr, "/"):
  44. startUnixSocketServer(server, listenAddr)
  45. case certDomain != "" && certCache != "":
  46. config.Opts.HTTPS = true
  47. startAutoCertTLSServer(server, certDomain, certCache)
  48. case certFile != "" && keyFile != "":
  49. config.Opts.HTTPS = true
  50. server.Addr = listenAddr
  51. startTLSServer(server, certFile, keyFile)
  52. default:
  53. server.Addr = listenAddr
  54. startHTTPServer(server)
  55. }
  56. return server
  57. }
  58. func startSystemdSocketServer(server *http.Server) {
  59. go func() {
  60. f := os.NewFile(3, "systemd socket")
  61. listener, err := net.FileListener(f)
  62. if err != nil {
  63. logger.Fatal(`Unable to create listener from systemd socket: %v`, err)
  64. }
  65. logger.Info(`Listening on systemd socket`)
  66. if err := server.Serve(listener); err != http.ErrServerClosed {
  67. logger.Fatal(`Server failed to start: %v`, err)
  68. }
  69. }()
  70. }
  71. func startUnixSocketServer(server *http.Server, socketFile string) {
  72. os.Remove(socketFile)
  73. go func(sock string) {
  74. listener, err := net.Listen("unix", sock)
  75. if err != nil {
  76. logger.Fatal(`Server failed to start: %v`, err)
  77. }
  78. defer listener.Close()
  79. if err := os.Chmod(sock, 0666); err != nil {
  80. logger.Fatal(`Unable to change socket permission: %v`, err)
  81. }
  82. logger.Info(`Listening on Unix socket %q`, sock)
  83. if err := server.Serve(listener); err != http.ErrServerClosed {
  84. logger.Fatal(`Server failed to start: %v`, err)
  85. }
  86. }(socketFile)
  87. }
  88. func tlsConfig() *tls.Config {
  89. // See https://blog.cloudflare.com/exposing-go-on-the-internet/
  90. // And https://wikia.mozilla.org/Security/Server_Side_TLS
  91. return &tls.Config{
  92. MinVersion: tls.VersionTLS12,
  93. PreferServerCipherSuites: true,
  94. CurvePreferences: []tls.CurveID{
  95. tls.CurveP256,
  96. tls.X25519,
  97. },
  98. CipherSuites: []uint16{
  99. tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
  100. tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
  101. tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
  102. tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  103. tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
  104. tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  105. },
  106. }
  107. }
  108. func startAutoCertTLSServer(server *http.Server, certDomain, certCache string) {
  109. server.Addr = ":https"
  110. certManager := autocert.Manager{
  111. Cache: autocert.DirCache(certCache),
  112. Prompt: autocert.AcceptTOS,
  113. HostPolicy: autocert.HostWhitelist(certDomain),
  114. }
  115. server.TLSConfig = tlsConfig()
  116. server.TLSConfig.GetCertificate = certManager.GetCertificate
  117. // Handle http-01 challenge.
  118. s := &http.Server{
  119. Handler: certManager.HTTPHandler(nil),
  120. Addr: ":http",
  121. }
  122. go s.ListenAndServe()
  123. go func() {
  124. logger.Info(`Listening on %q by using auto-configured certificate for %q`, server.Addr, certDomain)
  125. if err := server.ListenAndServeTLS("", ""); err != http.ErrServerClosed {
  126. logger.Fatal(`Server failed to start: %v`, err)
  127. }
  128. }()
  129. }
  130. func startTLSServer(server *http.Server, certFile, keyFile string) {
  131. server.TLSConfig = tlsConfig()
  132. go func() {
  133. logger.Info(`Listening on %q by using certificate %q and key %q`, server.Addr, certFile, keyFile)
  134. if err := server.ListenAndServeTLS(certFile, keyFile); err != http.ErrServerClosed {
  135. logger.Fatal(`Server failed to start: %v`, err)
  136. }
  137. }()
  138. }
  139. func startHTTPServer(server *http.Server) {
  140. go func() {
  141. logger.Info(`Listening on %q without TLS`, server.Addr)
  142. if err := server.ListenAndServe(); err != http.ErrServerClosed {
  143. logger.Fatal(`Server failed to start: %v`, err)
  144. }
  145. }()
  146. }
  147. func setupHandler(store *storage.Storage, feedHandler *feed.Handler, pool *worker.Pool) *mux.Router {
  148. router := mux.NewRouter()
  149. if config.Opts.BasePath() != "" {
  150. router = router.PathPrefix(config.Opts.BasePath()).Subrouter()
  151. }
  152. if config.Opts.HasMaintenanceMode() {
  153. router.Use(func(next http.Handler) http.Handler {
  154. return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
  155. w.Write([]byte(config.Opts.MaintenanceMessage()))
  156. })
  157. })
  158. }
  159. router.Use(middleware)
  160. fever.Serve(router, store)
  161. api.Serve(router, store, pool, feedHandler)
  162. ui.Serve(router, store, pool, feedHandler)
  163. router.HandleFunc("/healthcheck", func(w http.ResponseWriter, r *http.Request) {
  164. w.Write([]byte("OK"))
  165. }).Name("healthcheck")
  166. router.HandleFunc("/version", func(w http.ResponseWriter, r *http.Request) {
  167. w.Write([]byte(version.Version))
  168. }).Name("version")
  169. if config.Opts.HasMetricsCollector() {
  170. router.Handle("/metrics", promhttp.Handler()).Name("metrics")
  171. router.Use(func(next http.Handler) http.Handler {
  172. return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
  173. route := mux.CurrentRoute(r)
  174. // Returns a 404 if the client is not authorized to access the metrics endpoint.
  175. if route.GetName() == "metrics" && !isAllowedToAccessMetricsEndpoint(r) {
  176. logger.Error(`[Metrics] Client not allowed: %s`, request.ClientIP(r))
  177. http.NotFound(w, r)
  178. return
  179. }
  180. next.ServeHTTP(w, r)
  181. })
  182. })
  183. }
  184. return router
  185. }
  186. func isAllowedToAccessMetricsEndpoint(r *http.Request) bool {
  187. clientIP := net.ParseIP(request.ClientIP(r))
  188. for _, cidr := range config.Opts.MetricsAllowedNetworks() {
  189. _, network, err := net.ParseCIDR(cidr)
  190. if err != nil {
  191. logger.Fatal(`[Metrics] Unable to parse CIDR %v`, err)
  192. }
  193. if network.Contains(clientIP) {
  194. return true
  195. }
  196. }
  197. return false
  198. }