feat: autocert integrated (#132)

Author: tanmoysrt

config.example.yml

@@ -2,6 +2,9 @@ version: 1.0
 mode: standalone # standalone or cluster
 service:
   auto_tls: true # true or false
+  tls_cache_dir: /var/www/.cache
+  whitelisted_domains: # domains that can be used to access the service and generate certificates
+    - *
   bind_address: 0.0.0.0
   bind_port: 3333 # choose any other ports except 80 and 443
   network_name: swiftwave_network # docker swarm overflow network name

go.mod

@@ -85,7 +85,7 @@ require (
 	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.24.0 // indirect
-	golang.org/x/crypto v0.14.0 // indirect
+	golang.org/x/crypto v0.14.0
 	golang.org/x/mod v0.12.0 // indirect
 	golang.org/x/net v0.17.0 // indirect
 	golang.org/x/sys v0.13.0 // indirect

main.go

@@ -1,8 +1,6 @@
 package main
 
 import (
-	"github.com/labstack/echo/v4"
-	"github.com/labstack/echo/v4/middleware"
 	swiftwave "github.com/swiftwave-org/swiftwave/swiftwave_service"
 	"github.com/swiftwave-org/swiftwave/swiftwave_service/core"
 	"github.com/swiftwave-org/swiftwave/swiftwave_service/cronjob"
@@ -43,14 +41,8 @@ func main() {
 	// create a channel to block the main thread
 	var waitForever chan struct{}
 
-	// Create Echo Server
-	echoServer := echo.New()
-	echoServer.Pre(middleware.RemoveTrailingSlash())
-	echoServer.Use(middleware.Recover())
-	echoServer.Use(middleware.CORS())
-
 	// Start the swift wave server
-	go swiftwave.StartServer(config, &manager, echoServer, workerManager, true)
+	go swiftwave.StartServer(config, &manager, workerManager, true)
 	// Wait for consumers
 	go workerManager.WaitForConsumers()
 	// Wait for cronjobs

swiftwave_service/start_server.go

@@ -3,14 +3,30 @@ package swiftwave
 import (
 	"fmt"
 	"github.com/labstack/echo/v4"
+	"github.com/labstack/echo/v4/middleware"
 	"github.com/swiftwave-org/swiftwave/swiftwave_service/core"
 	"github.com/swiftwave-org/swiftwave/swiftwave_service/graphql"
 	"github.com/swiftwave-org/swiftwave/swiftwave_service/rest"
 	"github.com/swiftwave-org/swiftwave/swiftwave_service/worker"
 	"github.com/swiftwave-org/swiftwave/system_config"
+	"golang.org/x/crypto/acme/autocert"
 )
 
-func StartServer(config *system_config.Config, manager *core.ServiceManager, echoServer *echo.Echo, workerManager *worker.Manager, migrateDatabase bool) {
+func StartServer(config *system_config.Config, manager *core.ServiceManager, workerManager *worker.Manager, migrateDatabase bool) {
+	// Create Echo Server
+	echoServer := echo.New()
+	echoServer.Pre(middleware.RemoveTrailingSlash())
+	echoServer.Use(middleware.Recover())
+	echoServer.Use(middleware.Logger())
+	echoServer.Use(middleware.CORS())
+	// enable host whitelist if not all domains are allowed
+	if !config.ServiceConfig.IsAllDomainsAllowed() {
+		echoServer.AutoTLSManager.HostPolicy = autocert.HostWhitelist(config.ServiceConfig.WhiteListedDomains...)
+	}
+	// Configure Auto TLS
+	if config.ServiceConfig.AutoTLS {
+		echoServer.AutoTLSManager.HostPolicy = autocert.HostWhitelist(config.ServiceConfig.NetworkName)
+	}
 	// Create Rest Server
 	restServer := rest.Server{
 		EchoServer:     echoServer,
@@ -35,5 +51,9 @@ func StartServer(config *system_config.Config, manager *core.ServiceManager, ech
 	}
 	// Start the server
 	address := fmt.Sprintf("%s:%d", config.ServiceConfig.BindAddress, config.ServiceConfig.BindPort)
-	echoServer.Logger.Fatal(echoServer.Start(address))
+	if config.ServiceConfig.AutoTLS {
+		echoServer.Logger.Fatal(echoServer.StartAutoTLS(address))
+	} else {
+		echoServer.Logger.Fatal(echoServer.Start(address))
+	}
 }

system_config/types.go

@@ -12,13 +12,15 @@ type Config struct {
 }
 
 type ServiceConfig struct {
-	AutoTLS              bool   `yaml:"auto_tls"`
-	BindAddress          string `yaml:"bind_address"`
-	BindPort             int    `yaml:"bind_port"`
-	NetworkName          string `yaml:"network_name"`
-	DataDir              string `yaml:"data_dir"`
-	DockerUnixSocketPath string `yaml:"docker_unix_socket_path"`
-	RestrictedPorts      []int  `yaml:"restricted_ports"`
+	AutoTLS              bool     `yaml:"auto_tls"`
+	TLSCacheDir          string   `yaml:"tls_cache_dir"`
+	WhiteListedDomains   []string `yaml:"whitelisted_domains"`
+	BindAddress          string   `yaml:"bind_address"`
+	BindPort             int      `yaml:"bind_port"`
+	NetworkName          string   `yaml:"network_name"`
+	DataDir              string   `yaml:"data_dir"`
+	DockerUnixSocketPath string   `yaml:"docker_unix_socket_path"`
+	RestrictedPorts      []int    `yaml:"restricted_ports"`
 }
 
 type PostgresqlConfig struct {

system_config/utils.go

@@ -1,6 +1,9 @@
 package system_config
 
-import "fmt"
+import (
+	"fmt"
+	"strings"
+)
 
 func (p PostgresqlConfig) DSN() string {
 	return fmt.Sprintf("host=%s port=%d user=%s password=%s dbname=%s TimeZone=%s sslmode=disable", p.Host, p.Port, p.User, p.Password, p.Database, p.TimeZone)
@@ -9,3 +12,15 @@ func (p PostgresqlConfig) DSN() string {
 func (a AMQPConfig) URI() string {
 	return fmt.Sprintf("%s://%s:%s@%s:%d", a.Protocol, a.User, a.Password, a.Host)
 }
+
+func (c ServiceConfig) IsAllDomainsAllowed() bool {
+	if len(c.WhiteListedDomains) == 0 {
+		return true
+	}
+	for _, domain := range c.WhiteListedDomains {
+		if strings.Trim(domain, " ") == "*" {
+			return true
+		}
+	}
+	return false
+}