Fix autocert HostPolicy

Previously, the HostPolicy whitelist was given the instance's full (and invalid) URL.
Now it is given only the host name.

Ref T542
Matt Baer 2019-07-20 21:34:58 -04:00
parent 36fb7ecb2b
commit 42386beabc
1 changed files with 14 additions and 4 deletions

18
app.go

@ -393,11 +393,21 @@ func Serve(app *App, r *mux.Router) {
log.Info("Serving on https://%s:443", bindAddress)
if app.cfg.Server.Autocert {
log.Info("Using autocert")
m := &autocert.Manager{
Prompt: autocert.AcceptTOS,
Cache: autocert.DirCache(app.cfg.Server.TLSCertPath),
HostPolicy: autocert.HostWhitelist(app.cfg.App.Host),
Prompt: autocert.AcceptTOS,
Cache: autocert.DirCache(app.cfg.Server.TLSCertPath),
}
host, err := url.Parse(app.cfg.App.Host)
if err != nil {
log.Error("[WARNING] Unable to parse configured host! %s", err)
log.Error(`[WARNING] ALL hosts are allowed, which can open you to an attack where
clients connect to a server by IP address and pretend to be asking for an
incorrect host name, and cause you to reach the CA's rate limit for certificate
requests. We recommend supplying a valid host name.`)
log.Info("Using autocert on ANY host")
} else {
log.Info("Using autocert on host %s", host.Host)
m.HostPolicy = autocert.HostWhitelist(host.Host)
}
s := &http.Server{
Addr: ":https",
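Review bot: The new check only handles a `url.Parse` error, which that function rarely returns; a configured value without a scheme (for example `example.com`) parses successfully with an empty `Host`, so the whitelist on the `m.HostPolicy` line becomes `HostWhitelist("")` and every certificate request is rejected, while a value with a port leaves the port in `host.Host`, which will not match the SNI name the policy is asked about. Guard on the parsed host rather than only the error, `if err != nil || host.Hostname() == "" {`, and whitelist `host.Hostname()` so any port is dropped. Because the error branch leaves `HostPolicy` nil and, as the logged warning itself states, allows any host, consider refusing to start on a bad host configuration instead of continuing with the permissive policy, since that branch is where the CA rate-limit exposure comes from. The enclosing `Serve` function starts before and continues past this hunk.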