Fix autocert HostPolicy
Previously, this would pass in the instance's full (and invalid) URL. Now it passes only the host name. Ref T542
This commit is contained in:
parent
36fb7ecb2b
commit
42386beabc
14
app.go
14
app.go
@ -393,11 +393,21 @@ func Serve(app *App, r *mux.Router) {
|
|||||||
|
|
||||||
log.Info("Serving on https://%s:443", bindAddress)
|
log.Info("Serving on https://%s:443", bindAddress)
|
||||||
if app.cfg.Server.Autocert {
|
if app.cfg.Server.Autocert {
|
||||||
log.Info("Using autocert")
|
|
||||||
m := &autocert.Manager{
|
m := &autocert.Manager{
|
||||||
Prompt: autocert.AcceptTOS,
|
Prompt: autocert.AcceptTOS,
|
||||||
Cache: autocert.DirCache(app.cfg.Server.TLSCertPath),
|
Cache: autocert.DirCache(app.cfg.Server.TLSCertPath),
|
||||||
HostPolicy: autocert.HostWhitelist(app.cfg.App.Host),
|
}
|
||||||
|
host, err := url.Parse(app.cfg.App.Host)
|
||||||
|
if err != nil {
|
||||||
|
log.Error("[WARNING] Unable to parse configured host! %s", err)
|
||||||
|
log.Error(`[WARNING] ALL hosts are allowed, which can open you to an attack where
|
||||||
|
clients connect to a server by IP address and pretend to be asking for an
|
||||||
|
incorrect host name, and cause you to reach the CA's rate limit for certificate
|
||||||
|
requests. We recommend supplying a valid host name.`)
|
||||||
|
log.Info("Using autocert on ANY host")
|
||||||
|
} else {
|
||||||
|
log.Info("Using autocert on host %s", host.Host)
|
||||||
|
m.HostPolicy = autocert.HostWhitelist(host.Host)
|
||||||
}
|
}
|
||||||
s := &http.Server{
|
s := &http.Server{
|
||||||
Addr: ":https",
|
Addr: ":https",
|
||||||
|
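Review bot: The else branch installs `autocert.HostWhitelist(host.Host)`, but `url.Parse` accepts a scheme-less value such as a bare domain without returning an error and leaves `Host` empty, so a whitelist of `""` is installed and, as far as I can tell from autocert's whitelist semantics, no server name is ever accepted — the service goes dark instead of reaching the allow-all branch the warning text describes; `Host` also keeps any `:port` from the configured URL, which will never match the server name a client presents. Using `host.Hostname()` in both the log line and the whitelist, and treating an empty hostname like a parse failure, covers both cases: `if err != nil || host.Hostname() == "" {` together with `m.HostPolicy = autocert.HostWhitelist(host.Hostname())`. In the empty-hostname case `err` is nil, so the first `log.Error` call would print `<nil>` and needs its own wording. `Serve` begins and ends outside this hunk.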