Support multiple keypairs

Instead of realying ona simgle key file, we now support multiple keypairs and each one an individual keyfile and certfile.
2024-02-24 20:06:50 +01:00 · 2024-02-24 20:06:50 +01:00 · b62d5edef5
parent 455811066b
commit b62d5edef5
3 changed files with 32 additions and 26 deletions
--- a/cmd/weblug/config.go
+++ b/cmd/weblug/config.go
@ -24,11 +24,17 @@ type ConfigSettings struct {
 }

 type TLSSettings struct {
-	Enabled      bool     `yaml:"enabled"`
-	MinVersion   string   `yaml:"minversion"`
-	MaxVersion   string   `yaml:"maxversion"`
-	Keyfile      string   `yaml:"keyfile"`
-	Certificates []string `yaml:"certificates"`
+	Enabled      bool          `yaml:"enabled"`
+	MinVersion   string        `yaml:"minversion"`
+	MaxVersion   string        `yaml:"maxversion"`
+	Keypairs     []TLSKeypairs `yaml:"keypairs"`
+	Keyfile      string        `yaml:"keyfile"`
+	Certificates []string      `yaml:"certificates"`
+}
+
+type TLSKeypairs struct {
+	Keyfile     string `yaml:"keyfile"`
+	Certificate string `yaml:"certificate"`
 }

 func (cf *Config) SetDefaults() {
--- a/cmd/weblug/weblug.go
+++ b/cmd/weblug/weblug.go
@ -153,37 +153,34 @@ func main() {
 			fmt.Fprintf(os.Stderr, "warning: using of a deprecated TLS version (< 1.2) is not recommended\n")
 		}
 		// Create self-signed certificate, when no keyfile and no certificates are present
-		if cf.Settings.TLS.Keyfile == "" && len(cf.Settings.TLS.Certificates) == 0 {
+		if len(cf.Settings.TLS.Keypairs) == 0 {
 			// TODO
 			fmt.Fprintf(os.Stderr, "error: creating self-signed certificates is not yet implemented")
 			os.Exit(1)
 		} else {
 			var err error
-			// Ensure keyfile AND certificates are present.
-			if cf.Settings.TLS.Keyfile == "" {
-				fmt.Fprintf(os.Stderr, "no keyfile defined\n")
-				os.Exit(1)
-			}
-			if len(cf.Settings.TLS.Certificates) == 0 {
-				fmt.Fprintf(os.Stderr, "no certificates defined\n")
-				os.Exit(1)
-			}
-
 			// Load certificates
-			tlsConfig.Certificates = make([]tls.Certificate, len(cf.Settings.TLS.Certificates))
-			for i, cert := range cf.Settings.TLS.Certificates {
-				tlsConfig.Certificates[i], err = tls.LoadX509KeyPair(cert, cf.Settings.TLS.Keyfile)
+			tlsConfig.Certificates = make([]tls.Certificate, len(cf.Settings.TLS.Keypairs))
+			for i, keypair := range cf.Settings.TLS.Keypairs {
+				tlsConfig.Certificates[i], err = tls.LoadX509KeyPair(keypair.Certificate, keypair.Keyfile)
 				if err != nil {
-					fmt.Fprintf(os.Stderr, "error: certificate '%s' invalid: %s\n", cert, err)
+					fmt.Fprintf(os.Stderr, "error: tls keypair '%s,%s' invalid: %s\n", keypair.Certificate, keypair.Keyfile, err)
 					os.Exit(1)
 				}
 			}
+
+			if len(tlsConfig.Certificates) == 1 {
+				log.Printf("Loaded 1 tls certificate")
+			} else {
+				log.Printf("Loaded %d tls certificates", len(tlsConfig.Certificates))
+			}
 		}
 		listener, err := tls.Listen("tcp", cf.Settings.BindAddress, tlsConfig)
 		if err != nil {
 			fmt.Fprintf(os.Stderr, "error: cannot listen on '%s': %s\n", cf.Settings.BindAddress, err)
 			os.Exit(1)
 		}
+		log.Printf("Serving tls requests now on %s", cf.Settings.BindAddress)
 		err = server.Serve(listener)
 		log.Fatal(err)
 	} else {
@ -194,6 +191,7 @@ func main() {
 			WriteTimeout:   time.Duration(cf.Settings.WriteTimeout) * time.Second,
 			MaxHeaderBytes: cf.Settings.MaxHeaderBytes,
 		}
+		log.Printf("Serving requests now on %s", cf.Settings.BindAddress)
 		err := server.ListenAndServe()
 		log.Fatal(err)
 	}
--- a/weblug.yml
+++ b/weblug.yml
@ -17,10 +17,11 @@ settings:
    # Minimum and maximum requires TLS version. By default TLS1.2 is the minimum
    minversion: '1.2'
    maxversion: ''
-    keyfile: 'weblug.key'
-    certificates:
-      - weblug1.pem
-      - weblug2.pem
+    keypairs:
+      - keyfile: 'weblug.key'
+        certificate: 'weblug1.pem'
+      - keyfile: 'weblug.key'
+        certificate: 'weblug2.pem'

 # hook definitions. A hook needs to define the HTTP endpoint ("route") and the command
 # See the following examples for more possible options.
@ -28,10 +29,11 @@ hooks:
  - name: 'hook one'
    route: "/webhooks/1"

-    # if hosts is present, limit requests to this remote hosts
-    # Currently multiplexing the same routes to different hosts does not work.
+    # if hosts is present, then limit the incoming requests to the given remote host(s)
+    # Currently multiplexing the same route to different hosts does not work
    hosts:
      - example1.local
+      - example2.local
    
    command: "sleep 5"
    background: True         # Terminate http request immediately