devapp/devappserver: support TLS for local dev and prod via autocert

andybons · andybons · commit 225b18be82fe · 2017-06-26T22:24:21.000Z
Updates golang/go#20691 Change-Id: If0f160713496b1c9ebceacb4975e9afa44539e5a Reviewed-on: https://go-review.googlesource.com/46720 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
diff --git a/devapp/devappserver/Dockerfile.0 b/devapp/devappserver/Dockerfile.0
@@ -20,6 +20,7 @@ RUN go get -d github.com/kylelemons/godebug/pretty && \
     cd /go/src/github.com/kylelemons/godebug && git reset --hard a616ab194758ae0a11290d87ca46ee8c440117b0
 
 RUN go get -d golang.org/x/net/context && \
+    go get -d golang.org/x/net/http2 && \
     cd /go/src/golang.org/x/net && git reset --hard fe686d45ea04bc1bd4eff6a52865ce8757320325
 
 RUN go get -d golang.org/x/oauth2 && \
@@ -29,8 +30,12 @@ RUN go get -d golang.org/x/sync/errgroup && \
     cd /go/src/golang.org/x/sync && git reset --hard f52d1811a62927559de87708c8913c1650ce4f26
 
 RUN go get -d cloud.google.com/go/compute/metadata && \
+    go get -d cloud.google.com/go/storage && \
     cd /go/src/cloud.google.com/go && git reset --hard 23179f286bc31e07fba2eddaa540fb999b1b1fd9
 
+RUN go get -d golang.org/x/crypto/acme/autocert && \
+    cd /go/src/golang.org/x/crypto && git reset --hard adbae1b6b6fb4b02448a0fc0dbbc9ba2b95b294d
+
 # Optimization to speed COPY+go install steps later. This go install
 # isn't required for correctness.
 RUN go install github.com/aclements/go-gg/generic/slice \
diff --git a/devapp/devappserver/deployment-dev.yaml b/devapp/devappserver/deployment-dev.yaml
@@ -13,6 +13,7 @@ spec:
       - name: devappserver
         image: gcr.io/go-dashboard-dev/devappserver:latest
         imagePullPolicy: Always
+        command: ["/devappserver", "-listen=:80"]
         ports:
         - containerPort: 80
         - containerPort: 443
diff --git a/devapp/devappserver/deployment-prod.yaml b/devapp/devappserver/deployment-prod.yaml
@@ -13,6 +13,7 @@ spec:
       - name: devappserver
         image: gcr.io/symbolic-datum-552/devappserver:latest
         imagePullPolicy: Always
+        command: ["/devappserver", "-listen=:80", "-autocert-bucket=golang-devapp-autocert"]
         ports:
         - containerPort: 80
         - containerPort: 443
diff --git a/devapp/devappserver/main.go b/devapp/devappserver/main.go
@@ -2,50 +2,134 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// Devapp generates the dashboard that powers dev.golang.org. This binary is
-// designed to be run outside of an App Engine context.
-//
-// Usage:
-//
-//	devappserver --http=:8081
-//
-// By default devappserver listens on port 80.
-//
-// For the moment, Github issues and Gerrit CL's are stored in memory
-// in the running process. To trigger an initial download, visit
-// http://localhost:8081/update and/or http://localhost:8081/update/stats in
-// your browser.
+// Devapp generates the dashboard that powers dev.golang.org.
 
 package main
 
 import (
+	"context"
+	"crypto/tls"
+	"errors"
 	"flag"
 	"fmt"
 	"log"
 	"net"
 	"net/http"
+	"net/http/httptest"
 	"os"
+	"strconv"
+	"strings"
+	"time"
+
+	"cloud.google.com/go/storage"
+	"golang.org/x/build/autocertcache"
+	"golang.org/x/crypto/acme/autocert"
+	"golang.org/x/net/http2"
 
 	_ "golang.org/x/build/devapp" // registers HTTP handlers
 )
 
 func init() {
 	flag.Usage = func() {
-		os.Stderr.WriteString(`usage: devappserver [-http=addr]
-
-devappserver generates the dashboard that powers dev.golang.org.
-	`)
+		os.Stderr.WriteString("devappserver generates the dashboard that powers dev.golang.org.\n")
+		flag.PrintDefaults()
 	}
 }
 
 func main() {
-	httpAddr := flag.String("http", ":80", "HTTP service address (e.g., ':8080')")
+	var (
+		listen         = flag.String("listen", "localhost:6343", "listen address")
+		devTLSPort     = flag.Int("dev-tls-port", 0, "if non-zero, port number to run localhost self-signed TLS server")
+		autocertBucket = flag.String("autocert-bucket", "", "if non-empty, listen on port 443 and serve a LetsEncrypt TLS cert using this Google Cloud Storage bucket as a cache")
+	)
 	flag.Parse()
-	ln, err := net.Listen("tcp", *httpAddr)
+
+	ln, err := net.Listen("tcp", *listen)
+	if err != nil {
+		log.Fatalf("Error listening on %s: %v\n", *listen, err)
+	}
+	log.Printf("Listening on %s\n", ln.Addr())
+
+	errc := make(chan error)
+	if ln != nil {
+		go func() { errc <- fmt.Errorf("http.Serve = %v", http.Serve(ln, nil)) }()
+	}
+	if *autocertBucket != "" {
+		go func() { errc <- serveAutocertTLS(*autocertBucket) }()
+	}
+	if *devTLSPort != 0 {
+		go func() { errc <- serveDevTLS(*devTLSPort) }()
+	}
+
+	log.Fatal(<-errc)
+}
+
+func serveDevTLS(port int) error {
+	ln, err := net.Listen("tcp", "localhost:"+strconv.Itoa(port))
+	if err != nil {
+		return err
+	}
+	defer ln.Close()
+	log.Printf("Serving self-signed TLS at https://%s", ln.Addr())
+	// Abuse httptest for its localhost TLS setup code:
+	ts := httptest.NewUnstartedServer(http.DefaultServeMux)
+	// Ditch the provided listener, replace with our own:
+	ts.Listener.Close()
+	ts.Listener = ln
+	ts.TLS = &tls.Config{
+		NextProtos:         []string{"h2", "http/1.1"},
+		InsecureSkipVerify: true,
+	}
+	ts.StartTLS()
+
+	select {}
+}
+
+func serveAutocertTLS(bucket string) error {
+	ln, err := net.Listen("tcp", ":443")
+	if err != nil {
+		return err
+	}
+	defer ln.Close()
+	sc, err := storage.NewClient(context.Background())
+	if err != nil {
+		return fmt.Errorf("storage.NewClient: %v", err)
+	}
+	m := autocert.Manager{
+		Prompt: autocert.AcceptTOS,
+		HostPolicy: func(ctx context.Context, host string) error {
+			if !strings.HasSuffix(host, ".golang.org") {
+				return errors.New("refusing to serve autocert on provided domain")
+			}
+			return nil
+		},
+		Cache: autocertcache.NewGoogleCloudStorageCache(sc, bucket),
+	}
+	config := &tls.Config{
+		GetCertificate: m.GetCertificate,
+		NextProtos:     []string{"h2", "http/1.1"},
+	}
+	tlsLn := tls.NewListener(tcpKeepAliveListener{ln.(*net.TCPListener)}, config)
+	server := &http.Server{
+		Addr: ln.Addr().String(),
+	}
+	if err := http2.ConfigureServer(server, nil); err != nil {
+		log.Fatalf("http2.ConfigureServer: %v", err)
+	}
+	log.Printf("Serving TLS at %s", tlsLn.Addr())
+	return server.Serve(tlsLn)
+}
+
+type tcpKeepAliveListener struct {
+	*net.TCPListener
+}
+
+func (ln tcpKeepAliveListener) Accept() (c net.Conn, err error) {
+	tc, err := ln.AcceptTCP()
 	if err != nil {
-		fmt.Fprintf(os.Stderr, "Error listening on %s: %v\n", *httpAddr, err)
-		os.Exit(2)
+		return
 	}
-	fmt.Fprintf(os.Stderr, "Serving at %s\n", ln.Addr().String())
-	log.Fatal(http.Serve(ln, nil))
+	tc.SetKeepAlive(true)
+	tc.SetKeepAlivePeriod(3 * time.Minute)
+	return tc, nil
 }
