settings: introduce settings YAML file to complement cmd arguments

2025-04-24 15:25:41 +02:00
parent fc7d67ad70
commit 9541c58eeb
15 changed files with 523 additions and 230 deletions
--- a/lib/challenge/data.go
+++ b/lib/challenge/data.go
@@ -12,8 +12,8 @@ import (
 	"github.com/google/cel-go/cel"
 	"github.com/google/cel-go/common/types"
 	"github.com/google/cel-go/common/types/traits"
-	"net"
 	"net/http"
+	"net/netip"
 	"net/textproto"
 	"time"
 )
@@ -36,7 +36,7 @@ type RequestData struct {
 	Time            time.Time
 	ChallengeVerify map[Id]VerifyResult
 	ChallengeState  map[Id]VerifyState
-	RemoteAddress   net.IP
+	RemoteAddress   netip.AddrPort
 	State           StateInterface
 	CookiePrefix    string

@@ -57,7 +57,6 @@ func CreateRequestData(r *http.Request, state StateInterface) (*http.Request, *R
 	data.ChallengeState = make(map[Id]VerifyState, len(state.GetChallenges()))
 	data.Time = time.Now().UTC()
 	data.State = state
-	data.r = r

 	data.fp = make(map[string]string, 2)

@@ -85,6 +84,8 @@ func CreateRequestData(r *http.Request, state StateInterface) (*http.Request, *R
 	data.CookiePrefix = utils.CookiePrefix + hex.EncodeToString(sum.Sum(nil)[:4]) + "-"

 	r = r.WithContext(context.WithValue(r.Context(), requestDataContextKey{}, &data))
+	r = utils.SetRemoteAddress(r, data.RemoteAddress)
+	data.r = r

 	return r, &data
 }
@@ -96,7 +97,7 @@ func (d *RequestData) ResolveName(name string) (any, bool) {
 	case "method":
 		return d.r.Method, true
 	case "remoteAddress":
-		return d.RemoteAddress, true
+		return d.RemoteAddress.Addr().AsSlice(), true
 	case "userAgent":
 		return d.r.UserAgent(), true
 	case "path":
--- a/lib/challenge/dnsbl/dnsbl.go
+++ b/lib/challenge/dnsbl/dnsbl.go
@@ -119,9 +119,9 @@ func FillRegistration(state challenge.StateInterface, reg *challenge.Registratio

 		data := challenge.RequestDataFromContext(r.Context())

-		result, err := lookup(r.Context(), params.Decay, params.Timeout, dnsbl, decayMap, data.RemoteAddress)
+		result, err := lookup(r.Context(), params.Decay, params.Timeout, dnsbl, decayMap, data.RemoteAddress.Addr().Unmap().AsSlice())
 		if err != nil {
-			data.State.Logger(r).Debug("dnsbl lookup failed", "address", data.RemoteAddress.String(), "result", result, "err", err)
+			data.State.Logger(r).Debug("dnsbl lookup failed", "address", data.RemoteAddress.Addr().String(), "result", result, "err", err)
 		}

 		if result.Bad() {
--- a/lib/challenge/key.go
+++ b/lib/challenge/key.go
@@ -47,7 +47,8 @@ func GetChallengeKeyForRequest(state StateInterface, reg *Registration, until ti
 	hasher.Write([]byte("challenge\x00"))
 	hasher.Write([]byte(reg.Name))
 	hasher.Write([]byte{0})
-	hasher.Write(address.To16())
+	ipBuf := address.Addr().Unmap().As16()
+	hasher.Write(ipBuf[:])
 	hasher.Write([]byte{0})

 	// specific headers
@@ -72,7 +73,7 @@ func GetChallengeKeyForRequest(state StateInterface, reg *Registration, until ti

 	sum[0] = 0

-	if address.To4() != nil {
+	if address.Addr().Unmap().Is4() {
 		// Is IPv4, mark
 		sum.Set(KeyFlagIsIPv4)
 	}
--- a/lib/challenge/types.go
+++ b/lib/challenge/types.go
@@ -3,6 +3,7 @@ package challenge
 import (
 	"crypto/ed25519"
 	"git.gammaspectra.live/git/go-away/lib/policy"
+	"git.gammaspectra.live/git/go-away/lib/settings"
 	"github.com/google/cel-go/cel"
 	"log/slog"
 	"net/http"
@@ -106,7 +107,9 @@ type StateInterface interface {
 	GetChallengeByName(name string) (*Registration, bool)
 	GetChallenges() Register

-	Settings() policy.Settings
+	Settings() policy.StateSettings
+
+	Options() settings.Settings

 	GetBackend(host string) http.Handler
 }
--- a/lib/http.go
+++ b/lib/http.go
@@ -10,10 +10,7 @@ import (
 	"html/template"
 	"log/slog"
 	"net/http"
-	"net/http/pprof"
-	"strconv"
 	"strings"
-	"time"
 )

 var templates map[string]*template.Template
@@ -51,17 +48,11 @@ func initTemplate(name, data string) error {
 	return nil
 }

-func (state *State) addTiming(w http.ResponseWriter, name, desc string, duration time.Duration) {
-	if state.Settings().Debug {
-		w.Header().Add("Server-Timing", fmt.Sprintf("%s;desc=%s;dur=%d", name, strconv.Quote(desc), duration.Milliseconds()))
-	}
-}
-
 func GetLoggerForRequest(r *http.Request) *slog.Logger {
 	data := challenge.RequestDataFromContext(r.Context())
 	args := []any{
 		"request_id", data.Id.String(),
-		"remote_address", data.RemoteAddress.String(),
+		"remote_address", data.RemoteAddress.Addr().String(),
 		"user_agent", r.UserAgent(),
 		"host", r.Host,
 		"path", r.URL.Path,
@@ -152,14 +143,6 @@ func (state *State) setupRoutes() error {

 	state.Mux.HandleFunc("/", state.handleRequest)

-	if state.Settings().Debug {
-		//TODO: split this to a different listener, metrics listener
-		http.HandleFunc(state.urlPath+"/debug/pprof/", pprof.Index)
-		http.HandleFunc(state.urlPath+"/debug/pprof/profile", pprof.Profile)
-		http.HandleFunc(state.urlPath+"/debug/pprof/symbol", pprof.Symbol)
-		http.HandleFunc(state.urlPath+"/debug/pprof/trace", pprof.Trace)
-	}
-
 	state.Mux.Handle("GET "+state.urlPath+"/assets/", http.StripPrefix(state.UrlPath()+"/assets/", gzipped.FileServer(gzipped.FS(embed.AssetsFs))))

 	for _, reg := range state.challenges {
--- a/lib/interface.go
+++ b/lib/interface.go
@@ -5,6 +5,7 @@ import (
 	"crypto/ed25519"
 	"git.gammaspectra.live/git/go-away/lib/challenge"
 	"git.gammaspectra.live/git/go-away/lib/policy"
+	"git.gammaspectra.live/git/go-away/lib/settings"
 	"git.gammaspectra.live/git/go-away/utils"
 	"github.com/google/cel-go/cel"
 	"log/slog"
@@ -72,23 +73,30 @@ func (state *State) ChallengePage(w http.ResponseWriter, r *http.Request, status
 	input := make(map[string]any)
 	input["Id"] = data.Id.String()
 	input["Random"] = utils.CacheBust()
+
+	input["Path"] = state.UrlPath()
+	for k, v := range state.Options().ChallengeTemplateOverrides {
+		input[k] = v
+	}
+	for k, v := range state.Options().Strings {
+		input["str_"+k] = v
+	}
+
 	if reg != nil {
 		input["Challenge"] = reg.Name
-		input["Path"] = state.UrlPath()
 	}
-	input["Theme"] = state.Settings().ChallengeTemplateTheme

 	maps.Copy(input, params)

 	if _, ok := input["Title"]; !ok {
-		input["Title"] = "Checking you are not a bot"
+		input["Title"] = state.Options().Strings.Get("challenge_are_you_bot")
 	}

 	w.Header().Set("Content-Type", "text/html; charset=utf-8")

 	buf := bytes.NewBuffer(make([]byte, 0, 8192))

-	err := templates["challenge-"+state.Settings().ChallengeTemplate+".gohtml"].Execute(buf, input)
+	err := templates["challenge-"+state.Options().ChallengeTemplate+".gohtml"].Execute(buf, input)
 	if err != nil {
 		state.ErrorPage(w, r, http.StatusInternalServerError, err, "")
 	} else {
@@ -103,17 +111,25 @@ func (state *State) ErrorPage(w http.ResponseWriter, r *http.Request, status int

 	buf := bytes.NewBuffer(make([]byte, 0, 8192))

-	err2 := templates["challenge-"+state.Settings().ChallengeTemplate+".gohtml"].Execute(buf, map[string]any{
+	input := map[string]any{
 		"Id":          data.Id.String(),
 		"Random":      utils.CacheBust(),
 		"Error":       err.Error(),
 		"Path":        state.UrlPath(),
-		"Theme":       state.Settings().ChallengeTemplateTheme,
-		"Title":       "Oh no! " + http.StatusText(status),
+		"Theme":       "",
+		"Title":       state.Options().Strings.Get("error") + " " + http.StatusText(status),
 		"HideSpinner": true,
 		"Challenge":   "",
 		"Redirect":    redirect,
-	})
+	}
+	for k, v := range state.Options().ChallengeTemplateOverrides {
+		input[k] = v
+	}
+	for k, v := range state.Options().Strings {
+		input["str_"+k] = v
+	}
+
+	err2 := templates["challenge-"+state.Options().ChallengeTemplate+".gohtml"].Execute(buf, input)
 	if err2 != nil {
 		// nested errors!
 		panic(err2)
@@ -136,10 +152,14 @@ func (state *State) GetChallengeByName(name string) (*challenge.Registration, bo
 	reg, _, ok := state.challenges.GetByName(name)
 	return reg, ok
 }
-func (state *State) Settings() policy.Settings {
+func (state *State) Settings() policy.StateSettings {
 	return state.settings
 }

+func (state *State) Options() settings.Settings {
+	return state.opt
+}
+
 func (state *State) GetBackend(host string) http.Handler {
 	return utils.SelectHTTPHandler(state.Settings().Backends, host)
 }
--- a/lib/policy/options.go
+++ b/lib/policy/options.go
@@ -1,22 +0,0 @@
-package policy
-
-import (
-	"git.gammaspectra.live/git/go-away/utils"
-	"net/http"
-)
-
-type Settings struct {
-	Cache                  utils.Cache
-	Backends               map[string]http.Handler
-	PrivateKeySeed         []byte
-	Debug                  bool
-	MainName               string
-	MainVersion            string
-	PackageName            string
-	ChallengeTemplate      string
-	ChallengeTemplateTheme string
-	ClientIpHeader         string
-	BackendIpHeader        string
-
-	ChallengeResponseCode int
-}
--- a/lib/policy/state.go
+++ b/lib/policy/state.go
@@ -0,0 +1,19 @@
+package policy
+
+import (
+	"git.gammaspectra.live/git/go-away/utils"
+	"net/http"
+)
+
+type StateSettings struct {
+	Cache           utils.Cache
+	Backends        map[string]http.Handler
+	PrivateKeySeed  []byte
+	MainName        string
+	MainVersion     string
+	PackageName     string
+	ClientIpHeader  string
+	BackendIpHeader string
+
+	ChallengeResponseCode int
+}
--- a/lib/settings/backend.go
+++ b/lib/settings/backend.go
@@ -0,0 +1,85 @@
+package settings
+
+import (
+	"git.gammaspectra.live/git/go-away/utils"
+	"net/http"
+	"net/http/httputil"
+)
+
+type Backend struct {
+	// URL Target server backend path. Supports http/https/unix protocols.
+	URL string `yaml:"url"`
+
+	// Host Override the Host header and TLS SNI with this value if specified
+	Host string `yaml:"host"`
+
+	//ProxyProtocol uint8 `yaml:"proxy-protocol"`
+
+	// HTTP2Enabled Enable HTTP2 to backend
+	HTTP2Enabled bool `yaml:"http2-enabled"`
+
+	// TLSSkipVerify Disable TLS certificate verification, if any
+	TLSSkipVerify bool `yaml:"tls-skip-verify"`
+}
+
+func (b Backend) Create() (*httputil.ReverseProxy, error) {
+	proxy, err := utils.MakeReverseProxy(b.URL)
+	if err != nil {
+		return nil, err
+	}
+
+	transport := proxy.Transport.(*http.Transport)
+
+	if b.HTTP2Enabled {
+		transport.ForceAttemptHTTP2 = true
+	}
+
+	if b.TLSSkipVerify {
+		transport.TLSClientConfig.InsecureSkipVerify = true
+	}
+
+	if b.Host != "" {
+		transport.TLSClientConfig.ServerName = b.Host
+		director := proxy.Director
+		proxy.Director = func(req *http.Request) {
+			req.Host = b.Host
+			director(req)
+		}
+	}
+
+	/*if b.ProxyProtocol > 0 {
+		dialContext := transport.DialContext
+		if dialContext == nil {
+			dialContext = (&net.Dialer{}).DialContext
+		}
+		transport.DialContext = func(ctx context.Context, network, addr string) (net.Conn, error) {
+			conn, err := dialContext(ctx, network, addr)
+			if err != nil {
+				return nil, err
+			}
+			addrPort := utils.GetRemoteAddress(ctx)
+			if addrPort == nil {
+				// pass as is
+				hdr := proxyproto.HeaderProxyFromAddrs(b.ProxyProtocol, conn.LocalAddr(), conn.RemoteAddr())
+				_, err = hdr.WriteTo(conn)
+				if err != nil {
+					conn.Close()
+					return nil, err
+				}
+			} else {
+				// set proper headers!
+				hdr := proxyproto.HeaderProxyFromAddrs(b.ProxyProtocol, net.TCPAddrFromAddrPort(*addrPort), conn.RemoteAddr())
+				_, err = hdr.WriteTo(conn)
+				if err != nil {
+					conn.Close()
+					return nil, err
+				}
+			}
+			return conn, nil
+		}
+	}*/
+
+	proxy.Transport = transport
+
+	return proxy, nil
+}
--- a/lib/settings/bind.go
+++ b/lib/settings/bind.go
@@ -0,0 +1,169 @@
+package settings
+
+import (
+	"context"
+	"crypto/tls"
+	"fmt"
+	"git.gammaspectra.live/git/go-away/utils"
+	"github.com/pires/go-proxyproto"
+	"golang.org/x/crypto/acme"
+	"golang.org/x/crypto/acme/autocert"
+	"log"
+	"log/slog"
+	"net"
+	"net/http"
+	"os"
+	"strconv"
+	"sync/atomic"
+)
+
+type Bind struct {
+	Address    string `yaml:"address"`
+	Network    string `yaml:"network"`
+	SocketMode string `yaml:"socket-mode"`
+	Proxy      bool   `yaml:"proxy"`
+
+	Passthrough bool `yaml:"passthrough"`
+
+	// TLSAcmeAutoCert URL to ACME directory, or letsencrypt
+	TLSAcmeAutoCert string `yaml:"tls-acme-autocert"`
+
+	// TLSCertificate Alternate to TLSAcmeAutoCert
+	TLSCertificate string `yaml:"tls-certificate"`
+	// TLSPrivateKey Alternate to TLSAcmeAutoCert
+	TLSPrivateKey string `yaml:"tls-key"`
+}
+
+func (b *Bind) Listener() (net.Listener, string) {
+	return setupListener(b.Network, b.Address, b.SocketMode, b.Proxy)
+}
+
+func (b *Bind) Server(backends map[string]http.Handler, acmeCachePath string) (*http.Server, func(http.Handler), error) {
+
+	var tlsConfig *tls.Config
+
+	if b.TLSAcmeAutoCert != "" {
+		switch b.TLSAcmeAutoCert {
+		case "letsencrypt":
+			b.TLSAcmeAutoCert = acme.LetsEncryptURL
+		}
+
+		acmeManager := newACMEManager(b.TLSAcmeAutoCert, backends)
+		if acmeCachePath != "" {
+			err := os.MkdirAll(acmeCachePath, 0755)
+			if err != nil {
+				return nil, nil, fmt.Errorf("failed to create acme cache directory: %w", err)
+			}
+			acmeManager.Cache = autocert.DirCache(acmeCachePath)
+		}
+		slog.Warn(
+			"acme-autocert enabled",
+			"directory", b.TLSAcmeAutoCert,
+		)
+		tlsConfig = acmeManager.TLSConfig()
+	} else if b.TLSCertificate != "" && b.TLSPrivateKey != "" {
+		tlsConfig = &tls.Config{}
+		var err error
+		tlsConfig.Certificates = make([]tls.Certificate, 1)
+		tlsConfig.Certificates[0], err = tls.LoadX509KeyPair(b.TLSCertificate, b.TLSPrivateKey)
+		if err != nil {
+			return nil, nil, err
+		}
+		slog.Warn(
+			"TLS enabled",
+			"certificate", b.TLSCertificate,
+		)
+	}
+
+	var serverHandler atomic.Pointer[http.Handler]
+	server := utils.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if handler := serverHandler.Load(); handler == nil {
+			http.Error(w, http.StatusText(http.StatusBadGateway), http.StatusBadGateway)
+		} else {
+			(*handler).ServeHTTP(w, r)
+		}
+	}), tlsConfig)
+
+	swap := func(handler http.Handler) {
+		serverHandler.Store(&handler)
+	}
+
+	if b.Passthrough {
+		// setup a passthrough handler temporarily
+		swap(http.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			backend := utils.SelectHTTPHandler(backends, r.Host)
+			if backend == nil {
+				http.Error(w, http.StatusText(http.StatusBadGateway), http.StatusBadGateway)
+			} else {
+				backend.ServeHTTP(w, r)
+			}
+		})))
+	}
+
+	return server, swap, nil
+
+}
+
+func setupListener(network, address, socketMode string, proxy bool) (net.Listener, string) {
+	if network == "proxy" {
+		network = "tcp"
+		proxy = true
+	}
+
+	formattedAddress := ""
+	switch network {
+	case "unix":
+		formattedAddress = "unix:" + address
+	case "tcp":
+		formattedAddress = "http://localhost" + address
+	default:
+		formattedAddress = fmt.Sprintf(`(%s) %s`, network, address)
+	}
+
+	listener, err := net.Listen(network, address)
+	if err != nil {
+		log.Fatal(fmt.Errorf("failed to bind to %s: %w", formattedAddress, err))
+	}
+
+	// additional permission handling for unix sockets
+	if network == "unix" {
+		mode, err := strconv.ParseUint(socketMode, 8, 0)
+		if err != nil {
+			listener.Close()
+			log.Fatal(fmt.Errorf("could not parse socket mode %s: %w", socketMode, err))
+		}
+
+		err = os.Chmod(address, os.FileMode(mode))
+		if err != nil {
+			listener.Close()
+			log.Fatal(fmt.Errorf("could not change socket mode: %w", err))
+		}
+	}
+
+	if proxy {
+		slog.Warn("listener PROXY enabled")
+		formattedAddress += " +PROXY"
+		listener = &proxyproto.Listener{
+			Listener: listener,
+		}
+	}
+
+	return listener, formattedAddress
+}
+
+func newACMEManager(clientDirectory string, backends map[string]http.Handler) *autocert.Manager {
+	manager := &autocert.Manager{
+		Prompt: autocert.AcceptTOS,
+		HostPolicy: autocert.HostPolicy(func(ctx context.Context, host string) error {
+			if utils.SelectHTTPHandler(backends, host) != nil {
+				return nil
+			}
+			return fmt.Errorf("acme/autocert: host %s not configured in backends", host)
+		}),
+		Client: &acme.Client{
+			HTTPClient:   http.DefaultClient,
+			DirectoryURL: clientDirectory,
+		},
+	}
+	return manager
+}
--- a/lib/settings/settings.go
+++ b/lib/settings/settings.go
@@ -0,0 +1,51 @@
+package settings
+
+import "maps"
+
+type Settings struct {
+	Bind Bind `json:"bind"`
+
+	Backends map[string]Backend `json:"backends"`
+
+	BindDebug   string `json:"bind-debug"`
+	BindMetrics string `json:"bind-metrics"`
+
+	Strings Strings `yaml:"strings"`
+
+	// Links to add to challenge/error pages like privacy/impressum.
+	Links []Link `yaml:"links"`
+
+	ChallengeTemplate string `yaml:"challenge-template"`
+
+	// ChallengeTemplateOverrides Key/Value overrides for the current chosen template
+	// Replacements TODO:
+	// Path -> go-away path
+	ChallengeTemplateOverrides map[string]string `yaml:"challenge-template-overrides"`
+}
+
+type Link struct {
+	Name string `yaml:"name"`
+	URL  string `yaml:"url"`
+}
+
+var DefaultSettings = Settings{
+	Strings:           DefaultStrings,
+	ChallengeTemplate: "anubis",
+	ChallengeTemplateOverrides: func() map[string]string {
+		m := make(map[string]string)
+		maps.Copy(m, map[string]string{
+			"Theme": "",
+			"Logo":  "",
+		})
+		return m
+	}(),
+
+	Bind: Bind{
+		Address:         ":8080",
+		Network:         "tcp",
+		SocketMode:      "0770",
+		Proxy:           false,
+		TLSAcmeAutoCert: "",
+	},
+	Backends: make(map[string]Backend),
+}
--- a/lib/settings/strings.go
+++ b/lib/settings/strings.go
@@ -0,0 +1,24 @@
+package settings
+
+import "maps"
+
+type Strings map[string]string
+
+var DefaultStrings = make(Strings).set(map[string]string{
+	"challenge_are_you_bot": "Checking you are not a bot",
+	"error":                 "Oh no!",
+})
+
+func (s Strings) set(v map[string]string) Strings {
+	maps.Copy(s, v)
+	return s
+}
+
+func (s Strings) Get(value string) string {
+	v, ok := (s)[value]
+	if !ok {
+		// fallback
+		return "string:" + value
+	}
+	return v
+}
--- a/lib/state.go
+++ b/lib/state.go
@@ -8,6 +8,7 @@ import (
 	"git.gammaspectra.live/git/go-away/lib/challenge"
 	"git.gammaspectra.live/git/go-away/lib/condition"
 	"git.gammaspectra.live/git/go-away/lib/policy"
+	"git.gammaspectra.live/git/go-away/lib/settings"
 	"git.gammaspectra.live/git/go-away/utils"
 	"github.com/google/cel-go/cel"
 	"github.com/yl2chen/cidranger"
@@ -31,7 +32,8 @@ type State struct {
 	publicKey  ed25519.PublicKey
 	privateKey ed25519.PrivateKey

-	settings policy.Settings
+	opt      settings.Settings
+	settings policy.StateSettings

 	networks map[string]cidranger.Ranger

@@ -44,10 +46,11 @@ type State struct {
 	Mux *http.ServeMux
 }

-func NewState(p policy.Policy, settings policy.Settings) (handler http.Handler, err error) {
+func NewState(p policy.Policy, opt settings.Settings, settings policy.StateSettings) (handler http.Handler, err error) {
 	state := new(State)
 	state.close = make(chan struct{})
 	state.settings = settings
+	state.opt = opt
 	state.client = &http.Client{
 		CheckRedirect: func(req *http.Request, via []*http.Request) error {
 			return http.ErrUseLastResponse
@@ -89,22 +92,18 @@ func NewState(p policy.Policy, settings policy.Settings) (handler http.Handler,
 		}
 	}

-	if state.Settings().ChallengeTemplate == "" {
-		state.settings.ChallengeTemplate = "anubis"
-	}
+	if templates["challenge-"+state.Options().ChallengeTemplate+".gohtml"] == nil {

-	if templates["challenge-"+state.Settings().ChallengeTemplate+".gohtml"] == nil {
-
-		if data, err := os.ReadFile(state.Settings().ChallengeTemplate); err == nil && len(data) > 0 {
-			name := path.Base(state.Settings().ChallengeTemplate)
+		if data, err := os.ReadFile(state.Options().ChallengeTemplate); err == nil && len(data) > 0 {
+			name := path.Base(state.Options().ChallengeTemplate)
 			err := initTemplate(name, string(data))
 			if err != nil {
-				return nil, fmt.Errorf("error loading template %s: %w", settings.ChallengeTemplate, err)
+				return nil, fmt.Errorf("error loading template %s: %w", state.Options().ChallengeTemplate, err)
 			}
-			state.settings.ChallengeTemplate = name
+			state.opt.ChallengeTemplate = name
 		}

-		return nil, fmt.Errorf("no template defined for %s", settings.ChallengeTemplate)
+		return nil, fmt.Errorf("no template defined for %s", state.Options().ChallengeTemplate)
 	}

 	state.networks = make(map[string]cidranger.Ranger)