Implement HTTP-only mode

This is very useful for reserve proxies
in cases when TLS passthrough is not desired.

cli/flags.go

@@ -150,6 +150,12 @@ var (
 			EnvVars: []string{"PROFILING_ADDRESS"},
 			Value:   "localhost:9999",
 		},
+		&cli.BoolFlag{
+			Name:    "http-only-mode",
+			Usage:   "serve content directly via HTTP using the Host header to identify the repository",
+			EnvVars: []string{"HTTP_ONLY_MODE"},
+			Value:   false,
+		},
 
 		// ############################
 		// ### ACME Client Settings ###

config/assets/test_config.toml

@@ -9,6 +9,7 @@ mainDomain = 'codeberg.page'
 rawDomain = 'raw.codeberg.page'
 allowedCorsDomains = ['fonts.codeberg.org', 'design.codeberg.org']
 blacklistedPaths = ['do/not/use']
+httpOnlyMode = false
 
 [gitea]
 root = 'codeberg.org'

config/config.go

@@ -18,6 +18,7 @@ type ServerConfig struct {
 	PagesBranches      []string
 	AllowedCorsDomains []string
 	BlacklistedPaths   []string
+	HttpOnlyMode       bool   `default:"false"`
 }
 
 type GiteaConfig struct {

config/setup.go

@@ -84,6 +84,9 @@ func mergeServerConfig(ctx *cli.Context, config *ServerConfig) {
 	if ctx.IsSet("blacklisted-paths") {
 		config.BlacklistedPaths = ctx.StringSlice("blacklisted-paths")
 	}
+	if ctx.IsSet("http-only-mode") {
+		config.HttpOnlyMode = ctx.Bool("http-only-mode")
+	}
 
 	// add the paths that should always be blacklisted
 	config.BlacklistedPaths = append(config.BlacklistedPaths, ALWAYS_BLACKLISTED_PATHS...)

example_config.toml

@@ -10,6 +10,7 @@ rawDomain = 'raw.codeberg.page'
 pagesBranches = ["pages"]
 allowedCorsDomains = []
 blacklistedPaths = []
+httpOnlyMode = false
 
 [gitea]
 root = 'https://codeberg.org'

server/startup.go

@@ -82,51 +82,62 @@ func Serve(ctx *cli.Context) error {
 		return fmt.Errorf("could not create new gitea client: %v", err)
 	}
 
-	acmeClient, err := acme.CreateAcmeClient(cfg.ACME, cfg.Server.HttpServerEnabled, challengeCache)
+	var listener net.Listener
-	if err != nil {
+	if cfg.Server.HttpOnlyMode {
-		return err
+		log.Info().Msgf("Create TCP listener on %s", listeningHTTPAddress)
-	}
+		listener_, err := net.Listen("tcp", listeningHTTPAddress)
+		if err != nil {
+			return fmt.Errorf("couldn't create listener: %v", err)
+		}
+		listener = listener_
+	} else {
+		acmeClient, err := acme.CreateAcmeClient(cfg.ACME, cfg.Server.HttpServerEnabled, challengeCache)
+		if err != nil {
+			return err
+		}
 
-	if err := certificates.SetupMainDomainCertificates(cfg.Server.MainDomain, acmeClient, certDB); err != nil {
+		if err := certificates.SetupMainDomainCertificates(cfg.Server.MainDomain, acmeClient, certDB); err != nil {
-		return err
+			return err
-	}
+		}
 
-	// Create listener for SSL connections
+		// Create listener for SSL connections
-	log.Info().Msgf("Create TCP listener for SSL on %s", listeningSSLAddress)
+		log.Info().Msgf("Create TCP listener for SSL on %s", listeningSSLAddress)
-	listener, err := net.Listen("tcp", listeningSSLAddress)
+		listener_, err := net.Listen("tcp", listeningSSLAddress)
-	if err != nil {
+		if err != nil {
-		return fmt.Errorf("couldn't create listener: %v", err)
+			return fmt.Errorf("couldn't create listener: %v", err)
-	}
+		}
+		listener = listener_
 
-	// Setup listener for SSL connections
+		// Setup listener for SSL connections
-	listener = tls.NewListener(listener, certificates.TLSConfig(
+		listener = tls.NewListener(listener, certificates.TLSConfig(
-		cfg.Server.MainDomain,
+			cfg.Server.MainDomain,
-		giteaClient,
+			giteaClient,
-		acmeClient,
+			acmeClient,
-		cfg.Server.PagesBranches[0],
+			cfg.Server.PagesBranches[0],
-		keyCache, challengeCache, dnsLookupCache, canonicalDomainCache,
+			keyCache, challengeCache, dnsLookupCache, canonicalDomainCache,
-		certDB,
+			certDB,
-		cfg.ACME.NoDNS01,
+			cfg.ACME.NoDNS01,
-		cfg.Server.RawDomain,
+			cfg.Server.RawDomain,
-	))
+		))
 
-	interval := 12 * time.Hour
+		interval := 12 * time.Hour
-	certMaintainCtx, cancelCertMaintain := context.WithCancel(context.Background())
+		certMaintainCtx, cancelCertMaintain := context.WithCancel(context.Background())
-	defer cancelCertMaintain()
+		defer cancelCertMaintain()
-	go certificates.MaintainCertDB(certMaintainCtx, interval, acmeClient, cfg.Server.MainDomain, certDB)
+		go certificates.MaintainCertDB(certMaintainCtx, interval, acmeClient, cfg.Server.MainDomain, certDB)
 
-	if cfg.Server.HttpServerEnabled {
+		if cfg.Server.HttpServerEnabled {
-		// Create handler for http->https redirect and http acme challenges
+			// Create handler for http->https redirect and http acme challenges
-		httpHandler := certificates.SetupHTTPACMEChallengeServer(challengeCache, uint(cfg.Server.Port))
+			httpHandler := certificates.SetupHTTPACMEChallengeServer(challengeCache, uint(cfg.Server.Port))
 
-		// Create listener for http and start listening
+			// Create listener for http and start listening
-		go func() {
+			go func() {
-			log.Info().Msgf("Start HTTP server listening on %s", listeningHTTPAddress)
+				log.Info().Msgf("Start HTTP server listening on %s", listeningHTTPAddress)
-			err := http.ListenAndServe(listeningHTTPAddress, httpHandler)
+				err := http.ListenAndServe(listeningHTTPAddress, httpHandler)
-			if err != nil {
+				if err != nil {
-				log.Error().Err(err).Msg("Couldn't start HTTP server")
+					log.Error().Err(err).Msg("Couldn't start HTTP server")
-			}
+				}
-		}()
+			}()
+		}
 	}
 
 	if ctx.IsSet("enable-profiling") {
@@ -137,7 +148,7 @@ func Serve(ctx *cli.Context) error {
 	sslHandler := handler.Handler(cfg.Server, giteaClient, dnsLookupCache, canonicalDomainCache, redirectsCache)
 
 	// Start the ssl listener
-	log.Info().Msgf("Start SSL server using TCP listener on %s", listener.Addr())
+	log.Info().Msgf("Start main server using TCP listener on %s", listener.Addr())
 
 	return http.Serve(listener, sslHandler)
 }