package main
import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"log/slog"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
	"os/signal"
	"time"

	"github.com/RealImage/bifrost/internal/cafiles"
	"github.com/RealImage/bifrost/internal/config"
	"github.com/RealImage/bifrost/internal/middleware"
	"github.com/RealImage/bifrost/internal/sundry"
	"github.com/RealImage/bifrost/internal/webapp"
	"github.com/kelseyhightower/envconfig"
)
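// readHeaderTimeout bounds how long a client may take to send its request
// headers on the proxy and metrics listeners. http.Server imposes no limit by
// default, so without it a slow or idle client can pin a goroutine and a
// connection indefinitely (Slowloris-style resource exhaustion).
const readHeaderTimeout = 10 * time.Second

// main runs hallpass: a TLS-terminating reverse proxy that requires every
// client to present a certificate issued by the configured Bifrost CA and
// forwards authenticated requests to BackendUrl. All settings are read from
// the environment into config.HallPass. Optionally it also exposes a plain
// HTTP metrics listener and writes TLS session secrets to SSLKeyLogFile for
// debugging.
//
// Fixes relative to the previous version: the TLS key-log writer is only set
// when a file was actually opened (a nil *os.File stored in the io.Writer
// field made crypto/tls fail every handshake), both listeners get a header
// read timeout, and main waits for graceful shutdown to finish instead of
// exiting as soon as the listener closes.
func main() {
	envconfig.MustProcess(config.EnvPrefix, &config.HallPass)

	// ctx is cancelled on SIGINT; that cancellation triggers graceful shutdown.
	ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt)
	defer cancel()

	slog.InfoContext(
		ctx, "build info",
		slog.String("rev", config.BuildRevision),
		slog.Time("timestamp", config.BuildTime),
	)

	if u := config.HallPass.MetricsUrl; u != "" {
		slog.DebugContext(ctx, "metrics enabled", slog.String("url", u))
		// The metrics endpoint is plain HTTP with no authentication, so
		// MetricsUrl should be bound to a non-public address. A dedicated mux
		// and server are used so this listener exposes nothing else that may
		// be registered on http.DefaultServeMux, and so it has a header
		// read timeout like the main listener.
		mux := http.NewServeMux()
		mux.HandleFunc("/", webapp.MetricsHandler)
		metrics := &http.Server{
			Addr:              u,
			Handler:           mux,
			ReadHeaderTimeout: readHeaderTimeout,
		}
		go func() {
			if err := metrics.ListenAndServe(); err != nil {
				panic(err)
			}
		}()
	}

	backendUrl, err := url.Parse(config.HallPass.BackendUrl)
	sundry.OnErrorExit(ctx, err, "error parsing backend url")

	// The Bifrost CA certificate is also the trust anchor for client
	// certificates: with RequireAndVerifyClientCert below, only certificates
	// that chain to it are accepted (mutual TLS).
	cert, key, err := cafiles.GetCertKey(ctx, config.HallPass.CrtUri, config.HallPass.KeyUri)
	sundry.OnErrorExit(ctx, err, "error getting cert and key")
	clientCertPool := x509.NewCertPool()
	clientCertPool.AddCert(cert.Certificate)

	reverseProxy := &httputil.ReverseProxy{
		Rewrite: func(r *httputil.ProxyRequest) {
			r.SetURL(backendUrl)
			// ReverseProxy strips inbound X-Forwarded-* headers before calling
			// Rewrite, so SetXForwarded reflects the real peer address rather
			// than a client-supplied value.
			r.SetXForwarded()
		},
	}

	// Optional TLS key log (NSS SSLKEYLOGFILE format). Anyone who can read
	// this file can decrypt every session it covers, so it is created 0600
	// and enabling it is logged at warning level.
	var ssllog *os.File
	if config.HallPass.SSLKeyLogFile != "" {
		ssllog, err = os.OpenFile(
			config.HallPass.SSLKeyLogFile,
			os.O_WRONLY|os.O_CREATE|os.O_APPEND,
			0o600,
		)
		sundry.OnErrorExit(ctx, err, "error opening ssl key log file")
		defer ssllog.Close()
		slog.WarnContext(ctx, "tls key logging enabled; session secrets are written to disk",
			slog.String("file", config.HallPass.SSLKeyLogFile))
	}

	ti := middleware.TLSIdentifier(cert.Namespace)
	hdlr := sundry.RequestLogHandler(ti(reverseProxy))
	addr := fmt.Sprintf("%s:%d", config.HallPass.Host, config.HallPass.Port)

	serverCert, serverKey, err := cafiles.CreateServerCertificate(cert, key, 0)
	sundry.OnErrorExit(ctx, err, "error creating server certificate")
	tlsCert, err := serverCert.ToTLSCertificate(serverKey)
	sundry.OnErrorExit(ctx, err, "error creating tls certificate")

	tlsConfig := &tls.Config{
		// Refuse TLS < 1.2 explicitly rather than relying on the package default.
		MinVersion:   tls.VersionTLS12,
		Certificates: []tls.Certificate{*tlsCert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    clientCertPool,
	}
	// Only set KeyLogWriter when a file was actually opened. Assigning a nil
	// *os.File to the io.Writer field produces a non-nil interface holding a
	// nil pointer: crypto/tls sees KeyLogWriter != nil, calls Write on it
	// during every handshake, gets os.ErrInvalid, and aborts the handshake
	// with an internal_error alert.
	if ssllog != nil {
		tlsConfig.KeyLogWriter = ssllog
	}

	server := http.Server{
		Handler:           hdlr,
		Addr:              addr,
		TLSConfig:         tlsConfig,
		ReadHeaderTimeout: readHeaderTimeout,
	}

	// Graceful shutdown: once ctx is cancelled, stop accepting connections and
	// drain in-flight requests for up to ShutdownTimeout. main waits on
	// shutdownDone so the process does not exit the moment the listener
	// closes, which would cut off the requests Shutdown is draining.
	shutdownDone := make(chan struct{})
	go func() {
		defer close(shutdownDone)
		<-ctx.Done()
		slog.Info("shutting down server")
		shutdownCtx, cancelShutdown := context.WithTimeout(
			context.Background(), config.HallPass.ShutdownTimeout)
		defer cancelShutdown()
		if err := server.Shutdown(shutdownCtx); err != nil {
			panic(err)
		}
	}()

	slog.InfoContext(ctx, "proxying requests",
		"from", "https://"+addr,
		"to", config.HallPass.BackendUrl,
		"namespace", cert.Namespace.String(),
	)
	err = server.ListenAndServeTLS("", "")
	switch {
	case errors.Is(err, http.ErrServerClosed):
		// Listener closed by Shutdown; wait for the drain to complete.
		<-shutdownDone
	case err != nil:
		sundry.OnErrorExit(ctx, err, "error serving requests")
	}
}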