2023-06-19 23:42:47 +02:00
|
|
|
// SPDX-FileCopyrightText: Copyright The Miniflux Authors. All rights reserved.
|
|
|
|
// SPDX-License-Identifier: Apache-2.0
|
2018-11-12 00:32:48 +01:00
|
|
|
|
|
|
|
package httpd // import "miniflux.app/service/httpd"
|
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto/tls"
|
2018-11-12 01:21:57 +01:00
|
|
|
"net"
|
2018-11-12 00:32:48 +01:00
|
|
|
"net/http"
|
2018-11-12 01:21:57 +01:00
|
|
|
"os"
|
2018-11-26 02:41:16 +01:00
|
|
|
"strconv"
|
2018-11-12 01:21:57 +01:00
|
|
|
"strings"
|
2018-11-12 00:32:48 +01:00
|
|
|
"time"
|
|
|
|
|
|
|
|
"miniflux.app/api"
|
|
|
|
"miniflux.app/config"
|
|
|
|
"miniflux.app/fever"
|
2022-01-03 04:45:12 +01:00
|
|
|
"miniflux.app/googlereader"
|
2020-09-28 01:01:06 +02:00
|
|
|
"miniflux.app/http/request"
|
2018-11-12 00:32:48 +01:00
|
|
|
"miniflux.app/logger"
|
|
|
|
"miniflux.app/storage"
|
|
|
|
"miniflux.app/ui"
|
2020-04-11 22:08:17 +02:00
|
|
|
"miniflux.app/version"
|
2018-11-12 00:32:48 +01:00
|
|
|
"miniflux.app/worker"
|
|
|
|
|
|
|
|
"github.com/gorilla/mux"
|
2020-09-28 01:01:06 +02:00
|
|
|
"github.com/prometheus/client_golang/prometheus/promhttp"
|
2022-07-02 04:32:28 +02:00
|
|
|
"golang.org/x/crypto/acme"
|
2018-11-12 00:32:48 +01:00
|
|
|
"golang.org/x/crypto/acme/autocert"
|
|
|
|
)
|
|
|
|
|
|
|
|
// Serve starts a new HTTP server.
|
2021-01-03 01:33:41 +01:00
|
|
|
func Serve(store *storage.Storage, pool *worker.Pool) *http.Server {
|
2019-06-02 03:18:09 +02:00
|
|
|
certFile := config.Opts.CertFile()
|
|
|
|
keyFile := config.Opts.CertKeyFile()
|
|
|
|
certDomain := config.Opts.CertDomain()
|
|
|
|
listenAddr := config.Opts.ListenAddr()
|
2018-11-12 00:32:48 +01:00
|
|
|
server := &http.Server{
|
2023-02-25 09:36:19 +01:00
|
|
|
ReadTimeout: time.Duration(config.Opts.HTTPServerTimeout()) * time.Second,
|
|
|
|
WriteTimeout: time.Duration(config.Opts.HTTPServerTimeout()) * time.Second,
|
|
|
|
IdleTimeout: time.Duration(config.Opts.HTTPServerTimeout()) * time.Second,
|
2021-01-03 01:33:41 +01:00
|
|
|
Handler: setupHandler(store, pool),
|
2018-11-12 00:32:48 +01:00
|
|
|
}
|
|
|
|
|
2018-11-12 01:21:57 +01:00
|
|
|
switch {
|
2018-11-26 02:41:16 +01:00
|
|
|
case os.Getenv("LISTEN_PID") == strconv.Itoa(os.Getpid()):
|
|
|
|
startSystemdSocketServer(server)
|
2018-11-12 01:21:57 +01:00
|
|
|
case strings.HasPrefix(listenAddr, "/"):
|
|
|
|
startUnixSocketServer(server, listenAddr)
|
2021-01-30 03:44:40 +01:00
|
|
|
case certDomain != "":
|
2019-06-02 03:18:09 +02:00
|
|
|
config.Opts.HTTPS = true
|
2021-01-30 03:44:40 +01:00
|
|
|
startAutoCertTLSServer(server, certDomain, store)
|
2018-11-12 01:21:57 +01:00
|
|
|
case certFile != "" && keyFile != "":
|
2019-06-02 03:18:09 +02:00
|
|
|
config.Opts.HTTPS = true
|
2018-11-12 01:21:57 +01:00
|
|
|
server.Addr = listenAddr
|
2018-11-12 00:32:48 +01:00
|
|
|
startTLSServer(server, certFile, keyFile)
|
2018-11-12 01:21:57 +01:00
|
|
|
default:
|
|
|
|
server.Addr = listenAddr
|
2018-11-12 00:32:48 +01:00
|
|
|
startHTTPServer(server)
|
|
|
|
}
|
|
|
|
|
|
|
|
return server
|
|
|
|
}
|
|
|
|
|
2018-11-26 02:41:16 +01:00
|
|
|
func startSystemdSocketServer(server *http.Server) {
|
|
|
|
go func() {
|
|
|
|
f := os.NewFile(3, "systemd socket")
|
|
|
|
listener, err := net.FileListener(f)
|
|
|
|
if err != nil {
|
|
|
|
logger.Fatal(`Unable to create listener from systemd socket: %v`, err)
|
|
|
|
}
|
|
|
|
|
|
|
|
logger.Info(`Listening on systemd socket`)
|
|
|
|
if err := server.Serve(listener); err != http.ErrServerClosed {
|
|
|
|
logger.Fatal(`Server failed to start: %v`, err)
|
|
|
|
}
|
|
|
|
}()
|
|
|
|
}
|
|
|
|
|
2018-11-12 01:21:57 +01:00
|
|
|
func startUnixSocketServer(server *http.Server, socketFile string) {
|
|
|
|
os.Remove(socketFile)
|
|
|
|
|
|
|
|
go func(sock string) {
|
|
|
|
listener, err := net.Listen("unix", sock)
|
|
|
|
if err != nil {
|
|
|
|
logger.Fatal(`Server failed to start: %v`, err)
|
|
|
|
}
|
|
|
|
defer listener.Close()
|
|
|
|
|
2018-11-26 01:13:52 +01:00
|
|
|
if err := os.Chmod(sock, 0666); err != nil {
|
|
|
|
logger.Fatal(`Unable to change socket permission: %v`, err)
|
|
|
|
}
|
|
|
|
|
2018-11-12 01:21:57 +01:00
|
|
|
logger.Info(`Listening on Unix socket %q`, sock)
|
|
|
|
if err := server.Serve(listener); err != http.ErrServerClosed {
|
|
|
|
logger.Fatal(`Server failed to start: %v`, err)
|
|
|
|
}
|
|
|
|
}(socketFile)
|
|
|
|
}
|
|
|
|
|
2020-03-03 06:30:48 +01:00
|
|
|
func tlsConfig() *tls.Config {
|
|
|
|
// See https://blog.cloudflare.com/exposing-go-on-the-internet/
|
|
|
|
// And https://wikia.mozilla.org/Security/Server_Side_TLS
|
|
|
|
return &tls.Config{
|
|
|
|
MinVersion: tls.VersionTLS12,
|
|
|
|
PreferServerCipherSuites: true,
|
|
|
|
CurvePreferences: []tls.CurveID{
|
|
|
|
tls.CurveP256,
|
|
|
|
tls.X25519,
|
|
|
|
},
|
|
|
|
CipherSuites: []uint16{
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-01-30 03:44:40 +01:00
|
|
|
func startAutoCertTLSServer(server *http.Server, certDomain string, store *storage.Storage) {
|
2018-11-12 00:32:48 +01:00
|
|
|
server.Addr = ":https"
|
|
|
|
certManager := autocert.Manager{
|
2021-02-13 23:07:39 +01:00
|
|
|
Cache: storage.NewCertificateCache(store),
|
2018-11-12 00:32:48 +01:00
|
|
|
Prompt: autocert.AcceptTOS,
|
|
|
|
HostPolicy: autocert.HostWhitelist(certDomain),
|
|
|
|
}
|
2020-03-03 06:30:48 +01:00
|
|
|
server.TLSConfig = tlsConfig()
|
|
|
|
server.TLSConfig.GetCertificate = certManager.GetCertificate
|
2022-07-02 04:32:28 +02:00
|
|
|
server.TLSConfig.NextProtos = []string{"h2", "http/1.1", acme.ALPNProto}
|
2018-11-12 00:32:48 +01:00
|
|
|
|
|
|
|
// Handle http-01 challenge.
|
|
|
|
s := &http.Server{
|
|
|
|
Handler: certManager.HTTPHandler(nil),
|
|
|
|
Addr: ":http",
|
|
|
|
}
|
|
|
|
go s.ListenAndServe()
|
|
|
|
|
|
|
|
go func() {
|
|
|
|
logger.Info(`Listening on %q by using auto-configured certificate for %q`, server.Addr, certDomain)
|
2020-03-03 06:30:48 +01:00
|
|
|
if err := server.ListenAndServeTLS("", ""); err != http.ErrServerClosed {
|
2018-11-12 00:32:48 +01:00
|
|
|
logger.Fatal(`Server failed to start: %v`, err)
|
|
|
|
}
|
|
|
|
}()
|
|
|
|
}
|
|
|
|
|
|
|
|
func startTLSServer(server *http.Server, certFile, keyFile string) {
|
2020-03-03 06:30:48 +01:00
|
|
|
server.TLSConfig = tlsConfig()
|
2018-11-12 00:32:48 +01:00
|
|
|
go func() {
|
|
|
|
logger.Info(`Listening on %q by using certificate %q and key %q`, server.Addr, certFile, keyFile)
|
|
|
|
if err := server.ListenAndServeTLS(certFile, keyFile); err != http.ErrServerClosed {
|
|
|
|
logger.Fatal(`Server failed to start: %v`, err)
|
|
|
|
}
|
|
|
|
}()
|
|
|
|
}
|
|
|
|
|
|
|
|
func startHTTPServer(server *http.Server) {
|
|
|
|
go func() {
|
|
|
|
logger.Info(`Listening on %q without TLS`, server.Addr)
|
|
|
|
if err := server.ListenAndServe(); err != http.ErrServerClosed {
|
|
|
|
logger.Fatal(`Server failed to start: %v`, err)
|
|
|
|
}
|
|
|
|
}()
|
|
|
|
}
|
|
|
|
|
2021-01-03 01:33:41 +01:00
|
|
|
func setupHandler(store *storage.Storage, pool *worker.Pool) *mux.Router {
|
2018-11-12 00:32:48 +01:00
|
|
|
router := mux.NewRouter()
|
|
|
|
|
2019-06-02 03:18:09 +02:00
|
|
|
if config.Opts.BasePath() != "" {
|
|
|
|
router = router.PathPrefix(config.Opts.BasePath()).Subrouter()
|
2018-11-12 00:32:48 +01:00
|
|
|
}
|
|
|
|
|
2020-09-13 03:31:45 +02:00
|
|
|
if config.Opts.HasMaintenanceMode() {
|
|
|
|
router.Use(func(next http.Handler) http.Handler {
|
|
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
w.Write([]byte(config.Opts.MaintenanceMessage()))
|
|
|
|
})
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2019-06-02 03:18:09 +02:00
|
|
|
router.Use(middleware)
|
2018-11-12 00:32:48 +01:00
|
|
|
|
2019-06-02 03:18:09 +02:00
|
|
|
fever.Serve(router, store)
|
2022-01-03 04:45:12 +01:00
|
|
|
googlereader.Serve(router, store)
|
2021-01-03 01:33:41 +01:00
|
|
|
api.Serve(router, store, pool)
|
|
|
|
ui.Serve(router, store, pool)
|
2018-11-12 00:32:48 +01:00
|
|
|
|
2018-12-28 22:41:26 +01:00
|
|
|
router.HandleFunc("/healthcheck", func(w http.ResponseWriter, r *http.Request) {
|
2021-02-20 03:47:50 +01:00
|
|
|
if err := store.Ping(); err != nil {
|
|
|
|
http.Error(w, "Database Connection Error", http.StatusInternalServerError)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2018-12-28 22:41:26 +01:00
|
|
|
w.Write([]byte("OK"))
|
|
|
|
}).Name("healthcheck")
|
2020-09-28 01:01:06 +02:00
|
|
|
|
2020-04-11 22:08:17 +02:00
|
|
|
router.HandleFunc("/version", func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
w.Write([]byte(version.Version))
|
|
|
|
}).Name("version")
|
2018-12-28 22:41:26 +01:00
|
|
|
|
2020-09-28 01:01:06 +02:00
|
|
|
if config.Opts.HasMetricsCollector() {
|
|
|
|
router.Handle("/metrics", promhttp.Handler()).Name("metrics")
|
|
|
|
router.Use(func(next http.Handler) http.Handler {
|
|
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
route := mux.CurrentRoute(r)
|
|
|
|
|
|
|
|
// Returns a 404 if the client is not authorized to access the metrics endpoint.
|
|
|
|
if route.GetName() == "metrics" && !isAllowedToAccessMetricsEndpoint(r) {
|
2023-03-12 05:36:52 +01:00
|
|
|
logger.Error(`[Metrics] [ClientIP=%s] Client not allowed (%s)`, request.ClientIP(r), r.RemoteAddr)
|
2020-09-28 01:01:06 +02:00
|
|
|
http.NotFound(w, r)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
next.ServeHTTP(w, r)
|
|
|
|
})
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2018-11-12 00:32:48 +01:00
|
|
|
return router
|
|
|
|
}
|
2020-09-28 01:01:06 +02:00
|
|
|
|
|
|
|
func isAllowedToAccessMetricsEndpoint(r *http.Request) bool {
|
2023-03-12 05:04:27 +01:00
|
|
|
if config.Opts.MetricsUsername() != "" && config.Opts.MetricsPassword() != "" {
|
2023-03-12 05:36:52 +01:00
|
|
|
clientIP := request.ClientIP(r)
|
2023-03-12 05:04:27 +01:00
|
|
|
username, password, authOK := r.BasicAuth()
|
|
|
|
if !authOK {
|
|
|
|
logger.Info("[Metrics] [ClientIP=%s] No authentication header sent", clientIP)
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
if username == "" || password == "" {
|
|
|
|
logger.Info("[Metrics] [ClientIP=%s] Empty username or password", clientIP)
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
if username != config.Opts.MetricsUsername() || password != config.Opts.MetricsPassword() {
|
|
|
|
logger.Error("[Metrics] [ClientIP=%s] Invalid username or password", clientIP)
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
}
|
2020-09-28 01:01:06 +02:00
|
|
|
|
|
|
|
for _, cidr := range config.Opts.MetricsAllowedNetworks() {
|
|
|
|
_, network, err := net.ParseCIDR(cidr)
|
|
|
|
if err != nil {
|
|
|
|
logger.Fatal(`[Metrics] Unable to parse CIDR %v`, err)
|
|
|
|
}
|
|
|
|
|
2023-03-12 05:36:52 +01:00
|
|
|
// We use r.RemoteAddr in this case because HTTP headers like X-Forwarded-For can be easily spoofed.
|
|
|
|
// The recommendation is to use HTTP Basic authentication.
|
|
|
|
if network.Contains(net.ParseIP(request.FindRemoteIP(r))) {
|
2020-09-28 01:01:06 +02:00
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return false
|
|
|
|
}
|