[tor-commits] [meek/master] Make it non-fatal when using --acme-hostnames without a port-443 binaddr.

dcf at torproject.org dcf at torproject.org
Sun Oct 1 07:41:42 UTC 2017


commit e1475a441a87852de7cb3252062905c76425f979
Author: David Fifield <david at bamsoftware.com>
Date:   Sat Sep 30 23:18:24 2017 -0700

    Make it non-fatal when using --acme-hostnames without a port-443 binaddr.
    
    The user might have set up their own forwarding or reverse proxy that
    doesn't require meek-server itself to listen on 443.
---
 meek-server/meek-server.go | 30 ++++++++++++++----------------
 1 file changed, 14 insertions(+), 16 deletions(-)

diff --git a/meek-server/meek-server.go b/meek-server/meek-server.go
index eceba0c..f0f03b9 100644
--- a/meek-server/meek-server.go
+++ b/meek-server/meek-server.go
@@ -404,8 +404,8 @@ func main() {
 	//   --cert and --key together
 	//   --disable-tls
 	// The outputs of this block of code are the disableTLS,
-	// missing443Listener, and getCertificate variables.
-	var missing443Listener = false
+	// need443Listener, and getCertificate variables.
+	var need443Listener = false
 	var getCertificate func(*tls.ClientHelloInfo) (*tls.Certificate, error)
 	if disableTLS {
 		if acmeEmail != "" || acmeHostnamesCommas != "" || certFilename != "" || keyFilename != "" {
@@ -424,18 +424,9 @@ func main() {
 		acmeHostnames := strings.Split(acmeHostnamesCommas, ",")
 		log.Printf("ACME hostnames: %q", acmeHostnames)
 
-		missing443Listener = true
 		// The ACME responder only works when it is running on port 443.
 		// https://letsencrypt.github.io/acme-spec/#domain-validation-with-server-name-indication-dvsni
-		for _, bindaddr := range ptInfo.Bindaddrs {
-			if port == 443 || bindaddr.Addr.Port == 443 {
-				missing443Listener = false
-				break
-			}
-		}
-		// Don't quit immediately if we need a 443 listener and don't
-		// have it; do it later in the SMETHOD loop so it appears in the
-		// tor log.
+		need443Listener = true
 
 		var cache autocert.Cache
 		cacheDir, err := getCertificateCacheDir()
@@ -459,20 +450,20 @@ func main() {
 
 	log.Printf("starting version %s (%s)", programVersion, runtime.Version())
 	servers := make([]*http.Server, 0)
+	have443Listener := false
 	for _, bindaddr := range ptInfo.Bindaddrs {
 		if port != 0 {
 			bindaddr.Addr.Port = port
 		}
 		switch bindaddr.MethodName {
 		case ptMethodName:
-			if missing443Listener {
-				pt.SmethodError(bindaddr.MethodName, "The --acme-hostnames option requires one of the bindaddrs to be on port 443.")
-				break
-			}
 			var server *http.Server
 			if disableTLS {
 				server, err = startServer(bindaddr.Addr)
 			} else {
+				if bindaddr.Addr.Port == 443 {
+					have443Listener = true
+				}
 				server, err = startServerTLS(bindaddr.Addr, getCertificate)
 			}
 			if err != nil {
@@ -487,6 +478,13 @@ func main() {
 	}
 	pt.SmethodsDone()
 
+	// Emit a warning if we're using ACME certificates and don't have a 443
+	// listener. Don't quit, in case the user has made other provisions for
+	// forwarding port 443.
+	if need443Listener && !have443Listener {
+		log.Printf("warning: the --acme-hostnames option requires one of the bindaddrs to be on port 443.")
+	}
+
 	var numHandlers int = 0
 	var sig os.Signal
 	sigChan := make(chan os.Signal, 1)



More information about the tor-commits mailing list