*(home): fix TLS module initialization

Continue to work even when TLS cert-key pair is invalid

Closes: https://github.com/AdguardTeam/AdGuardHome/issues/1677
Andrey Meshkov 2020-05-16 02:02:50 +03:00
parent 6adf48c938
commit 2fca419c7f
3 changed files with 24 additions and 10 deletions


@ -85,10 +85,11 @@ type FilteringConfig struct {
// TLSConfig is the TLS configuration for HTTPS, DNS-over-HTTPS, and DNS-over-TLS // TLSConfig is the TLS configuration for HTTPS, DNS-over-HTTPS, and DNS-over-TLS
type TLSConfig struct { type TLSConfig struct {
TLSListenAddr *net.TCPAddr `yaml:"-" json:"-"` TLSListenAddr *net.TCPAddr `yaml:"-" json:"-"`
StrictSNICheck bool `yaml:"strict_sni_check" json:"-"` // Reject connection if the client uses server name (in SNI) that doesn't match the certificate StrictSNICheck bool `yaml:"strict_sni_check" json:"-"` // Reject connection if the client uses server name (in SNI) that doesn't match the certificate
CertificateChain string `yaml:"certificate_chain" json:"certificate_chain"` // PEM-encoded certificates chain
PrivateKey string `yaml:"private_key" json:"private_key"` // PEM-encoded private key CertificateChain string `yaml:"certificate_chain" json:"certificate_chain"` // PEM-encoded certificates chain
PrivateKey string `yaml:"private_key" json:"private_key"` // PEM-encoded private key
CertificatePath string `yaml:"certificate_path" json:"certificate_path"` // certificate file name CertificatePath string `yaml:"certificate_path" json:"certificate_path"` // certificate file name
PrivateKeyPath string `yaml:"private_key_path" json:"private_key_path"` // private key file name PrivateKeyPath string `yaml:"private_key_path" json:"private_key_path"` // private key file name


@ -589,28 +589,34 @@ func printHTTPAddresses(proto string) {
if Context.tls != nil { if Context.tls != nil {
Context.tls.WriteDiskConfig(&tlsConf) Context.tls.WriteDiskConfig(&tlsConf)
} }
port := strconv.Itoa(config.BindPort)
if proto == "https" {
port = strconv.Itoa(tlsConf.PortHTTPS)
}
if proto == "https" && tlsConf.ServerName != "" { if proto == "https" && tlsConf.ServerName != "" {
if tlsConf.PortHTTPS == 443 { if tlsConf.PortHTTPS == 443 {
log.Printf("Go to https://%s", tlsConf.ServerName) log.Printf("Go to https://%s", tlsConf.ServerName)
} else { } else {
log.Printf("Go to https://%s:%d", tlsConf.ServerName, tlsConf.PortHTTPS) log.Printf("Go to https://%s:%s", tlsConf.ServerName, port)
} }
} else if config.BindHost == "0.0.0.0" { } else if config.BindHost == "0.0.0.0" {
log.Println("AdGuard Home is available on the following addresses:") log.Println("AdGuard Home is available on the following addresses:")
ifaces, err := util.GetValidNetInterfacesForWeb() ifaces, err := util.GetValidNetInterfacesForWeb()
if err != nil { if err != nil {
// That's weird, but we'll ignore it // That's weird, but we'll ignore it
address = net.JoinHostPort(config.BindHost, strconv.Itoa(config.BindPort)) address = net.JoinHostPort(config.BindHost, port)
log.Printf("Go to %s://%s", proto, address) log.Printf("Go to %s://%s", proto, address)
return return
} }
for _, iface := range ifaces { for _, iface := range ifaces {
address = net.JoinHostPort(iface.Addresses[0], strconv.Itoa(config.BindPort)) address = net.JoinHostPort(iface.Addresses[0], port)
log.Printf("Go to %s://%s", proto, address) log.Printf("Go to %s://%s", proto, address)
} }
} else { } else {
address = net.JoinHostPort(config.BindHost, strconv.Itoa(config.BindPort)) address = net.JoinHostPort(config.BindHost, port)
log.Printf("Go to %s://%s", proto, address) log.Printf("Go to %s://%s", proto, address)
} }
} }
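Review bot: `port` is overridden from `tlsConf.PortHTTPS` whenever `proto == "https"`, but `tlsConf` stays zero-valued when `Context.tls` is nil, so the per-interface URLs would be printed with port `0` in that case. If HTTPS can be requested here while `Context.tls` is nil — I cannot tell from this hunk — guard the override: `if proto == "https" && tlsConf.PortHTTPS != 0 {`. The opening lines of printHTTPAddresses are outside the hunk.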


@ -39,7 +39,14 @@ func tlsCreate(conf tlsConfigSettings) *TLSMod {
t.conf = conf t.conf = conf
if t.conf.Enabled { if t.conf.Enabled {
if !t.load() { if !t.load() {
return nil // Something is not valid - return an empty TLS config
return &TLSMod{conf: tlsConfigSettings{
Enabled: conf.Enabled,
ServerName: conf.ServerName,
PortHTTPS: conf.PortHTTPS,
PortDNSOverTLS: conf.PortDNSOverTLS,
AllowUnencryptedDOH: conf.AllowUnencryptedDOH,
}}
} }
t.setCertFileTime() t.setCertFileTime()
} }
@ -55,7 +62,7 @@ func (t *TLSMod) load() bool {
// validate current TLS config and update warnings (it could have been loaded from file) // validate current TLS config and update warnings (it could have been loaded from file)
data := validateCertificates(string(t.conf.CertificateChainData), string(t.conf.PrivateKeyData), t.conf.ServerName) data := validateCertificates(string(t.conf.CertificateChainData), string(t.conf.PrivateKeyData), t.conf.ServerName)
if !data.ValidPair { if !data.ValidPair {
log.Error(data.WarningValidation) log.Error("failed to validate certificate: %s", data.WarningValidation)
return false return false
} }
t.status = data t.status = data
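Review bot: The fallback `TLSMod` built in tlsCreate when `t.load()` fails still carries `Enabled: conf.Enabled`, so any caller that checks `Enabled` alone will see TLS as on although no certificate or key was loaded; unless every consumer also checks for loaded key material (not visible here), either set `Enabled: false` in the fallback or document on the struct that the flag no longer implies a valid pair, e.g. `// Enabled may be true while no valid certificate is loaded; check status before serving`. In the same path, `load()` discards `data` on the `!data.ValidPair` branch, so the validation reason survives only as a log line and `t.status` stays empty; moving `t.status = data` above the `if !data.ValidPair {` check would keep the warning available to whatever reads `status`. Both tlsCreate and load begin outside their hunks.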