*(home): fix TLS module initialization
Continue to work even when the TLS cert-key pair is invalid. Closes: https://github.com/AdguardTeam/AdGuardHome/issues/1677
This commit is contained in:
parent
6adf48c938
commit
2fca419c7f
|
@ -85,10 +85,11 @@ type FilteringConfig struct {
|
||||||
|
|
||||||
// TLSConfig is the TLS configuration for HTTPS, DNS-over-HTTPS, and DNS-over-TLS
|
// TLSConfig is the TLS configuration for HTTPS, DNS-over-HTTPS, and DNS-over-TLS
|
||||||
type TLSConfig struct {
|
type TLSConfig struct {
|
||||||
TLSListenAddr *net.TCPAddr `yaml:"-" json:"-"`
|
TLSListenAddr *net.TCPAddr `yaml:"-" json:"-"`
|
||||||
StrictSNICheck bool `yaml:"strict_sni_check" json:"-"` // Reject connection if the client uses server name (in SNI) that doesn't match the certificate
|
StrictSNICheck bool `yaml:"strict_sni_check" json:"-"` // Reject connection if the client uses server name (in SNI) that doesn't match the certificate
|
||||||
CertificateChain string `yaml:"certificate_chain" json:"certificate_chain"` // PEM-encoded certificates chain
|
|
||||||
PrivateKey string `yaml:"private_key" json:"private_key"` // PEM-encoded private key
|
CertificateChain string `yaml:"certificate_chain" json:"certificate_chain"` // PEM-encoded certificates chain
|
||||||
|
PrivateKey string `yaml:"private_key" json:"private_key"` // PEM-encoded private key
|
||||||
|
|
||||||
CertificatePath string `yaml:"certificate_path" json:"certificate_path"` // certificate file name
|
CertificatePath string `yaml:"certificate_path" json:"certificate_path"` // certificate file name
|
||||||
PrivateKeyPath string `yaml:"private_key_path" json:"private_key_path"` // private key file name
|
PrivateKeyPath string `yaml:"private_key_path" json:"private_key_path"` // private key file name
|
||||||
|
|
14
home/home.go
14
home/home.go
|
@ -589,28 +589,34 @@ func printHTTPAddresses(proto string) {
|
||||||
if Context.tls != nil {
|
if Context.tls != nil {
|
||||||
Context.tls.WriteDiskConfig(&tlsConf)
|
Context.tls.WriteDiskConfig(&tlsConf)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
port := strconv.Itoa(config.BindPort)
|
||||||
|
if proto == "https" {
|
||||||
|
port = strconv.Itoa(tlsConf.PortHTTPS)
|
||||||
|
}
|
||||||
|
|
||||||
if proto == "https" && tlsConf.ServerName != "" {
|
if proto == "https" && tlsConf.ServerName != "" {
|
||||||
if tlsConf.PortHTTPS == 443 {
|
if tlsConf.PortHTTPS == 443 {
|
||||||
log.Printf("Go to https://%s", tlsConf.ServerName)
|
log.Printf("Go to https://%s", tlsConf.ServerName)
|
||||||
} else {
|
} else {
|
||||||
log.Printf("Go to https://%s:%d", tlsConf.ServerName, tlsConf.PortHTTPS)
|
log.Printf("Go to https://%s:%s", tlsConf.ServerName, port)
|
||||||
}
|
}
|
||||||
} else if config.BindHost == "0.0.0.0" {
|
} else if config.BindHost == "0.0.0.0" {
|
||||||
log.Println("AdGuard Home is available on the following addresses:")
|
log.Println("AdGuard Home is available on the following addresses:")
|
||||||
ifaces, err := util.GetValidNetInterfacesForWeb()
|
ifaces, err := util.GetValidNetInterfacesForWeb()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
// That's weird, but we'll ignore it
|
// That's weird, but we'll ignore it
|
||||||
address = net.JoinHostPort(config.BindHost, strconv.Itoa(config.BindPort))
|
address = net.JoinHostPort(config.BindHost, port)
|
||||||
log.Printf("Go to %s://%s", proto, address)
|
log.Printf("Go to %s://%s", proto, address)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, iface := range ifaces {
|
for _, iface := range ifaces {
|
||||||
address = net.JoinHostPort(iface.Addresses[0], strconv.Itoa(config.BindPort))
|
address = net.JoinHostPort(iface.Addresses[0], port)
|
||||||
log.Printf("Go to %s://%s", proto, address)
|
log.Printf("Go to %s://%s", proto, address)
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
address = net.JoinHostPort(config.BindHost, strconv.Itoa(config.BindPort))
|
address = net.JoinHostPort(config.BindHost, port)
|
||||||
log.Printf("Go to %s://%s", proto, address)
|
log.Printf("Go to %s://%s", proto, address)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
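Review bot: The https branch of the new port selection reads `tlsConf.PortHTTPS` unconditionally, but the first lines of the hunk only fill `tlsConf` when `Context.tls != nil`; when it is nil the printed URLs end in `:0`. A guard such as `if proto == "https" && tlsConf.PortHTTPS != 0 {` keeps the fallback to `config.BindPort` in that case; whether the nil case is still reachable after this commit's tls.go change is not visible here. A one-line comment above `port :=`, e.g. `// HTTPS is served on the TLS port, not the plain-HTTP BindPort`, would also make the intent obvious. printHTTPAddresses and the declarations of `tlsConf` and `address` begin outside the hunk.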
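--- a/home/tls.go
+++ b/home/tls.go
@@ -39,7 +39,14 @@ func tlsCreate(conf tlsConfigSettings) *TLSMod {
 t.conf = conf
 if t.conf.Enabled {
 if !t.load() {
-return nil
+// Something is not valid - return an empty TLS config
+return &TLSMod{conf: tlsConfigSettings{
+Enabled: conf.Enabled,
+ServerName: conf.ServerName,
+PortHTTPS: conf.PortHTTPS,
+PortDNSOverTLS: conf.PortDNSOverTLS,
+AllowUnencryptedDOH: conf.AllowUnencryptedDOH,
+}}
 }
 t.setCertFileTime()
 }
@@ -55,7 +62,7 @@ func (t *TLSMod) load() bool {
 // validate current TLS config and update warnings (it could have been loaded from file)
 data := validateCertificates(string(t.conf.CertificateChainData), string(t.conf.PrivateKeyData), t.conf.ServerName)
 if !data.ValidPair {
-log.Error(data.WarningValidation)
+log.Error("failed to validate certificate: %s", data.WarningValidation)
 return false
 }
 t.status = data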
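Review bot: The fallback returned on the `!t.load()` path in the first hunk keeps `Enabled: conf.Enabled` but carries no certificate material and no `status`, so any caller that starts the HTTPS, DNS-over-TLS or DNS-over-HTTPS listeners based on `Enabled` alone would try to serve TLS without a key pair; those callers are outside this hunk, so it is worth confirming they also check that a valid pair was actually loaded. The reason for the rejection is also lost to everything but the log, because the second hunk returns from load() before `t.status = data` runs and the fallback discards `t` in favour of a fresh struct. Keeping the validation result, e.g. `t.status = data` before the `return false` in load(), and returning `t` with its certificate fields cleared instead of a new struct would let the UI show `WarningValidation`. A short comment on the fallback stating that it intentionally drops the certificate chain, private key and their paths would document the behaviour for future readers.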