Fix autocert HostPolicy

Previously, this would pass in the instance's full (and invalid) URL. Now it passes only the host name. Ref T542
2024-11-10 19:34:19 +00:00 · 2019-07-20 21:34:58 -04:00 · 2019-07-20 21:34:58 -04:00 · 42386beabc
commit 42386beabc
parent 36fb7ecb2b
1 changed files with 14 additions and 4 deletions
--- a/app.go
+++ b/app.go
@ -393,11 +393,21 @@ func Serve(app *App, r *mux.Router) {

 		log.Info("Serving on https://%s:443", bindAddress)
 		if app.cfg.Server.Autocert {
-			log.Info("Using autocert")
 			m := &autocert.Manager{
-				Prompt:     autocert.AcceptTOS,
-				Cache:      autocert.DirCache(app.cfg.Server.TLSCertPath),
-				HostPolicy: autocert.HostWhitelist(app.cfg.App.Host),
+				Prompt: autocert.AcceptTOS,
+				Cache:  autocert.DirCache(app.cfg.Server.TLSCertPath),
+			}
+			host, err := url.Parse(app.cfg.App.Host)
+			if err != nil {
+				log.Error("[WARNING] Unable to parse configured host! %s", err)
+				log.Error(`[WARNING] ALL hosts are allowed, which can open you to an attack where
+clients connect to a server by IP address and pretend to be asking for an
+incorrect host name, and cause you to reach the CA's rate limit for certificate
+requests. We recommend supplying a valid host name.`)
+				log.Info("Using autocert on ANY host")
+			} else {
+				log.Info("Using autocert on host %s", host.Host)
+				m.HostPolicy = autocert.HostWhitelist(host.Host)
 			}
 			s := &http.Server{
 				Addr:    ":https",