TLS support

[gocheese.git] / gocheese.go

diff --git a/gocheese.go b/gocheese.go
index 7a6d9ffc85ab9e8d54f99386e30e3b2e6304e743..2245d5cafc5743f6b1a6a73d9464497437c0c5cb 100644 (file)
--- a/gocheese.go
+++ b/gocheese.go
@@ -1,6 +1,7 @@
 /*
 GoCheese -- Python private package repository and caching proxy
 Copyright (C) 2019 Sergey Matveev <stargrave@stargrave.org>
+              2019 Elena Balakhonova <balakhonova_e@riseup.net>
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -28,6 +29,7 @@ import (
        "io"
        "io/ioutil"
        "log"
+       "net"
        "net/http"
        "net/url"
        "os"
@@ -38,6 +40,8 @@ import (
        "strings"
        "syscall"
        "time"
+
+       "golang.org/x/net/netutil"
 )
 
 const (
@@ -64,12 +68,15 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.`
 var (
        root             = flag.String("root", "./packages", "Path to packages directory")
        bind             = flag.String("bind", "[::]:8080", "Address to bind to")
+       tlsCert          = flag.String("tls-cert", "", "Path to TLS X.509 certificate")
+       tlsKey           = flag.String("tls-key", "", "Path to TLS X.509 private key")
        norefreshURLPath = flag.String("norefresh", "/norefresh/", "Non-refreshing URL path")
        refreshURLPath   = flag.String("refresh", "/simple/", "Auto-refreshing URL path")
        pypiURL          = flag.String("pypi", "https://pypi.org/simple/", "Upstream PyPI URL")
        passwdPath       = flag.String("passwd", "passwd", "Path to file with authenticators")
        passwdCheck      = flag.Bool("passwd-check", false, "Test the -passwd file for syntax errors and exit")
        fsck             = flag.Bool("fsck", false, "Check integrity of all packages")
+       maxClients       = flag.Int("maxclients", 128, "Maximal amount of simultaneous clients")
        version          = flag.Bool("version", false, "Print version information")
        warranty         = flag.Bool("warranty", false, "Print warranty information")
 
@@ -440,18 +447,27 @@ func main() {
                refreshPasswd()
                return
        }
+       if (*tlsCert != "" && *tlsKey == "") || (*tlsCert == "" && *tlsKey != "") {
+               log.Fatalln("Both -tls-cert and -tls-key are required")
+       }
        refreshPasswd()
        log.Println("root:", *root, "bind:", *bind)
+
+       ln, err := net.Listen("tcp", *bind)
+       if err != nil {
+               log.Fatal(err)
+       }
+       ln = netutil.LimitListener(ln, *maxClients)
+       server := &http.Server{
+               ReadTimeout:  time.Minute,
+               WriteTimeout: time.Minute,
+       }
+       http.HandleFunc(*norefreshURLPath, handler)
+       http.HandleFunc(*refreshURLPath, handler)
+
        needsRefreshPasswd := make(chan os.Signal, 0)
        needsShutdown := make(chan os.Signal, 0)
        killed := make(chan error, 0)
-       http.HandleFunc(*norefreshURLPath, handler)
-       http.HandleFunc(*refreshURLPath, handler)
-       s := &http.Server{
-               Addr:           *bind,
-               ReadTimeout:    time.Minute,
-               WriteTimeout:   time.Minute,
-       }
        signal.Notify(needsRefreshPasswd, syscall.SIGHUP)
        signal.Notify(needsShutdown, syscall.SIGTERM, syscall.SIGINT)
        go func() {
@@ -466,8 +482,14 @@ func main() {
                ctx, cancel := context.WithTimeout(context.TODO(), time.Minute)
                killed <- s.Shutdown(ctx)
                cancel()
-       }(s)
-       if err := s.ListenAndServe(); err != http.ErrServerClosed {
+       }(server)
+
+       if *tlsCert == "" {
+               err = server.Serve(ln)
+       } else {
+               err = server.ServeTLS(ln, *tlsCert, *tlsKey)
+       }
+       if err != http.ErrServerClosed {
                log.Fatal(err)
        }
        if err := <-killed; err != nil {