var (
root = flag.String("root", "./packages", "Path to packages directory")
bind = flag.String("bind", "[::]:8080", "Address to bind to")
+ tlsCert = flag.String("tls-cert", "", "Path to TLS X.509 certificate")
+ tlsKey = flag.String("tls-key", "", "Path to TLS X.509 private key")
norefreshURLPath = flag.String("norefresh", "/norefresh/", "Non-refreshing URL path")
refreshURLPath = flag.String("refresh", "/simple/", "Auto-refreshing URL path")
pypiURL = flag.String("pypi", "https://pypi.org/simple/", "Upstream PyPI URL")
refreshPasswd()
return
}
+ if (*tlsCert != "" && *tlsKey == "") || (*tlsCert == "" && *tlsKey != "") {
+ log.Fatalln("Both -tls-cert and -tls-key are required")
+ }
refreshPasswd()
log.Println("root:", *root, "bind:", *bind)
- needsRefreshPasswd := make(chan os.Signal, 0)
- needsShutdown := make(chan os.Signal, 0)
- killed := make(chan error, 0)
- http.HandleFunc(*norefreshURLPath, handler)
- http.HandleFunc(*refreshURLPath, handler)
+
ln, err := net.Listen("tcp", *bind)
if err != nil {
log.Fatal(err)
}
- s := &http.Server{
+ ln = netutil.LimitListener(ln, *maxClients)
+ server := &http.Server{
ReadTimeout: time.Minute,
WriteTimeout: time.Minute,
}
+ http.HandleFunc(*norefreshURLPath, handler)
+ http.HandleFunc(*refreshURLPath, handler)
+
+ needsRefreshPasswd := make(chan os.Signal, 0)
+ needsShutdown := make(chan os.Signal, 0)
+ killed := make(chan error, 0)
signal.Notify(needsRefreshPasswd, syscall.SIGHUP)
signal.Notify(needsShutdown, syscall.SIGTERM, syscall.SIGINT)
go func() {
ctx, cancel := context.WithTimeout(context.TODO(), time.Minute)
killed <- s.Shutdown(ctx)
cancel()
- }(s)
- if err := s.Serve(netutil.LimitListener(ln, *maxClients)); err != http.ErrServerClosed {
+ }(server)
+
+ if *tlsCert == "" {
+ err = server.Serve(ln)
+ } else {
+ err = server.ServeTLS(ln, *tlsCert, *tlsKey)
+ }
+ if err != http.ErrServerClosed {
log.Fatal(err)
}
if err := <-killed; err != nil {
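Review bot: `server.ServeTLS(ln, *tlsCert, *tlsKey)` at L52 runs with a nil `TLSConfig`, so the minimum protocol version stays at crypto/tls's server default (TLS 1.0 in the Go releases current at the time of such code) rather than the "modern ciphersuites" the accompanying documentation hunk promises. Adding `TLSConfig: &tls.Config{MinVersion: tls.VersionTLS12},` to the `http.Server` literal at L29-32 (with a `crypto/tls` import) pins the floor; `ReadHeaderTimeout`/`IdleTimeout` would be the next things to set but are not part of this change. The comparison `err != http.ErrServerClosed` at L54 works because `Serve`/`ServeTLS` return the sentinel unwrapped, but `!errors.Is(err, http.ErrServerClosed)` is the safer form. The shutdown goroutine is shown as `go func() {` at L41 yet invoked with `(server)` at L47, which presumably reflects a parameter list lost in rendering rather than the real code. The enclosing `main` begins before this hunk and continues after it.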
@item atomic packages store on filesystem
@item SHA256-checksummed packages (both uploaded and proxied one)
@item graceful HTTP-server shutdown
-@item no TLS support
@item no YAML configuration, just command-line arguments
@item no package overwriting ability (as PyPI does)
@end itemize
GoCheese is free software, licenced under
-@url{https://www.gnu.org/licenses/gpl-3.0.html, GNU GPLv3} conditions:
+@url{https://www.gnu.org/licenses/gpl-3.0.html, GNU GPLv3}:
see the file COPYING for copying conditions.
@menu
* Usage::
* Password authentication: Passwords.
+* TLS support: TLS.
* Storage format: Storage.
@end menu
Before refreshing it's recommended to check @option{-passwd} file with
@option{-passwd-check} option to prevent daemon failure.
+@node TLS
+@unnumbered TLS support
+
+You can enable TLS support by specifying PEM-encoded X.509 certificate
+and private key files. Go's TLS implementation supports TLS 1.3, HTTP/2
+negotiation, Keep-Alives, modern ciphersuites and ECC.
+
+For example generate some self-signed certificate using GnuTLS toolset:
+
+@verbatim
+$ certtool --generate-privkey --ecc --outfile prv.pem
+$ cert_template=`mktemp`
+$ echo cn=gocheese.host > $cert_template
+$ certtool \
+ --generate-self-signed \
+ --load-privkey=prv.pem \
+ --template $cert_template \
+ --outfile=cert.pem
+$ rm $cert_template
+$ gocheese -tls-cert cert.pem -tls-key prv.pem [...]
+@end verbatim
+
@node Storage
@unnumbered Storage format