

[PATCH tlstunnel] Add support for DNS challenges

Message ID
<20200910165635.3896-1-delthas@dille.cc>
DKIM signature
pass
Patch: +237 -1
DNS challenges require enabling specific build tags for each DNS
provider. DNS providers are community-supported and located in
contrib/dns.
---
 cmd/tlstunnel/main.go       |  2 ++
 contrib/dns/README.md       | 37 +++++++++++++++++++++++++++++++++++++
 contrib/dns/cloudflare.go   | 21 +++++++++++++++++++++
 contrib/dns/digitalocean.go | 21 +++++++++++++++++++++
 contrib/dns/dns.go          | 15 +++++++++++++++
 contrib/dns/dnspod.go       | 21 +++++++++++++++++++++
 contrib/dns/gandi.go        | 21 +++++++++++++++++++++
 contrib/dns/route53.go      | 26 ++++++++++++++++++++++++++
 contrib/dns/transip.go      | 22 ++++++++++++++++++++++
 directives.go               | 18 ++++++++++++++++++
 dns.go                      | 11 +++++++++++
 go.mod                      | 23 ++++++++++++++++++++++-
 12 files changed, 237 insertions(+), 1 deletion(-)
 create mode 100644 contrib/dns/README.md
 create mode 100644 contrib/dns/cloudflare.go
 create mode 100644 contrib/dns/digitalocean.go
 create mode 100644 contrib/dns/dns.go
 create mode 100644 contrib/dns/dnspod.go
 create mode 100644 contrib/dns/gandi.go
 create mode 100644 contrib/dns/route53.go
 create mode 100644 contrib/dns/transip.go
 create mode 100644 dns.go

diff --git a/cmd/tlstunnel/main.go b/cmd/tlstunnel/main.go
index 94cbd0b..8a00579 100644
--- a/cmd/tlstunnel/main.go
+++ b/cmd/tlstunnel/main.go
@@ -5,6 +5,8 @@ import (
	"log"

	"git.sr.ht/~emersion/tlstunnel"

	_ "git.sr.ht/~emersion/tlstunnel/contrib/dns"
)

var configPath = "config"
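Review bot: The blank import on the new line `_ "git.sr.ht/~emersion/tlstunnel/contrib/dns"` is the only thing that causes the provider `init()` registrations to run, and nothing at the call site says so; a reader removing it as "unused" would silently lose every `dns` provider. Add a why-comment above it, e.g. `// Side-effect import: registers the DNS providers selected at build time via dns_<name> tags (see contrib/dns/README.md).` It is also worth noting that library users who import `tlstunnel` without this binary get an empty provider table, presumably by design.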
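diff --git a/contrib/dns/README.md b/contrib/dns/README.md
new file mode 100644
index 0000000..39d88e0
--- /dev/null
+++ b/contrib/dns/README.md
@@ -0,0 +1,37 @@
+# DNS challenge
+
+DNS challenges are disabled by default. To enable them, you need to:
+- enable build-time support for DNS challenges
+- enable DNS challenges in your tlstunnel configuration
+
+## Enabling support for DNS challenges
+
+To enable build-time support for a DNS provider, build tlstunnel with the corresponding Go build tag. That's usually `dns_<name>`.
+
+For example, to add support for the Gandi DNS provider, run:
+```
+go build -tags dns_gandi
+```
+
+## Using DNS challenges in the tlstunnel configuration
+
+To use DNS challenges after you've added support for them, add a `tls` block with a `dns` directive in your configuration.
+
+The format of the `dns` directive is: `dns <provider_name> [<parameter>...]`, with each DNS provider having its own specific list of parameters. See the next section for details.
+
+For example, to enable DNS challenges for Gandi, add to your configuration file:
+```
+tls {
+    dns gandi "my-gandi-api-key"
+}
+```
+
+## DNS providers & configuration parameters
+
+| Provider | Parameter 1 | Parameter 2 |
+| --- | --- | --- |
+| cloudflare | [Scoped API token](https://github.com/libdns/cloudflare#authenticating) | |
+| digitalocean | [Personal access token](https://github.com/digitalocean/godo#authentication) | |
+| gandi | [API key](https://github.com/libdns/gandi#authenticating) | |
+| [route53](https://github.com/libdns/route53/#authenticating) | | |
+| transip | Account name | Private key path |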
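diff --git a/contrib/dns/cloudflare.go b/contrib/dns/cloudflare.go
new file mode 100644
index 0000000..0a85427
--- /dev/null
+++ b/contrib/dns/cloudflare.go
@@ -0,0 +1,21 @@
+// +build dns_cloudflare
+
+package dns
+
+import (
+	"git.sr.ht/~emersion/tlstunnel"
+	"github.com/caddyserver/certmagic"
+	"github.com/libdns/cloudflare"
+)
+
+func init() {
+	tlstunnel.RegisterDNS("cloudflare", func(params ...string) (provider certmagic.ACMEDNSProvider, err error) {
+		var token string
+		if err := getParams(params, &token); err != nil {
+			return nil, err
+		}
+		return &cloudflare.Provider{
+			APIToken: token,
+		}, nil
+	})
+}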
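Review bot: An empty token is accepted here, because `getParams` only checks the parameter count, so `dns cloudflare ""` (or an unset variable expanded to nothing by a config generator) passes config validation and only fails at the first certificate issuance, typically weeks after deployment. Reject it up front after the `getParams` call: `if token == "" { return nil, errors.New("cloudflare: API token must not be empty") }` (adds an `errors` import). The same check applies to the digitalocean, dnspod and gandi constructors, which have the identical shape. Since the token is a live DNS-write credential stored verbatim in the config file, it is also worth a comment here or in the README reminding operators to restrict the config file's permissions.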
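diff --git a/contrib/dns/digitalocean.go b/contrib/dns/digitalocean.go
new file mode 100644
index 0000000..5f8ee9f
--- /dev/null
+++ b/contrib/dns/digitalocean.go
@@ -0,0 +1,21 @@
+// +build dns_digitalocean
+
+package dns
+
+import (
+	"git.sr.ht/~emersion/tlstunnel"
+	"github.com/caddyserver/certmagic"
+	"github.com/libdns/digitalocean"
+)
+
+func init() {
+	tlstunnel.RegisterDNS("digitalocean", func(params ...string) (provider certmagic.ACMEDNSProvider, err error) {
+		var token string
+		if err := getParams(params, &token); err != nil {
+			return nil, err
+		}
+		return &digitalocean.Provider{
+			APIToken: token,
+		}, nil
+	})
+}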
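Review bot: This `init()` is byte-for-byte the cloudflare, dnspod and gandi ones except for the provider type, so any fix to parameter validation has to be repeated four times. A small untagged helper in dns.go would let each tagged file shrink to a one-liner such as `tokenProvider("digitalocean", func(t string) certmagic.ACMEDNSProvider { return &digitalocean.Provider{APIToken: t} })`. The helper below keeps the registration name and parameter contract unchanged.

```go
// tokenProvider registers a DNS provider whose only configuration
// parameter is a single API token; build turns that token into the
// concrete libdns provider.
func tokenProvider(name string, build func(token string) certmagic.ACMEDNSProvider) {
	tlstunnel.RegisterDNS(name, func(params ...string) (certmagic.ACMEDNSProvider, error) {
		var token string
		if err := getParams(params, &token); err != nil {
			return nil, err
		}
		return build(token), nil
	})
}
```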
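diff --git a/contrib/dns/dns.go b/contrib/dns/dns.go
new file mode 100644
index 0000000..c71ad0c
--- /dev/null
+++ b/contrib/dns/dns.go
@@ -0,0 +1,15 @@
+package dns
+
+import (
+	"errors"
+)
+
+func getParams(params []string, values ...*string) error {
+	if len(params) < len(values) {
+		return errors.New("not enough parameters")
+	}
+	for i, v := range values {
+		*v = params[i]
+	}
+	return nil
+}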
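Review bot: Surplus parameters are silently dropped by `getParams`, since the guard is `len(params) < len(values)`; a user who writes `dns transip myaccount /etc/key.pem extra` or who puts the provider's arguments in the wrong order gets no diagnostic until the challenge fails. Make the count exact and report both numbers without echoing the values, which are credentials: `if len(params) != len(values) { return fmt.Errorf("expected %d parameters, got %d", len(values), len(params)) }` (swapping the `errors` import for `fmt`). A doc comment such as `// getParams copies the positional directive parameters into values, in order.` would also help, as this helper is the validation point for every provider.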
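diff --git a/contrib/dns/dnspod.go b/contrib/dns/dnspod.go
new file mode 100644
index 0000000..64928e7
--- /dev/null
+++ b/contrib/dns/dnspod.go
@@ -0,0 +1,21 @@
+// +build dns_dnspod
+
+package dns
+
+import (
+	"git.sr.ht/~emersion/tlstunnel"
+	"github.com/caddyserver/certmagic"
+	"github.com/libdns/dnspod"
+)
+
+func init() {
+	tlstunnel.RegisterDNS("dnspod", func(params ...string) (provider certmagic.ACMEDNSProvider, err error) {
+		var token string
+		if err := getParams(params, &token); err != nil {
+			return nil, err
+		}
+		return &dnspod.Provider{
+			APIToken: token,
+		}, nil
+	})
+}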
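Review bot: The dnspod provider registered here is missing from the provider table in contrib/dns/README.md, which lists cloudflare, digitalocean, gandi, route53 and transip only, so the `dns_dnspod` tag and its single token parameter are undiscoverable. Add a row such as `| dnspod | API token | |` to the table, with a link to the libdns/dnspod authentication notes if one exists. A one-line comment above `init()` naming the build tag and the expected parameter would serve the same purpose for readers of the code.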
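diff --git a/contrib/dns/gandi.go b/contrib/dns/gandi.go
new file mode 100644
index 0000000..8b428eb
--- /dev/null
+++ b/contrib/dns/gandi.go
@@ -0,0 +1,21 @@
+// +build dns_gandi
+
+package dns
+
+import (
+	"git.sr.ht/~emersion/tlstunnel"
+	"github.com/caddyserver/certmagic"
+	"github.com/libdns/gandi"
+)
+
+func init() {
+	tlstunnel.RegisterDNS("gandi", func(params ...string) (provider certmagic.ACMEDNSProvider, err error) {
+		var token string
+		if err := getParams(params, &token); err != nil {
+			return nil, err
+		}
+		return &gandi.Provider{
+			APIToken: token,
+		}, nil
+	})
+}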
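diff --git a/contrib/dns/route53.go b/contrib/dns/route53.go
new file mode 100644
index 0000000..30625d1
--- /dev/null
+++ b/contrib/dns/route53.go
@@ -0,0 +1,26 @@
+// +build dns_route53
+
+package dns
+
+import (
+	"fmt"
+
+	"git.sr.ht/~emersion/tlstunnel"
+
+	"github.com/caddyserver/certmagic"
+	"github.com/libdns/route53"
+)
+
+func init() {
+	tlstunnel.RegisterDNS("route53", func(params ...string) (provider certmagic.ACMEDNSProvider, err error) {
+		var token string
+		if err := getParams(params, &token); err != nil {
+			return nil, fmt.Errorf("initializing Route53 DNS client failed: %v", err)
+		}
+		var p route53.Provider
+		if err := p.NewSession(); err != nil {
+			return nil, fmt.Errorf("initializing Route53 DNS client failed: %v", err)
+		}
+		return &p, nil
+	})
+}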
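Review bot: The route53 constructor demands one positional parameter via `getParams(params, &token)` and then never uses `token`, while the README table documents route53 as taking no parameters, so the documented `dns route53` fails with "not enough parameters" and the undocumented workaround is to paste in a value that is silently ignored (quite possibly a real AWS secret copied into the config for nothing). Drop the `token` block and instead reject stray arguments: `if len(params) != 0 { return nil, errors.New("route53 takes no parameters; AWS credentials are read from the environment") }`. Credentials presumably come from the SDK's default chain through `p.NewSession()`, which is worth stating in a comment above the call since nothing here shows it. Also prefer `%w` over `%v` when wrapping the `NewSession` error so callers can inspect it.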
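diff --git a/contrib/dns/transip.go b/contrib/dns/transip.go
new file mode 100644
index 0000000..a9bb700
--- /dev/null
+++ b/contrib/dns/transip.go
@@ -0,0 +1,22 @@
+// +build dns_transip
+
+package dns
+
+import (
+	"git.sr.ht/~emersion/tlstunnel"
+	"github.com/caddyserver/certmagic"
+	"github.com/libdns/transip"
+)
+
+func init() {
+	tlstunnel.RegisterDNS("transip", func(params ...string) (provider certmagic.ACMEDNSProvider, err error) {
+		var accountName, privateKeyPath string
+		if err := getParams(params, &accountName, &privateKeyPath); err != nil {
+			return nil, err
+		}
+		return &transip.Provider{
+			AccountName:    accountName,
+			PrivateKeyPath: privateKeyPath,
+		}, nil
+	})
+}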
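Review bot: `privateKeyPath` is handed to `transip.Provider` unchecked, so a relative path is resolved against the daemon's working directory (often `/` under a service manager) and an unreadable or missing key file is only discovered when the first challenge runs, not when the config is loaded. Fail early with `if _, err := os.Stat(privateKeyPath); err != nil { return nil, fmt.Errorf("transip: private key %q: %w", privateKeyPath, err) }` (adds `fmt` and `os` imports); the path is not a secret, so quoting it is fine. Whether the libdns provider reads the file once or per request is not visible here, so a comment noting that the file must stay readable by the tlstunnel user for the process lifetime is advisable.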
diff --git a/directives.go b/directives.go
index 8f3de54..bf21f09 100644
--- a/directives.go
+++ b/directives.go
@@ -5,6 +5,8 @@ import (
	"net"
	"net/url"
	"strings"

	"github.com/caddyserver/certmagic"
)

func parseConfig(srv *Server, cfg *Directive) error {
@@ -107,6 +109,22 @@ func parseTLS(srv *Server, d *Directive) error {
				return err
			}
			srv.ACMEManager.CA = caURL
		case "dns":
			var providerType string
			if err := child.ParseParams(&providerType); err != nil {
				return err
			}
			provider, ok := Providers[providerType]
			if !ok {
				return fmt.Errorf("unknown dns provider %q", providerType)
			}
			d, err := provider(child.Params[1:]...)
			if err != nil {
				return fmt.Errorf("invalid dns provider %q: %v", providerType, err)
			}
			srv.ACMEManager.DNS01Solver = &certmagic.DNS01Solver{
				DNSProvider: d,
			}
		default:
			return fmt.Errorf("unknown %q directive", child.Name)
		}
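Review bot: `d, err := provider(child.Params[1:]...)` shadows the `d *Directive` parameter of `parseTLS` for the rest of the `case "dns":` arm, which reads fine today but will bite the next person who needs the enclosing directive inside that case; rename it, e.g. `dnsProv, err := provider(child.Params[1:]...)` and `DNSProvider: dnsProv,`. The slice `child.Params[1:]` relies on `child.ParseParams(&providerType)` having rejected a bare `dns` line with no name — that appears to be the intent, but the helper is outside this hunk so it should be confirmed. Two `dns` directives in one `tls` block also silently overwrite `srv.ACMEManager.DNS01Solver`; a `if srv.ACMEManager.DNS01Solver != nil { return fmt.Errorf("duplicate dns directive") }` guard would catch copy-paste mistakes. `parseTLS` starts and ends outside the hunk.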
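diff --git a/dns.go b/dns.go
new file mode 100644
index 0000000..58edcdc
--- /dev/null
+++ b/dns.go
@@ -0,0 +1,11 @@
+package tlstunnel
+
+import "github.com/caddyserver/certmagic"
+
+type Provider func(params ...string) (provider certmagic.ACMEDNSProvider, err error)
+
+var Providers = make(map[string]Provider)
+
+func RegisterDNS(name string, provider Provider) {
+	Providers[name] = provider
+}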
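Review bot: `RegisterDNS` silently overwrites an existing entry, so two provider files registering the same name (easy once contributors copy an existing file) leave whichever `init()` ran last in control with no diagnostic; the convention used by `database/sql.Register` and `image.RegisterFormat` is to panic at init time on a duplicate. All three exported identifiers also lack doc comments, and `Providers` is an exported mutable map that the `dns` directive reads — say in its comment that it must only be written during package initialization. The rewrite below keeps the signature and the map unchanged.

```go
// Provider builds a certmagic DNS-01 provider from the positional
// parameters of a "dns <name> [<parameter>...]" configuration directive.
type Provider func(params ...string) (provider certmagic.ACMEDNSProvider, err error)

// Providers maps a provider name to its constructor. It is populated by
// RegisterDNS from init() functions and must not be modified afterwards.
var Providers = make(map[string]Provider)

// RegisterDNS makes provider available under name to the "dns"
// configuration directive. It panics if name is already registered.
func RegisterDNS(name string, provider Provider) {
	if _, dup := Providers[name]; dup {
		panic("tlstunnel: RegisterDNS called twice for provider " + name)
	}
	Providers[name] = provider
}
```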
diff --git a/go.mod b/go.mod
index 8dfbcea..aca6df2 100644
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,28 @@ module git.sr.ht/~emersion/tlstunnel
go 1.15

require (
	github.com/caddyserver/certmagic v0.11.2
	github.com/caddyserver/certmagic v0.11.3-0.20200909192900-34fc6bf02a12
	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
	github.com/klauspost/cpuid v1.3.1 // indirect
	github.com/libdns/cloudflare v0.0.0-20200528144945-97886e7873b1
	github.com/libdns/digitalocean v0.0.0-20200817185712-f11d70f2506c
	github.com/libdns/dnspod v0.0.1
	github.com/libdns/gandi v1.0.1
	github.com/libdns/route53 v1.0.1
	github.com/libdns/transip v0.0.0-20200817195333-0a08f494afae
	github.com/miekg/dns v1.1.31 // indirect
	github.com/pires/go-proxyproto v0.1.3
	github.com/transip/gotransip v5.8.2+incompatible // indirect
	go.uber.org/zap v1.16.0 // indirect
	golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a // indirect
	golang.org/x/lint v0.0.0-20200302205851-738671d3881b // indirect
	golang.org/x/net v0.0.0-20200904194848-62affa334b73 // indirect
	golang.org/x/sys v0.0.0-20200909081042-eff7692f9009 // indirect
	golang.org/x/text v0.3.3 // indirect
	golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb // indirect
	honnef.co/go/tools v0.0.1-2020.1.3 // indirect
)

// temporary workaround for `module declares its path as: github.com/mdbraber/libdns-transip but was required as: github.com/libdns/transip`
// see https://github.com/libdns/transip/pull/2
replace github.com/libdns/transip v0.0.0-20200817195333-0a08f494afae => github.com/mdbraber/libdns-transip v0.0.0-20200522185258-223b218b624a
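Review bot: The `replace` on the last line redirects `github.com/libdns/transip` to a personal fork, `github.com/mdbraber/libdns-transip`, at an untagged pseudo-version, which puts code that handles the TransIP private key under the control of an individual account outside both this project and the libdns organization; the comment should record the upstream PR and a reminder to remove the replace once libdns/transip#2 lands, and the fork commit hash should be reviewed before merging. The diffstat lists twelve files and no `go.sum`, so unless go.sum is deliberately untracked here, the checksums pinning these seven new modules and their transitive dependencies are not part of the patch. Several `// indirect` additions (`golang.org/x/lint`, `golang.org/x/tools`, `honnef.co/go/tools`) look like tooling pulled in transitively; presumably a `go mod tidy` after the replace would confirm whether they are needed.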
-- 
2.26.2