author | Vladimir Shushlin <v.shushlin@gmail.com> | 2021-10-19 13:19:34 +0300 |
---|---|---|
committer | Vladimir Shushlin <v.shushlin@gmail.com> | 2021-10-19 13:21:27 +0300 |
commit | f7b43c585e0fb380e6c7cf6071b83b0d363b4ad1 (patch) | |
tree | 2ff87d7e34f607b21cd3186670539c8ed312a966 | |
parent | 65a13cb5e8f28cb0f658de58e4743f74f51f0479 (diff) |
fix: Let's Encrypt integration with /* redirects649-wildcard-redirects-break-let-s-encrypt-integration
Let's Encrypt integration relies on acme challenges being redirected
to main GitLab server and served there.
We also allow serving ACME challenges from project content
just in case users implemented Let's Encrypt integration manually.
But when a user adds `/* -> redirect_url` to .redirects, the challenge request is treated
as project content and handled as a redirect.
Changelog: fixed
This commit simply stops handling redirects for any LE challenges.
-rw-r--r-- | internal/acme/acme.go | 4 | ||||
-rw-r--r-- | internal/redirects/redirects.go | 5 | ||||
-rw-r--r-- | internal/redirects/redirects_test.go | 8 |
3 files changed, 15 insertions, 2 deletions
diff --git a/internal/acme/acme.go b/internal/acme/acme.go
index 039be32a..607dcc23 100644
--- a/internal/acme/acme.go
+++ b/internal/acme/acme.go
@@ -26,7 +26,7 @@ func (m *Middleware) ServeAcmeChallenges(w http.ResponseWriter, r *http.Request,
 return false
 }
- if !isAcmeChallenge(r.URL.Path) {
+ if !IsAcmeChallenge(r.URL.Path) {
 return false
 }
@@ -37,7 +37,7 @@ func (m *Middleware) ServeAcmeChallenges(w http.ResponseWriter, r *http.Request,
 return m.redirectToGitlab(w, r)
 }
-func isAcmeChallenge(path string) bool {
+func IsAcmeChallenge(path string) bool {
 return strings.HasPrefix(filepath.Clean(path), "/.well-known/acme-challenge/")
 }
diff --git a/internal/redirects/redirects.go b/internal/redirects/redirects.go
index 24ce8692..a0d0a774 100644
--- a/internal/redirects/redirects.go
+++ b/internal/redirects/redirects.go
@@ -14,6 +14,7 @@ import (
 "gitlab.com/gitlab-org/labkit/log"
+ "gitlab.com/gitlab-org/gitlab-pages/internal/acme"
 "gitlab.com/gitlab-org/gitlab-pages/internal/vfs"
 )
@@ -100,6 +101,10 @@ func (r *Redirects) Status() string {
 // Rewrite takes in a URL and uses the parsed Netlify rules to rewrite
 // the URL to the new location if it matches any rule
 func (r *Redirects) Rewrite(originalURL *url.URL) (*url.URL, int, error) {
+ if acme.IsAcmeChallenge(originalURL.Path) {
+ return nil, 0, ErrNoRedirect
+ }
+
 rule, newPath := r.match(originalURL.Path)
 if rule == nil {
 return nil, 0, ErrNoRedirect
diff --git a/internal/redirects/redirects_test.go b/internal/redirects/redirects_test.go
index 8cad98f8..a15d8413 100644
--- a/internal/redirects/redirects_test.go
+++ b/internal/redirects/redirects_test.go
@@ -123,6 +123,14 @@ func TestRedirectsRewrite(t *testing.T) {
 expectedStatus: http.StatusOK,
 expectedErr: "",
 },
+ {
+ name: "does_not_redirect_acme_challenges",
+ url: "/.well-known/acme-challenge/token",
+ rule: "/* /to/path 200",
+ expectedURL: "",
+ expectedStatus: 0,
+ expectedErr: ErrNoRedirect.Error(),
+ },
 }
 for _, tt := range tests { |
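Review bot: `IsAcmeChallenge` is exported at the `+func IsAcmeChallenge(path string) bool {` line but carries no doc comment, and since the redirects package now relies on it to decide that a path must never be rewritten, its contract should be stated, for example `// IsAcmeChallenge reports whether path, after cleaning, starts with /.well-known/acme-challenge/; callers use it to keep ACME HTTP-01 challenge requests out of project-controlled routing.` The unchanged body cleans the URL path with `filepath.Clean`, which is OS-specific and would turn the separators into backslashes on Windows so the prefix test fails; `path.Clean` is the slash-only equivalent for URL paths and would be the safer choice if Pages is ever built for that platform. The first hunk of this file only renames the call site and needs no separate note.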
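Review bot: The doc comment above `func (r *Redirects) Rewrite` still says the URL is rewritten `if it matches any rule`, which the new guard makes untrue: a request under `/.well-known/acme-challenge/` now returns `ErrNoRedirect` before `r.match` runs, so even a rule written specifically for that prefix is ignored. Extend the comment with a sentence such as `// Paths under /.well-known/acme-challenge/ are never rewritten, regardless of the rules, so the ACME middleware can serve or forward them.` The import hunk above also couples `redirects` to `acme`; should `acme` ever need `redirects`, that becomes an import cycle, so keeping the predicate in a leaf package (or passing it in as a func) would make the dependency direction explicit — a design point rather than a defect in this change. Rewrite's body continues past the end of the hunk.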
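Review bot: The new `does_not_redirect_acme_challenges` case only exercises the wildcard rule `/* /to/path 200`, so it does not pin the more surprising consequence of the guard: a rule aimed directly at the challenge path is ignored as well. A second table entry with the same expectations but a rule targeting `/.well-known/acme-challenge/*` would document that precedence and would catch a later refactor that moved the guard below `r.match`. `TestRedirectsRewrite` begins and ends outside the hunk.
```go
		{
			name:           "does_not_redirect_explicit_acme_rule",
			url:            "/.well-known/acme-challenge/token",
			rule:           "/.well-known/acme-challenge/* /to/path 200",
			expectedURL:    "",
			expectedStatus: 0,
			expectedErr:    ErrNoRedirect.Error(),
		},
```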