add support for dual HTTP/HTTPS, rm caddy from complement

complement sends C-S requests over HTTP, and federation over HTTPS. complement without caddy *almost* works. unfortunately i am now dealing with invalid X-Matrix signatures due to non-percent encoded URIs and it does not seem trivial to percent-encode URIs that a reverse proxy would normally do for you. Signed-off-by: strawberry <strawberry@puppygock.gay>
2024-02-24 17:25:43 -05:00 · 2024-02-24 17:25:43 -05:00 · 45ad7b40b3
commit 45ad7b40b3
parent 5344cdbbca
7 changed files with 105 additions and 109 deletions
--- a/complement/Dockerfile
+++ b/complement/Dockerfile
@ -8,31 +8,16 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 COPY Cargo.toml Cargo.toml
 COPY Cargo.lock Cargo.lock
 COPY src src
-RUN cargo build --release \
+RUN cargo build --release --features=axum_dual_protocol \
    && mv target/release/conduit conduit \
    && rm -rf target

-# Install caddy
-RUN apt-get update \
-    && apt-get install -y \
-    debian-keyring \
-    debian-archive-keyring \
-    apt-transport-https \
-    curl \
-    && curl -1sLf 'https://dl.cloudsmith.io/public/caddy/testing/gpg.key' \
-    | gpg --dearmor -o /usr/share/keyrings/caddy-testing-archive-keyring.gpg \
-    && curl -1sLf 'https://dl.cloudsmith.io/public/caddy/testing/debian.deb.txt' \
-    | tee /etc/apt/sources.list.d/caddy-testing.list \
-    && apt-get update \
-    && apt-get install -y caddy
-
 COPY conduwuit-example.toml conduit.toml
-COPY complement/caddy.json caddy.json

 ENV SERVER_NAME=localhost
 ENV CONDUIT_CONFIG=/workdir/conduit.toml

-RUN sed -i "s/port = 6167/port = 8008/g" conduit.toml
+RUN sed -i "s/port = 6167/port = [8448, 8008]/g" conduit.toml
 RUN sed -i "s/allow_registration = false/allow_registration = true/g" conduit.toml
 RUN sed -i "s/registration_token/#registration_token/g" conduit.toml
 RUN sed -i "s/allow_guest_registration = false/allow_guest_registration = true/g" conduit.toml
@ -41,22 +26,39 @@ RUN sed -i "s/allow_public_room_directory_without_auth = false/allow_public_room
 RUN sed -i "s/allow_device_name_federation = false/allow_device_name_federation = true/g" conduit.toml
 RUN sed -i "/\"127.0.0.0/d" conduit.toml
 RUN sed -i "/\"10.0.0.0/d" conduit.toml
+RUN sed -i "/\"172.16.0.0/d" conduit.toml
 RUN sed -i "/\"::1/d" conduit.toml
-RUN echo "log = \"warn\"" >> conduit.toml
-RUN echo 'yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse = true' >> conduit.toml
-RUN echo 'allow_outgoing_presence = true' >> conduit.toml
-RUN echo 'allow_incoming_presence = true' >> conduit.toml
-RUN echo 'allow_local_presence = true' >> conduit.toml
+RUN sed -i "s/#log = \"warn\"/log = \"debug\"/g" conduit.toml
+RUN sed -i 's/#\strusted_servers\s=\s\["matrix.org"\]/trusted_servers = []/g' conduit.toml
+RUN sed -i 's/# `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` to/yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse = true/g' conduit.toml
+RUN sed -i "s/allow_outgoing_presence = false/allow_outgoing_presence = true/g" conduit.toml
+RUN sed -i "s/allow_incoming_presence = false/allow_incoming_presence = true/g" conduit.toml
+RUN sed -i "s/allow_local_presence = false/allow_local_presence = true/g" conduit.toml
 RUN sed -i "s/address = \"127.0.0.1\"/address = \"0.0.0.0\"/g" conduit.toml
-RUN echo '[global.tls]' >> conduit.toml
-RUN echo 'certs = "/complement/ca/ca.crt"' >> conduit.toml
-RUN echo 'key = "/complement/ca/ca.key"' >> conduit.toml
+
+# https://stackoverflow.com/questions/76049656/unexpected-notvalidforname-with-rusts-tonic-with-tls
+RUN echo "authorityKeyIdentifier=keyid,issuer" >> extensions.ext
+RUN echo "basicConstraints=CA:FALSE" >> extensions.ext
+RUN echo 'subjectAltName = @alt_names' >> extensions.ext
+RUN echo '[alt_names]' >> extensions.ext
+RUN echo "DNS.1 = servername" >> extensions.ext
+RUN echo "IP.1 = ipaddress" >> extensions.ext
+

 EXPOSE 8008 8448

 CMD uname -a && \
+    cp -f -v /complement/ca/ca.crt /usr/local/share/ca-certificates/complement.crt && \
+    update-ca-certificates && \
+    sed -i "s/servername/${SERVER_NAME}/g" extensions.ext && \
+    sed -i "s/ipaddress/`hostname -i`/g" extensions.ext && \
+    openssl req -newkey rsa:2048 -noenc -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=$SERVER_NAME" -keyout $SERVER_NAME.key -out $SERVER_NAME.csr && \
+    openssl x509 -signkey $SERVER_NAME.key -in $SERVER_NAME.csr -req -days 2 -out $SERVER_NAME.crt && \
+    openssl x509 -req -CA /complement/ca/ca.crt -CAkey /complement/ca/ca.key -in $SERVER_NAME.csr -out $SERVER_NAME.crt -days 2 -CAcreateserial -extfile extensions.ext && \
    sed -i "s/#server_name = \"your.server.name\"/server_name = \"${SERVER_NAME}\"/g" conduit.toml && \
-    sed -i "s/your.server.name/${SERVER_NAME}/g" caddy.json && \
-    caddy start --config caddy.json > /dev/null && \
+    sed -i 's/#\s\[global.tls\]/\[global.tls\]/g' conduit.toml && \
+    sed -i "s/# certs = \"\/path\/to\/my\/certificate.crt\"/certs = \"${SERVER_NAME}.crt\"/g" conduit.toml && \
+    sed -i "s/# key = \"\/path\/to\/my\/private_key.key\"/key = \"${SERVER_NAME}.key\"/g" conduit.toml && \
+    sed -i "s/#dual_protocol = false/dual_protocol = true/g" conduit.toml && \
    /workdir/conduit

--- a/complement/caddy.json
+++ b/complement/caddy.json
@ -1,72 +0,0 @@
-{
-    "logging": {
-        "logs": {
-            "default": {
-                "level": "WARN"
-            }
-        }
-    },
-    "apps": {
-        "http": {
-            "https_port": 8448,
-            "servers": {
-                "srv0": {
-                    "listen": [":8448"],
-                    "routes": [{
-                        "match": [{
-                            "host": ["your.server.name"]
-                        }],
-                        "handle": [{
-                            "handler": "subroute",
-                            "routes": [{
-                                "handle": [{
-                                    "handler": "reverse_proxy",
-                                    "upstreams": [{
-                                        "dial": "127.0.0.1:8008"
-                                    }]
-                                }]
-                            }]
-                        }],
-                        "terminal": true
-                    }],
-                    "tls_connection_policies": [{
-                        "match": {
-                            "sni": ["your.server.name"]
-                        }
-                    }]
-                }
-            }
-        },
-        "pki": {
-            "certificate_authorities": {
-                "local": {
-                    "name": "Complement CA",
-                    "root": {
-                        "certificate": "/complement/ca/ca.crt",
-                        "private_key": "/complement/ca/ca.key"
-                    },
-                    "intermediate": {
-                        "certificate": "/complement/ca/ca.crt",
-                        "private_key": "/complement/ca/ca.key"
-                    }
-                }
-            }
-        },
-        "tls": {
-            "automation": {
-                "policies": [{
-                    "subjects": ["your.server.name"],
-                    "issuers": [{
-                        "module": "internal"
-                    }],
-                    "on_demand": true
-                }, {
-                    "issuers": [{
-                        "module": "internal",
-                        "ca": "local"
-                    }]
-                }]
-            }
-        }
-    }
-}