Enforce handling of ACME-TLS/1 challenges

Co-authored-by: Baptiste Mayelle <baptiste.mayelle@traefik.io> Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>
2024-03-29 11:36:05 +01:00 · 2024-03-29 11:36:05 +01:00 · c31f5df854
commit c31f5df854
parent 167bdb0d53
2 changed files with 87 additions and 2 deletions
--- a/pkg/server/router/tcp/router.go
+++ b/pkg/server/router/tcp/router.go
@ -8,8 +8,10 @@ import (
 	"io"
 	"net"
 	"net/http"
+	"slices"
 	"time"

+	"github.com/go-acme/lego/v4/challenge/tlsalpn01"
 	"github.com/traefik/traefik/v2/pkg/log"
 	tcpmuxer "github.com/traefik/traefik/v2/pkg/muxer/tcp"
 	"github.com/traefik/traefik/v2/pkg/tcp"
@ -146,6 +148,12 @@ func (r *Router) ServeTCP(conn tcp.WriteCloser) {
 		return
 	}

+	// Handling ACME-TLS/1 challenges.
+	if slices.Contains(hello.protos, tlsalpn01.ACMETLS1Protocol) {
+		r.acmeTLSALPNHandler().ServeTCP(r.GetConn(conn, hello.peeked))
+		return
+	}
+
 	// For real, the handler eventually used for HTTPS is (almost) always the same:
 	// it is the httpsForwarder that is used for all HTTPS connections that match
 	// (which is also incidentally the same used in the last block below for 404s).
@ -190,6 +198,17 @@ func (r *Router) ServeTCP(conn tcp.WriteCloser) {
 	conn.Close()
 }

+// acmeTLSALPNHandler returns a special handler to solve ACME-TLS/1 challenges.
+func (r *Router) acmeTLSALPNHandler() tcp.Handler {
+	if r.httpsTLSConfig == nil {
+		return &brokenTLSRouter{}
+	}
+
+	return tcp.HandlerFunc(func(conn tcp.WriteCloser) {
+		_ = tls.Server(conn, r.httpsTLSConfig).Handshake()
+	})
+}
+
 // AddRoute defines a handler for the given rule.
 func (r *Router) AddRoute(rule string, priority int, target tcp.Handler) error {
 	return r.muxerTCP.AddRoute(rule, priority, target)