feat: reload server keypair every 10 minutes

Toby 2021-11-25 14:53:54 -08:00
parent 71427f23e2
commit d4f5a04865
2 changed files with 60 additions and 3 deletions

57
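--- /dev/null
+++ b/cmd/kploader.go
@@ -0,0 +1,57 @@
+package main
+import (
+"crypto/tls"
+"github.com/sirupsen/logrus"
+"sync"
+"time"
+)
+const (
+keypairReloadInterval = 10 * time.Minute
+)
+type keypairLoader struct {
+certMu sync.RWMutex
+cert *tls.Certificate
+certPath string
+keyPath string
+}
+func newKeypairLoader(certPath, keyPath string) (*keypairLoader, error) {
+result := &keypairLoader{
+certPath: certPath,
+keyPath: keyPath,
+}
+cert, err := tls.LoadX509KeyPair(certPath, keyPath)
+if err != nil {
+return nil, err
+}
+result.cert = &cert
+go func() {
+for {
+time.Sleep(keypairReloadInterval)
+cert, err := tls.LoadX509KeyPair(certPath, keyPath)
+if err != nil {
+logrus.WithFields(logrus.Fields{
+"error": err,
+"cert": certPath,
+"key": keyPath,
+}).Warning("Failed to reload keypair")
+continue
+}
+result.certMu.Lock()
+result.cert = &cert
+result.certMu.Unlock()
+}
+}()
+return result, nil
+}
+func (kpr *keypairLoader) GetCertificateFunc() func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
+return func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
+kpr.certMu.RLock()
+defer kpr.certMu.RUnlock()
+return kpr.cert, nil
+}
+}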
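Review bot: The reload loop at the end of newKeypairLoader swaps in whatever tls.LoadX509KeyPair accepts, so a rotated file whose leaf certificate is already expired or not yet valid replaces a working one; the only thing protecting the previous pair is the key-mismatch error. Parse `cert.Certificate[0]` with crypto/x509 (a new import) and keep the previous keypair when the leaf is outside its NotBefore/NotAfter window, logging the rejection — `cert.Leaf` is left nil by LoadX509KeyPair on Go releases before 1.23, so the explicit parse is needed. The goroutine also has no stop signal and re-reads both files every interval even when nothing changed; presumably fine for a process-lifetime server, but a done channel or a modtime comparison would make that explicit. GetCertificateFunc is exported and undocumented; a comment such as `// GetCertificateFunc returns a tls.Config.GetCertificate callback that serves the most recently loaded keypair.` would help.
```go
cert, err := tls.LoadX509KeyPair(certPath, keyPath)
if err != nil {
	// … unchanged: warning log, continue …
}
// Refuse to swap in a pair whose leaf is outside its validity window, so a
// bad rotation keeps serving the previous (still working) certificate.
leaf, perr := x509.ParseCertificate(cert.Certificate[0])
now := time.Now()
if perr != nil || now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
	logrus.WithFields(logrus.Fields{
		"error": perr,
		"cert":  certPath,
	}).Warning("Reloaded certificate is not currently valid, keeping previous keypair")
	continue
}
result.certMu.Lock()
result.cert = &cert
result.certMu.Unlock()
```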


@ -38,7 +38,7 @@ func server(config *serverConfig) {
tlsConfig = tc tlsConfig = tc
} else { } else {
// Local cert mode // Local cert mode
cert, err := tls.LoadX509KeyPair(config.CertFile, config.KeyFile) kpl, err := newKeypairLoader(config.CertFile, config.KeyFile)
if err != nil { if err != nil {
logrus.WithFields(logrus.Fields{ logrus.WithFields(logrus.Fields{
"error": err, "error": err,
@ -47,7 +47,7 @@ func server(config *serverConfig) {
}).Fatal("Failed to load the certificate") }).Fatal("Failed to load the certificate")
} }
tlsConfig = &tls.Config{ tlsConfig = &tls.Config{
Certificates: []tls.Certificate{cert}, GetCertificate: kpl.GetCertificateFunc(),
MinVersion: tls.VersionTLS13, MinVersion: tls.VersionTLS13,
} }
} }