Merge pull request #157 from HyNetwork/wip-kp-reload

Reload server keypair every 10 minutes

cmd/kploader.go

@@ -0,0 +1,57 @@
+package main
+
+import (
+	"crypto/tls"
+	"github.com/sirupsen/logrus"
+	"sync"
+	"time"
+)
+
+const (
+	keypairReloadInterval = 10 * time.Minute
+)
+
+type keypairLoader struct {
+	certMu   sync.RWMutex
+	cert     *tls.Certificate
+	certPath string
+	keyPath  string
+}
+
+func newKeypairLoader(certPath, keyPath string) (*keypairLoader, error) {
+	result := &keypairLoader{
+		certPath: certPath,
+		keyPath:  keyPath,
+	}
+	cert, err := tls.LoadX509KeyPair(certPath, keyPath)
+	if err != nil {
+		return nil, err
+	}
+	result.cert = &cert
+	go func() {
+		for {
+			time.Sleep(keypairReloadInterval)
+			cert, err := tls.LoadX509KeyPair(certPath, keyPath)
+			if err != nil {
+				logrus.WithFields(logrus.Fields{
+					"error": err,
+					"cert":  certPath,
+					"key":   keyPath,
+				}).Warning("Failed to reload keypair")
+				continue
+			}
+			result.certMu.Lock()
+			result.cert = &cert
+			result.certMu.Unlock()
+		}
+	}()
+	return result, nil
+}
+
+func (kpr *keypairLoader) GetCertificateFunc() func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
+	return func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
+		kpr.certMu.RLock()
+		defer kpr.certMu.RUnlock()
+		return kpr.cert, nil
+	}
+}

cmd/server.go

@@ -38,7 +38,7 @@ func server(config *serverConfig) {
 		tlsConfig = tc
 	} else {
 		// Local cert mode
-		cert, err := tls.LoadX509KeyPair(config.CertFile, config.KeyFile)
+		kpl, err := newKeypairLoader(config.CertFile, config.KeyFile)
 		if err != nil {
 			logrus.WithFields(logrus.Fields{
 				"error": err,
@@ -47,7 +47,7 @@ func server(config *serverConfig) {
 			}).Fatal("Failed to load the certificate")
 		}
 		tlsConfig = &tls.Config{
-			Certificates: []tls.Certificate{cert},
+			GetCertificate: kpl.GetCertificateFunc(),
 			MinVersion:     tls.VersionTLS13,
 		}
 	}