clients/autocert: default hostname if none in SNIclients/autocert/v2.1.0

1 files changed, 17 insertions, 0 deletions

diff --git a/clients/autocert/autocert_wrapper.go b/clients/autocert/autocert_wrapper.go
index 567d2c2..c8dd180 100644
--- a/clients/autocert/autocert_wrapper.go
+++ b/clients/autocert/autocert_wrapper.go
@@ -2,6 +2,7 @@ package autocert
 
 import (
         "context"
+        "crypto/tls"
         "sync"
 
         "code.crute.us/mcrute/golib/clients/dns"
@@ -23,6 +24,7 @@ type AutocertWrapper struct {
         *autocert.Manager
         hostList      *glautocert.ACMEHostList
         primingNotify chan string
+        primaryHost   string
 }
 
 func MustNewAutocertWrapper(ctx context.Context, c AutocertConfig) *AutocertWrapper {
@@ -38,6 +40,7 @@ func NewAutocertWrapper(ctx context.Context, c AutocertConfig) (*AutocertWrapper
         return &AutocertWrapper{
                 hostList:      hostList,
                 primingNotify: make(chan string, 10),
+                primaryHost:   c.Hosts[0],
                 Manager: &autocert.Manager{
                         Cache:      autocert.DirCache("ssl/"),
                         Prompt:     autocert.AcceptTOS,
@@ -52,6 +55,20 @@ func NewAutocertWrapper(ctx context.Context, c AutocertConfig) (*AutocertWrapper
         }, nil
 }
 
+func (w *AutocertWrapper) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
+        h := *hello
+
+        // Override a blank SNI ServerName with the first host in the allowed
+        // host list rather than erroring out. This allows users to hit the
+        // server by IP and use a Host header while still getting content and
+        // is consistent with nginx behavior.
+        if h.ServerName == "" {
+                h.ServerName = w.primaryHost
+        }
+
+        return w.Manager.GetCertificate(&h)
+}
+
 func (w *AutocertWrapper) PrimeCache() error {
         return w.hostList.PrimeCache(w.Manager, w.primingNotify)
 }