阶段性提交

internal/configs/serverconfigs/sslconfigs/ssl.go

@@ -0,0 +1,207 @@
+package sslconfigs
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"errors"
+	"github.com/iwind/TeaGo/types"
+	"io/ioutil"
+	"net"
+	"regexp"
+	"strconv"
+	"strings"
+)
+
+// TLS Version
+type TLSVersion = string
+
+// Cipher Suites
+type TLSCipherSuite = string
+
+// SSL配置
+type SSLConfig struct {
+	IsOn bool `yaml:"isOn" json:"isOn"` // 是否开启
+
+	Certs           []*SSLCertConfig  `yaml:"certs" json:"certs"`
+	ClientAuthType  SSLClientAuthType `yaml:"clientAuthType" json:"clientAuthType"`   // 客户端认证类型
+	ClientCACertIds []string          `yaml:"clientCACertIds" json:"clientCACertIds"` // 客户端认证CA
+
+	Listen       []string         `yaml:"listen" json:"listen"`             // 网络地址
+	MinVersion   TLSVersion       `yaml:"minVersion" json:"minVersion"`     // 支持的最小版本
+	CipherSuites []TLSCipherSuite `yaml:"cipherSuites" json:"cipherSuites"` // 加密算法套件
+
+	HSTS          *HSTSConfig `yaml:"hsts2" json:"hsts"`                  // HSTS配置，yaml之所以使用hsts2，是因为要和以前的版本分开
+	HTTP2Disabled bool        `yaml:"http2Disabled" json:"http2Disabled"` // 是否禁用HTTP2
+
+	nameMapping map[string]*tls.Certificate // dnsName => cert
+
+	minVersion   uint16
+	cipherSuites []uint16
+
+	clientCAPool *x509.CertPool
+}
+
+// 获取新对象
+func NewSSLConfig() *SSLConfig {
+	return &SSLConfig{}
+}
+
+// 校验配置
+func (this *SSLConfig) Init() error {
+	if !this.IsOn {
+		return nil
+	}
+
+	if len(this.Certs) == 0 {
+		return errors.New("no certificates in https config")
+	}
+
+	for _, cert := range this.Certs {
+		err := cert.Init()
+		if err != nil {
+			return err
+		}
+	}
+
+	if this.Listen == nil {
+		this.Listen = []string{}
+	} else {
+		for index, addr := range this.Listen {
+			_, _, err := net.SplitHostPort(addr)
+			if err != nil {
+				this.Listen[index] = strings.TrimSuffix(addr, ":") + ":443"
+			}
+		}
+	}
+
+	// min version
+	this.convertMinVersion()
+
+	// cipher suite categories
+	this.initCipherSuites()
+
+	// hsts
+	if this.HSTS != nil {
+		err := this.HSTS.Init()
+		if err != nil {
+			return err
+		}
+	}
+
+	// CA证书
+	if len(this.ClientCACertIds) > 0 && this.ClientAuthType != SSLClientAuthTypeNoClientCert {
+		this.clientCAPool = x509.NewCertPool()
+		list := SharedSSLCertList()
+		for _, certId := range this.ClientCACertIds {
+			cert := list.FindCert(certId)
+			if cert == nil {
+				continue
+			}
+			if !cert.On {
+				continue
+			}
+			data, err := ioutil.ReadFile(cert.FullCertPath())
+			if err != nil {
+				return err
+			}
+			this.clientCAPool.AppendCertsFromPEM(data)
+		}
+	}
+
+	return nil
+}
+
+// 取得最小版本
+func (this *SSLConfig) TLSMinVersion() uint16 {
+	return this.minVersion
+}
+
+// 套件
+func (this *SSLConfig) TLSCipherSuites() []uint16 {
+	return this.cipherSuites
+}
+
+// 校验是否匹配某个域名
+func (this *SSLConfig) MatchDomain(domain string) (cert *tls.Certificate, ok bool) {
+	for _, cert := range this.Certs {
+		if cert.MatchDomain(domain) {
+			return cert.CertObject(), true
+		}
+	}
+	return nil, false
+}
+
+// 取得第一个证书
+func (this *SSLConfig) FirstCert() *tls.Certificate {
+	for _, cert := range this.Certs {
+		return cert.CertObject()
+	}
+	return nil
+}
+
+// 是否包含某个证书或密钥路径
+func (this *SSLConfig) ContainsFile(file string) bool {
+	for _, cert := range this.Certs {
+		if cert.CertFile == file || cert.KeyFile == file {
+			return true
+		}
+	}
+	return false
+}
+
+// 删除证书文件
+func (this *SSLConfig) DeleteFiles() error {
+	var resultErr error = nil
+
+	for _, cert := range this.Certs {
+		err := cert.DeleteFiles()
+		if err != nil {
+			resultErr = err
+		}
+	}
+
+	return resultErr
+}
+
+// 查找单个证书配置
+func (this *SSLConfig) FindCert(certId string) *SSLCertConfig {
+	for _, cert := range this.Certs {
+		if cert.Id == certId {
+			return cert
+		}
+	}
+	return nil
+}
+
+// 添加证书
+func (this *SSLConfig) AddCert(cert *SSLCertConfig) {
+	this.Certs = append(this.Certs, cert)
+}
+
+// CA证书Pool，用于TLS对客户端进行认证
+func (this *SSLConfig) CAPool() *x509.CertPool {
+	return this.clientCAPool
+}
+
+// 分解所有监听地址
+func (this *SSLConfig) ParseListenAddresses() []string {
+	result := []string{}
+	var reg = regexp.MustCompile(`\[\s*(\d+)\s*[,:-]\s*(\d+)\s*]$`)
+	for _, addr := range this.Listen {
+		match := reg.FindStringSubmatch(addr)
+		if len(match) == 0 {
+			result = append(result, addr)
+		} else {
+			min := types.Int(match[1])
+			max := types.Int(match[2])
+			if min > max {
+				min, max = max, min
+			}
+			for i := min; i <= max; i++ {
+				newAddr := reg.ReplaceAllString(addr, ":"+strconv.Itoa(i))
+				result = append(result, newAddr)
+			}
+		}
+	}
+	return result
+}

internal/configs/serverconfigs/sslconfigs/ssl_auth.go

@@ -0,0 +1,75 @@
+package sslconfigs
+
+import (
+	"crypto/tls"
+	"github.com/iwind/TeaGo/maps"
+)
+
+// 认证类型
+type SSLClientAuthType = int
+
+const (
+	SSLClientAuthTypeNoClientCert               SSLClientAuthType = 0
+	SSLClientAuthTypeRequestClientCert          SSLClientAuthType = 1
+	SSLClientAuthTypeRequireAnyClientCert       SSLClientAuthType = 2
+	SSLClientAuthTypeVerifyClientCertIfGiven    SSLClientAuthType = 3
+	SSLClientAuthTypeRequireAndVerifyClientCert SSLClientAuthType = 4
+)
+
+// 所有的客户端认证类型
+func AllSSLClientAuthTypes() []maps.Map {
+	return []maps.Map{
+		{
+			"name":      "不需要客户端证书",
+			"type":      SSLClientAuthTypeNoClientCert,
+			"requireCA": false,
+		},
+		{
+			"name":      "请求客户端证书",
+			"type":      SSLClientAuthTypeRequestClientCert,
+			"requireCA": true,
+		},
+		{
+			"name":      "需要客户端证书，但不校验",
+			"type":      SSLClientAuthTypeRequireAnyClientCert,
+			"requireCA": true,
+		},
+		{
+			"name":      "有客户端证书的时候才校验",
+			"type":      SSLClientAuthTypeVerifyClientCertIfGiven,
+			"requireCA": true,
+		},
+		{
+			"name":      "校验客户端提供的证书",
+			"type":      SSLClientAuthTypeRequireAndVerifyClientCert,
+			"requireCA": true,
+		},
+	}
+}
+
+// 查找单个认证方式的名称
+func FindSSLClientAuthTypeName(authType SSLClientAuthType) string {
+	for _, m := range AllSSLClientAuthTypes() {
+		if m.GetInt("type") == authType {
+			return m.GetString("name")
+		}
+	}
+	return ""
+}
+
+// 认证类型和tls包内类型的映射
+func GoSSLClientAuthType(authType SSLClientAuthType) tls.ClientAuthType {
+	switch authType {
+	case SSLClientAuthTypeNoClientCert:
+		return tls.NoClientCert
+	case SSLClientAuthTypeRequestClientCert:
+		return tls.RequestClientCert
+	case SSLClientAuthTypeRequireAnyClientCert:
+		return tls.RequireAnyClientCert
+	case SSLClientAuthTypeVerifyClientCertIfGiven:
+		return tls.VerifyClientCertIfGiven
+	case SSLClientAuthTypeRequireAndVerifyClientCert:
+		return tls.RequireAndVerifyClientCert
+	}
+	return tls.NoClientCert
+}

internal/configs/serverconfigs/sslconfigs/ssl_cert.go

@@ -0,0 +1,271 @@
+package sslconfigs
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"errors"
+	"github.com/TeaOSLab/EdgeNode/internal/configs/serverconfigs/configutils"
+	"github.com/iwind/TeaGo/Tea"
+	"github.com/iwind/TeaGo/files"
+	"github.com/iwind/TeaGo/lists"
+	"github.com/iwind/TeaGo/utils/string"
+	"io/ioutil"
+	"strings"
+	"time"
+)
+
+// SSL证书
+type SSLCertConfig struct {
+	Id          string `yaml:"id" json:"id"`
+	On          bool   `yaml:"on" json:"on"`
+	Description string `yaml:"description" json:"description"` // 说明
+	CertFile    string `yaml:"certFile" json:"certFile"`
+	KeyFile     string `yaml:"keyFile" json:"keyFile"`
+	IsLocal     bool   `yaml:"isLocal" json:"isLocal"`       // 是否为本地文件
+	TaskId      string `yaml:"taskId" json:"taskId"`         // 生成证书任务ID
+	IsShared    bool   `yaml:"isShared" json:"isShared"`     // 是否为公用组件
+	ServerName  string `yaml:"serverName" json:"serverName"` // 证书使用的主机名，在请求TLS服务器时需要
+	IsCA        bool   `yaml:"isCA" json:"isCA"`             // 是否为CA证书
+
+	dnsNames   []string
+	cert       *tls.Certificate
+	timeBefore time.Time
+	timeAfter  time.Time
+	issuer     pkix.Name
+}
+
+// 获取新的SSL证书
+func NewSSLCertConfig(certFile string, keyFile string) *SSLCertConfig {
+	return &SSLCertConfig{
+		On:       true,
+		Id:       stringutil.Rand(16),
+		CertFile: certFile,
+		KeyFile:  keyFile,
+	}
+}
+
+// 校验
+func (this *SSLCertConfig) Init() error {
+	if this.IsShared {
+		shared := this.FindShared()
+		if shared == nil {
+			return errors.New("the shared cert has been deleted")
+		}
+
+		// 拷贝之前需要保留的
+		serverName := this.ServerName
+
+		// copy
+		configutils.CopyStructObject(this, shared)
+		this.ServerName = serverName
+	}
+
+	this.dnsNames = []string{}
+
+	if len(this.CertFile) == 0 {
+		return errors.New("cert file should not be empty")
+	}
+
+	// 分析证书
+	if this.IsCA { // CA证书
+		data, err := ioutil.ReadFile(this.FullCertPath())
+		if err != nil {
+			return err
+		}
+
+		index := -1
+		this.cert = &tls.Certificate{
+			Certificate: [][]byte{},
+		}
+		for {
+			index++
+
+			block, rest := pem.Decode(data)
+			if block == nil {
+				break
+			}
+			if len(rest) == 0 {
+				break
+			}
+			this.cert.Certificate = append(this.cert.Certificate, block.Bytes)
+			data = rest
+			c, err := x509.ParseCertificate(block.Bytes)
+			if err != nil {
+				return err
+			}
+			if c == nil {
+				return errors.New("no available certificates in file")
+			}
+
+			dnsNames := c.DNSNames
+			if len(dnsNames) > 0 {
+				for _, dnsName := range dnsNames {
+					if !lists.ContainsString(this.dnsNames, dnsName) {
+						this.dnsNames = append(this.dnsNames, dnsName)
+					}
+				}
+			}
+
+			if index == 0 {
+				this.timeBefore = c.NotBefore
+				this.timeAfter = c.NotAfter
+				this.issuer = c.Issuer
+			}
+		}
+	} else { // 证书+私钥
+		if len(this.KeyFile) == 0 {
+			return errors.New("key file should not be empty")
+		}
+		cert, err := tls.LoadX509KeyPair(this.FullCertPath(), this.FullKeyPath())
+		if err != nil {
+			return errors.New("load certificate '" + this.CertFile + "', '" + this.KeyFile + "' failed:" + err.Error())
+		}
+
+		for index, data := range cert.Certificate {
+			c, err := x509.ParseCertificate(data)
+			if err != nil {
+				continue
+			}
+			dnsNames := c.DNSNames
+			if len(dnsNames) > 0 {
+				for _, dnsName := range dnsNames {
+					if !lists.ContainsString(this.dnsNames, dnsName) {
+						this.dnsNames = append(this.dnsNames, dnsName)
+					}
+				}
+			}
+
+			if index == 0 {
+				this.timeBefore = c.NotBefore
+				this.timeAfter = c.NotAfter
+				this.issuer = c.Issuer
+			}
+		}
+
+		this.cert = &cert
+	}
+	return nil
+}
+
+// 查找共享的证书
+func (this *SSLCertConfig) FindShared() *SSLCertConfig {
+	if !this.IsShared {
+		return nil
+	}
+	return SharedSSLCertList().FindCert(this.Id)
+}
+
+// 证书文件路径
+func (this *SSLCertConfig) FullCertPath() string {
+	if len(this.CertFile) == 0 {
+		return ""
+	}
+	if !strings.ContainsAny(this.CertFile, "/\\") {
+		return Tea.ConfigFile(this.CertFile)
+	}
+	return this.CertFile
+}
+
+// 密钥文件路径
+func (this *SSLCertConfig) FullKeyPath() string {
+	if len(this.KeyFile) == 0 {
+		return ""
+	}
+	if !strings.ContainsAny(this.KeyFile, "/\\") {
+		return Tea.ConfigFile(this.KeyFile)
+	}
+	return this.KeyFile
+}
+
+// 校验是否匹配某个域名
+func (this *SSLCertConfig) MatchDomain(domain string) bool {
+	if len(this.dnsNames) == 0 {
+		return false
+	}
+	return configutils.MatchDomains(this.dnsNames, domain)
+}
+
+// 证书中的域名
+func (this *SSLCertConfig) DNSNames() []string {
+	return this.dnsNames
+}
+
+// 获取证书对象
+func (this *SSLCertConfig) CertObject() *tls.Certificate {
+	return this.cert
+}
+
+// 开始时间
+func (this *SSLCertConfig) TimeBefore() time.Time {
+	return this.timeBefore
+}
+
+// 结束时间
+func (this *SSLCertConfig) TimeAfter() time.Time {
+	return this.timeAfter
+}
+
+// 发行信息
+func (this *SSLCertConfig) Issuer() pkix.Name {
+	return this.issuer
+}
+
+// 删除文件
+func (this *SSLCertConfig) DeleteFiles() error {
+	if this.IsLocal {
+		return nil
+	}
+
+	var resultErr error = nil
+	if len(this.CertFile) > 0 && !strings.ContainsAny(this.CertFile, "/\\") {
+		err := files.NewFile(this.FullCertPath()).Delete()
+		if err != nil {
+			resultErr = err
+		}
+	}
+
+	if len(this.KeyFile) > 0 && !strings.ContainsAny(this.KeyFile, "/\\") {
+		err := files.NewFile(this.FullKeyPath()).Delete()
+		if err != nil {
+			resultErr = err
+		}
+	}
+	return resultErr
+}
+
+// 读取证书文件
+func (this *SSLCertConfig) ReadCert() ([]byte, error) {
+	if len(this.CertFile) == 0 {
+		return nil, errors.New("cert file should not be empty")
+	}
+
+	if this.IsLocal {
+		return ioutil.ReadFile(this.CertFile)
+	}
+
+	return ioutil.ReadFile(Tea.ConfigFile(this.CertFile))
+}
+
+// 读取密钥文件
+func (this *SSLCertConfig) ReadKey() ([]byte, error) {
+	if len(this.KeyFile) == 0 {
+		return nil, errors.New("key file should not be empty")
+	}
+
+	if this.IsLocal {
+		return ioutil.ReadFile(this.KeyFile)
+	}
+
+	return ioutil.ReadFile(Tea.ConfigFile(this.KeyFile))
+}
+
+// 匹配关键词
+func (this *SSLCertConfig) MatchKeyword(keyword string) (matched bool, name string, tags []string) {
+	if configutils.MatchKeyword(this.Description, keyword) {
+		matched = true
+		name = this.Description
+	}
+	return
+}

internal/configs/serverconfigs/sslconfigs/ssl_cert_list.go

@@ -0,0 +1,86 @@
+package sslconfigs
+
+import (
+	"github.com/TeaOSLab/EdgeNode/internal/configs/serverconfigs/shared"
+	"github.com/iwind/TeaGo/Tea"
+	"github.com/iwind/TeaGo/logs"
+	"gopkg.in/yaml.v3"
+	"io/ioutil"
+)
+
+const (
+	sslCertListFilename = "ssl.certs.conf"
+)
+
+// 获取证书列表实例
+// 一定会返回不为nil的值
+func SharedSSLCertList() *SSLCertList {
+	data, err := ioutil.ReadFile(Tea.ConfigFile(sslCertListFilename))
+	if err != nil {
+		return NewSSLCertList()
+	}
+
+	list := &SSLCertList{}
+	err = yaml.Unmarshal(data, list)
+	if err != nil {
+		logs.Error(err)
+		return NewSSLCertList()
+	}
+
+	return list
+}
+
+// 公共的SSL证书列表
+type SSLCertList struct {
+	Certs []*SSLCertConfig `yaml:"certs" json:"certs"` // 证书
+}
+
+// 获取新对象
+func NewSSLCertList() *SSLCertList {
+	return &SSLCertList{
+		Certs: []*SSLCertConfig{},
+	}
+}
+
+// 添加证书
+func (this *SSLCertList) AddCert(cert *SSLCertConfig) {
+	this.Certs = append(this.Certs, cert)
+}
+
+// 删除证书
+func (this *SSLCertList) RemoveCert(certId string) {
+	result := []*SSLCertConfig{}
+	for _, cert := range this.Certs {
+		if cert.Id == certId {
+			continue
+		}
+		result = append(result, cert)
+	}
+	this.Certs = result
+}
+
+// 查找证书
+func (this *SSLCertList) FindCert(certId string) *SSLCertConfig {
+	if len(certId) == 0 {
+		return nil
+	}
+	for _, cert := range this.Certs {
+		if cert.Id == certId {
+			return cert
+		}
+	}
+	return nil
+}
+
+// 保存
+func (this *SSLCertList) Save() error {
+	shared.Locker.Lock()
+	defer shared.Locker.Unlock()
+
+	data, err := yaml.Marshal(this)
+	if err != nil {
+		return err
+	}
+
+	return ioutil.WriteFile(Tea.ConfigFile(sslCertListFilename), data, 0777)
+}

internal/configs/serverconfigs/sslconfigs/ssl_go_1.11.go

@@ -0,0 +1,124 @@
+// +build !go1.12
+
+package sslconfigs
+
+import "crypto/tls"
+
+var AllTlsVersions = []TLSVersion{"SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2"}
+
+var AllTLSCipherSuites = []TLSCipherSuite{
+	"TLS_RSA_WITH_RC4_128_SHA",
+	"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+	"TLS_RSA_WITH_AES_128_CBC_SHA",
+	"TLS_RSA_WITH_AES_256_CBC_SHA",
+	"TLS_RSA_WITH_AES_128_CBC_SHA256",
+	"TLS_RSA_WITH_AES_128_GCM_SHA256",
+	"TLS_RSA_WITH_AES_256_GCM_SHA384",
+	"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
+	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+	"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
+	"TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+	"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
+	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+	"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
+	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+}
+
+var TLSModernCipherSuites = []string{
+	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+}
+
+var TLSIntermediateCipherSuites = []string{
+	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
+
+	"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
+	"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+}
+
+func (this *SSLConfig) convertMinVersion() {
+	switch this.MinVersion {
+	case "SSL 3.0":
+		this.minVersion = tls.VersionSSL30
+	case "TLS 1.0":
+		this.minVersion = tls.VersionTLS10
+	case "TLS 1.1":
+		this.minVersion = tls.VersionTLS11
+	case "TLS 1.2":
+		this.minVersion = tls.VersionTLS12
+	default:
+		this.minVersion = tls.VersionTLS10
+	}
+}
+
+func (this *SSLConfig) initCipherSuites() {
+	// cipher suites
+	suites := []uint16{}
+	for _, suite := range this.CipherSuites {
+		switch suite {
+		case "TLS_RSA_WITH_RC4_128_SHA":
+			suites = append(suites, tls.TLS_RSA_WITH_RC4_128_SHA)
+		case "TLS_RSA_WITH_3DES_EDE_CBC_SHA":
+			suites = append(suites, tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA)
+		case "TLS_RSA_WITH_AES_128_CBC_SHA":
+			suites = append(suites, tls.TLS_RSA_WITH_AES_128_CBC_SHA)
+		case "TLS_RSA_WITH_AES_256_CBC_SHA":
+			suites = append(suites, tls.TLS_RSA_WITH_AES_256_CBC_SHA)
+		case "TLS_RSA_WITH_AES_128_CBC_SHA256":
+			suites = append(suites, tls.TLS_RSA_WITH_AES_128_CBC_SHA256)
+		case "TLS_RSA_WITH_AES_128_GCM_SHA256":
+			suites = append(suites, tls.TLS_RSA_WITH_AES_128_GCM_SHA256)
+		case "TLS_RSA_WITH_AES_256_GCM_SHA384":
+			suites = append(suites, tls.TLS_RSA_WITH_AES_256_GCM_SHA384)
+		case "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA":
+			suites = append(suites, tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA)
+		case "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA":
+			suites = append(suites, tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA)
+		case "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA":
+			suites = append(suites, tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA)
+		case "TLS_ECDHE_RSA_WITH_RC4_128_SHA":
+			suites = append(suites, tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA)
+		case "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA":
+			suites = append(suites, tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA)
+		case "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA":
+			suites = append(suites, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
+		case "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA":
+			suites = append(suites, tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA)
+		case "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256":
+			suites = append(suites, tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256)
+		case "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256":
+			suites = append(suites, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256)
+		case "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256":
+			suites = append(suites, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
+		case "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256":
+			suites = append(suites, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
+		case "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384":
+			suites = append(suites, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
+		case "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384":
+			suites = append(suites, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
+		case "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305":
+			suites = append(suites, tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305)
+		case "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305":
+			suites = append(suites, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305)
+		}
+	}
+	this.cipherSuites = suites
+}

internal/configs/serverconfigs/sslconfigs/ssl_go_1.12.go

@@ -0,0 +1,148 @@
+// +build go1.12
+
+package sslconfigs
+
+import (
+	"crypto/tls"
+	"os"
+)
+
+var AllTlsVersions = []TLSVersion{"SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2", "TLS 1.3"}
+
+var AllTLSCipherSuites = []TLSCipherSuite{
+	"TLS_RSA_WITH_RC4_128_SHA",
+	"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+	"TLS_RSA_WITH_AES_128_CBC_SHA",
+	"TLS_RSA_WITH_AES_256_CBC_SHA",
+	"TLS_RSA_WITH_AES_128_CBC_SHA256",
+	"TLS_RSA_WITH_AES_128_GCM_SHA256",
+	"TLS_RSA_WITH_AES_256_GCM_SHA384",
+	"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
+	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+	"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
+	"TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+	"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
+	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+	"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
+	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+	"TLS_AES_128_GCM_SHA256",
+	"TLS_AES_256_GCM_SHA384",
+	"TLS_CHACHA20_POLY1305_SHA256",
+}
+
+var TLSModernCipherSuites = []string{
+	"TLS_AES_128_GCM_SHA256",
+	"TLS_CHACHA20_POLY1305_SHA256",
+	"TLS_AES_256_GCM_SHA384",
+
+	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+}
+
+var TLSIntermediateCipherSuites = []string{
+	"TLS_AES_128_GCM_SHA256",
+	"TLS_CHACHA20_POLY1305_SHA256",
+	"TLS_AES_256_GCM_SHA384",
+
+	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
+
+	"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
+	"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+}
+
+func (this *SSLConfig) convertMinVersion() {
+	switch this.MinVersion {
+	case "SSL 3.0":
+		this.minVersion = tls.VersionSSL30
+	case "TLS 1.0":
+		this.minVersion = tls.VersionTLS10
+	case "TLS 1.1":
+		this.minVersion = tls.VersionTLS11
+	case "TLS 1.2":
+		this.minVersion = tls.VersionTLS12
+	case "TLS 1.3":
+		this.minVersion = tls.VersionTLS13
+
+		os.Setenv("GODEBUG", "tls13=1") // TODO should be removed in go 1.14, in go 1.12 tls IS NOT FULL IMPLEMENTED YET
+	default:
+		this.minVersion = tls.VersionTLS10
+	}
+}
+
+func (this *SSLConfig) initCipherSuites() {
+	// cipher suites
+	suites := []uint16{}
+	for _, suite := range this.CipherSuites {
+		switch suite {
+		case "TLS_RSA_WITH_RC4_128_SHA":
+			suites = append(suites, tls.TLS_RSA_WITH_RC4_128_SHA)
+		case "TLS_RSA_WITH_3DES_EDE_CBC_SHA":
+			suites = append(suites, tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA)
+		case "TLS_RSA_WITH_AES_128_CBC_SHA":
+			suites = append(suites, tls.TLS_RSA_WITH_AES_128_CBC_SHA)
+		case "TLS_RSA_WITH_AES_256_CBC_SHA":
+			suites = append(suites, tls.TLS_RSA_WITH_AES_256_CBC_SHA)
+		case "TLS_RSA_WITH_AES_128_CBC_SHA256":
+			suites = append(suites, tls.TLS_RSA_WITH_AES_128_CBC_SHA256)
+		case "TLS_RSA_WITH_AES_128_GCM_SHA256":
+			suites = append(suites, tls.TLS_RSA_WITH_AES_128_GCM_SHA256)
+		case "TLS_RSA_WITH_AES_256_GCM_SHA384":
+			suites = append(suites, tls.TLS_RSA_WITH_AES_256_GCM_SHA384)
+		case "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA":
+			suites = append(suites, tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA)
+		case "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA":
+			suites = append(suites, tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA)
+		case "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA":
+			suites = append(suites, tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA)
+		case "TLS_ECDHE_RSA_WITH_RC4_128_SHA":
+			suites = append(suites, tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA)
+		case "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA":
+			suites = append(suites, tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA)
+		case "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA":
+			suites = append(suites, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
+		case "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA":
+			suites = append(suites, tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA)
+		case "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256":
+			suites = append(suites, tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256)
+		case "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256":
+			suites = append(suites, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256)
+		case "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256":
+			suites = append(suites, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
+		case "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256":
+			suites = append(suites, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
+		case "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384":
+			suites = append(suites, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
+		case "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384":
+			suites = append(suites, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
+		case "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305":
+			suites = append(suites, tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305)
+		case "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305":
+			suites = append(suites, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305)
+		case "TLS_AES_128_GCM_SHA256":
+			suites = append(suites, tls.TLS_AES_128_GCM_SHA256)
+		case "TLS_AES_256_GCM_SHA384":
+			suites = append(suites, tls.TLS_AES_256_GCM_SHA384)
+		case "TLS_CHACHA20_POLY1305_SHA256":
+			suites = append(suites, tls.TLS_CHACHA20_POLY1305_SHA256)
+		}
+	}
+	this.cipherSuites = suites
+}

internal/configs/serverconfigs/sslconfigs/ssl_hsts.go

@@ -0,0 +1,63 @@
+package sslconfigs
+
+import (
+	"github.com/TeaOSLab/EdgeNode/internal/configs/serverconfigs/configutils"
+	"strconv"
+	"strings"
+)
+
+// HSTS设置
+// 参考： https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+type HSTSConfig struct {
+	On                bool     `yaml:"on" json:"on"`
+	MaxAge            int      `yaml:"maxAge" json:"maxAge"` // 单位秒
+	IncludeSubDomains bool     `yaml:"includeSubDomains" json:"includeSubDomains"`
+	Preload           bool     `yaml:"preload" json:"preload"`
+	Domains           []string `yaml:"domains" json:"domains"`
+
+	hasDomains  bool
+	headerValue string
+}
+
+// 校验
+func (this *HSTSConfig) Init() error {
+	this.hasDomains = len(this.Domains) > 0
+	this.headerValue = this.asHeaderValue()
+	return nil
+}
+
+// 判断是否匹配域名
+func (this *HSTSConfig) Match(domain string) bool {
+	if !this.hasDomains {
+		return true
+	}
+	return configutils.MatchDomains(this.Domains, domain)
+}
+
+// Header Key
+func (this *HSTSConfig) HeaderKey() string {
+	return "Strict-Transport-Security"
+}
+
+// 取得当前的Header值
+func (this *HSTSConfig) HeaderValue() string {
+	return this.headerValue
+}
+
+// 转换为Header值
+func (this *HSTSConfig) asHeaderValue() string {
+	b := strings.Builder{}
+	b.WriteString("max-age=")
+	if this.MaxAge > 0 {
+		b.WriteString(strconv.Itoa(this.MaxAge))
+	} else {
+		b.WriteString("31536000") // 1 year
+	}
+	if this.IncludeSubDomains {
+		b.WriteString("; includeSubDomains")
+	}
+	if this.Preload {
+		b.WriteString("; preload")
+	}
+	return b.String()
+}

internal/configs/serverconfigs/sslconfigs/ssl_hsts_test.go

@@ -0,0 +1,39 @@
+package sslconfigs
+
+import (
+	"github.com/iwind/TeaGo/assert"
+	"testing"
+)
+
+func TestHSTSConfig(t *testing.T) {
+	h := &HSTSConfig{}
+	h.Init()
+	t.Log(h.HeaderValue())
+
+	h.IncludeSubDomains = true
+	h.Init()
+	t.Log(h.HeaderValue())
+
+	h.Preload = true
+	h.Init()
+	t.Log(h.HeaderValue())
+
+	h.IncludeSubDomains = false
+	h.Init()
+	t.Log(h.HeaderValue())
+
+	h.MaxAge = 86400
+	h.Init()
+	t.Log(h.HeaderValue())
+
+	a := assert.NewAssertion(t)
+	a.IsTrue(h.Match("abc.com"))
+
+	h.Domains = []string{"abc.com"}
+	h.Init()
+	a.IsTrue(h.Match("abc.com"))
+
+	h.Domains = []string{"1.abc.com"}
+	h.Init()
+	a.IsFalse(h.Match("abc.com"))
+}