mirror of
https://github.com/go-gitea/gitea
synced 2024-12-27 02:54:27 +00:00
c88547ce71
Continues on from #19202. Following the addition of pprof labels we can now more easily understand the relationship between a goroutine and the requests that spawn them. This PR takes advantage of the labels and adds a few others, then provides a mechanism for the monitoring page to query the pprof goroutine profile. The binary profile that results from this profile is immediately piped in to the google library for parsing this and then stack traces are formed for the goroutines. If the goroutine is within a context or has been created from a goroutine within a process context it will acquire the process description labels for that process. The goroutines are mapped with there associate pids and any that do not have an associated pid are placed in a group at the bottom as unbound. In this way we should be able to more easily examine goroutines that have been stuck. A manager command `gitea manager processes` is also provided that can export the processes (with or without stacktraces) to the command line. Signed-off-by: Andrew Thornton <art27@cantab.net>
137 lines
4.3 KiB
Go
137 lines
4.3 KiB
Go
// Copyright 2020 The Gitea Authors. All rights reserved.
|
|
// Use of this source code is governed by a MIT-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package cmd
|
|
|
|
import (
|
|
"crypto/x509"
|
|
"encoding/pem"
|
|
"fmt"
|
|
"net/http"
|
|
"os"
|
|
"strconv"
|
|
"strings"
|
|
|
|
"code.gitea.io/gitea/modules/graceful"
|
|
"code.gitea.io/gitea/modules/log"
|
|
"code.gitea.io/gitea/modules/process"
|
|
"code.gitea.io/gitea/modules/setting"
|
|
|
|
"github.com/caddyserver/certmagic"
|
|
)
|
|
|
|
func getCARoot(path string) (*x509.CertPool, error) {
|
|
r, err := os.ReadFile(path)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
block, _ := pem.Decode(r)
|
|
if block == nil {
|
|
return nil, fmt.Errorf("no PEM found in the file %s", path)
|
|
}
|
|
caRoot, err := x509.ParseCertificate(block.Bytes)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
certPool := x509.NewCertPool()
|
|
certPool.AddCert(caRoot)
|
|
return certPool, nil
|
|
}
|
|
|
|
func runACME(listenAddr string, m http.Handler) error {
|
|
// If HTTP Challenge enabled, needs to be serving on port 80. For TLSALPN needs 443.
|
|
// Due to docker port mapping this can't be checked programmatically
|
|
// TODO: these are placeholders until we add options for each in settings with appropriate warning
|
|
enableHTTPChallenge := true
|
|
enableTLSALPNChallenge := true
|
|
altHTTPPort := 0
|
|
altTLSALPNPort := 0
|
|
|
|
if p, err := strconv.Atoi(setting.PortToRedirect); err == nil {
|
|
altHTTPPort = p
|
|
}
|
|
if p, err := strconv.Atoi(setting.HTTPPort); err == nil {
|
|
altTLSALPNPort = p
|
|
}
|
|
|
|
magic := certmagic.NewDefault()
|
|
magic.Storage = &certmagic.FileStorage{Path: setting.AcmeLiveDirectory}
|
|
// Try to use private CA root if provided, otherwise defaults to system's trust
|
|
var certPool *x509.CertPool
|
|
if setting.AcmeCARoot != "" {
|
|
var err error
|
|
certPool, err = getCARoot(setting.AcmeCARoot)
|
|
if err != nil {
|
|
log.Warn("Failed to parse CA Root certificate, using default CA trust: %v", err)
|
|
}
|
|
}
|
|
myACME := certmagic.NewACMEManager(magic, certmagic.ACMEManager{
|
|
CA: setting.AcmeURL,
|
|
TrustedRoots: certPool,
|
|
Email: setting.AcmeEmail,
|
|
Agreed: setting.AcmeTOS,
|
|
DisableHTTPChallenge: !enableHTTPChallenge,
|
|
DisableTLSALPNChallenge: !enableTLSALPNChallenge,
|
|
ListenHost: setting.HTTPAddr,
|
|
AltTLSALPNPort: altTLSALPNPort,
|
|
AltHTTPPort: altHTTPPort,
|
|
})
|
|
|
|
magic.Issuers = []certmagic.Issuer{myACME}
|
|
|
|
// this obtains certificates or renews them if necessary
|
|
err := magic.ManageSync(graceful.GetManager().HammerContext(), []string{setting.Domain})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
tlsConfig := magic.TLSConfig()
|
|
tlsConfig.NextProtos = append(tlsConfig.NextProtos, "h2")
|
|
|
|
if version := toTLSVersion(setting.SSLMinimumVersion); version != 0 {
|
|
tlsConfig.MinVersion = version
|
|
}
|
|
if version := toTLSVersion(setting.SSLMaximumVersion); version != 0 {
|
|
tlsConfig.MaxVersion = version
|
|
}
|
|
|
|
// Set curve preferences
|
|
if curves := toCurvePreferences(setting.SSLCurvePreferences); len(curves) > 0 {
|
|
tlsConfig.CurvePreferences = curves
|
|
}
|
|
|
|
// Set cipher suites
|
|
if ciphers := toTLSCiphers(setting.SSLCipherSuites); len(ciphers) > 0 {
|
|
tlsConfig.CipherSuites = ciphers
|
|
}
|
|
|
|
if enableHTTPChallenge {
|
|
go func() {
|
|
_, _, finished := process.GetManager().AddTypedContext(graceful.GetManager().HammerContext(), "Web: ACME HTTP challenge server", process.SystemProcessType, true)
|
|
defer finished()
|
|
|
|
log.Info("Running Let's Encrypt handler on %s", setting.HTTPAddr+":"+setting.PortToRedirect)
|
|
// all traffic coming into HTTP will be redirect to HTTPS automatically (LE HTTP-01 validation happens here)
|
|
err := runHTTP("tcp", setting.HTTPAddr+":"+setting.PortToRedirect, "Let's Encrypt HTTP Challenge", myACME.HTTPChallengeHandler(http.HandlerFunc(runLetsEncryptFallbackHandler)))
|
|
if err != nil {
|
|
log.Fatal("Failed to start the Let's Encrypt handler on port %s: %v", setting.PortToRedirect, err)
|
|
}
|
|
}()
|
|
}
|
|
|
|
return runHTTPSWithTLSConfig("tcp", listenAddr, "Web", tlsConfig, m)
|
|
}
|
|
|
|
func runLetsEncryptFallbackHandler(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != "GET" && r.Method != "HEAD" {
|
|
http.Error(w, "Use HTTPS", http.StatusBadRequest)
|
|
return
|
|
}
|
|
// Remove the trailing slash at the end of setting.AppURL, the request
|
|
// URI always contains a leading slash, which would result in a double
|
|
// slash
|
|
target := strings.TrimSuffix(setting.AppURL, "/") + r.URL.RequestURI()
|
|
http.Redirect(w, r, target, http.StatusTemporaryRedirect)
|
|
}
|