name.www=www.cacert.local
name.api=api.cacert.local
-port=443
+https.port=443
+http.port=80
#emailProvider=org.cacert.gigi.email.Sendmail
emailProvider=org.cacert.gigi.email.CommandlineEmailProvider
sql.driver=com.mysql.jdbc.Driver
type=local
-serverPort=443
+serverPort.https=443
+serverPort.http=80
mail=localhost:8474
# ==== OR ===
type=autonomous
java=java -cp bin;/path/to/mysqlConnector.jar org.cacert.gigi.Launcher
-serverPort=4443
+serverPort.https=4443
+serverPort.http=8098
mailPort=8473
}
+ private static String staticTemplateVarHttp;
+
+ private static String staticTemplateVarHttps;
+
+ private static String getStaticTemplateVar(boolean https) {
+ if (https) {
+ if (staticTemplateVarHttps == null) {
+ staticTemplateVarHttps = "https://" + ServerConstants.getStaticHostNamePortSecure();
+ }
+ return staticTemplateVarHttps;
+ } else {
+ if (staticTemplateVarHttp == null) {
+ staticTemplateVarHttp = "http://" + ServerConstants.getStaticHostNamePort();
+ }
+ return staticTemplateVarHttp;
+ }
+ }
+
@Override
protected void service(final HttpServletRequest req, final HttpServletResponse resp) throws ServletException, IOException {
- addXSSHeaders(resp);
+ boolean isSecure = req.getServerPort() == ServerConstants.getSecurePort();
+ addXSSHeaders(resp, isSecure);
// if (req.getHeader("Origin") != null) {
// resp.getWriter().println("No cross domain access allowed.");
// return;
// }
HttpSession hs = req.getSession();
-
final Page p = getPage(req.getPathInfo());
- if (p != null) {
+ if (p != null) {
+ if (!isSecure && (p.needsLogin() || p instanceof LoginPage || p instanceof RegisterPage)) {
+ resp.sendRedirect("https://" + ServerConstants.getWwwHostNamePortSecure() + req.getPathInfo());
+ return;
+ }
User currentPageUser = LoginPage.getUser(req);
if ( !p.isPermitted(currentPageUser) && hs.getAttribute("loggedin") == null) {
String request = req.getPathInfo();
vars.put(Menu.USER_VALUE, currentPageUser);
vars.put("menu", rootMenu);
vars.put("title", Page.getLanguage(req).getTranslation(p.getTitle()));
- vars.put("static", ServerConstants.getStaticHostNamePort());
+ vars.put("static", getStaticTemplateVar(isSecure));
vars.put("year", Calendar.getInstance().get(Calendar.YEAR));
vars.put("content", content);
baseTemplate.output(resp.getWriter(), Page.getLanguage(req), vars);
}
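Review bot: `isSecure` at L43 is derived from `req.getServerPort()`, which per the Servlet API is the port from the client-supplied Host header when one is present, so a request to the plaintext connector carrying `Host: www.cacert.local:443` is classified as secure, skips the redirect at L54–57 and is served the HTTPS CSP and `$static` URLs; the TLS connector already gets a `SecureRequestCustomizer`, so `boolean isSecure = req.isSecure();` is the reliable test. The redirect at L55 rebuilds the target from `getPathInfo()` alone and drops any query string, e.g. the `type`/`id` parameters on `/verify` links, so it should append `req.getQueryString()` when non-null. Note also that `req.getSession()` at L49 runs before the redirect, so a session is minted and its cookie set on the plaintext response; unless that cookie is marked Secure and the id is rotated at login (not visible here), a session id observed on HTTP can be reused after the user authenticates. The enclosing `service` method continues outside the hunk.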
- public static void addXSSHeaders(HttpServletResponse hsr) {
- hsr.addHeader("Access-Control-Allow-Origin", "https://" + ServerConstants.getWwwHostNamePort() + " https://" + ServerConstants.getSecureHostNamePort());
+ public static void addXSSHeaders(HttpServletResponse hsr, boolean doHttps) {
+ hsr.addHeader("Access-Control-Allow-Origin", "https://" + ServerConstants.getWwwHostNamePortSecure() + " https://" + ServerConstants.getSecureHostNamePort());
hsr.addHeader("Access-Control-Max-Age", "60");
-
- hsr.addHeader("Content-Security-Policy", getDefaultCSP());
+ if (doHttps) {
+ hsr.addHeader("Content-Security-Policy", getHttpsCSP());
+ } else {
+ hsr.addHeader("Content-Security-Policy", getHttpCSP());
+ }
hsr.addHeader("Strict-Transport-Security", "max-age=31536000");
}
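Review bot: The `Access-Control-Allow-Origin` value built at L73 is two origins separated by a space, but that header admits exactly one origin (or `*`), so browsers will never match it and any cross-origin request between the www and secure hosts is rejected; if such calls are intended, the method needs the request so it can echo the `Origin` header only when it equals one of the two allowed values and add `Vary: Origin`, otherwise the header should be dropped rather than kept in an unparseable form. `Strict-Transport-Security` at L82 is also emitted on plaintext responses, which RFC 6797 requires browsers to ignore; wrapping it in the same `if (doHttps)` that now selects the CSP keeps the header meaningful. Be aware that once a browser has seen the one-year HSTS policy on the www host it will no longer speak plain HTTP to it, so the new HTTP connector is reachable mainly by first-time and non-browser clients.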
- private static String defaultCSP = null;
+ private static String httpsCSP = null;
+
+ private static String httpCSP = null;
+
+ private static String getHttpsCSP() {
+ if (httpsCSP == null) {
+ StringBuffer csp = new StringBuffer();
+ csp.append("default-src 'none'");
+ csp.append(";font-src https://" + ServerConstants.getStaticHostNamePortSecure());
+ csp.append(";img-src https://" + ServerConstants.getStaticHostNamePortSecure());
+ csp.append(";media-src 'none'; object-src 'none'");
+ csp.append(";script-src https://" + ServerConstants.getStaticHostNamePortSecure());
+ csp.append(";style-src https://" + ServerConstants.getStaticHostNamePortSecure());
+ csp.append(";form-action https://" + ServerConstants.getSecureHostNamePort() + " https://" + ServerConstants.getWwwHostNamePortSecure());
+ csp.append(";report-url https://api.cacert.org/security/csp/report");
+ httpsCSP = csp.toString();
+ }
+ return httpsCSP;
+ }
- private static String getDefaultCSP() {
- if (defaultCSP == null) {
+ private static String getHttpCSP() {
+ if (httpCSP == null) {
StringBuffer csp = new StringBuffer();
- csp.append("default-src 'none';");
- csp.append("font-src https://" + ServerConstants.getStaticHostNamePort());
- csp.append(";img-src https://" + ServerConstants.getStaticHostNamePort());
- csp.append(";media-src 'none'; object-src 'none';");
- csp.append("script-src https://" + ServerConstants.getStaticHostNamePort());
- csp.append(";style-src https://" + ServerConstants.getStaticHostNamePort());
+ csp.append("default-src 'none'");
+ csp.append(";font-src http://" + ServerConstants.getStaticHostNamePort());
+ csp.append(";img-src http://" + ServerConstants.getStaticHostNamePort());
+ csp.append(";media-src 'none'; object-src 'none'");
+ csp.append(";script-src http://" + ServerConstants.getStaticHostNamePort());
+ csp.append(";style-src http://" + ServerConstants.getStaticHostNamePort());
csp.append(";form-action https://" + ServerConstants.getSecureHostNamePort() + " https://" + ServerConstants.getWwwHostNamePort());
- csp.append("report-url https://api.cacert.org/security/csp/report");
- defaultCSP = csp.toString();
+ csp.append(";report-url http://api.cacert.org/security/csp/report");
+ httpCSP = csp.toString();
}
- return defaultCSP;
+ return httpCSP;
}
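Review bot: The plaintext policy's `form-action` at L121 still calls `ServerConstants.getWwwHostNamePort()`, which after this change appends the HTTP port to an `https://` origin (`https://www.cacert.local:8098` with the test config), while the login/register redirect at L55 and the menu links send forms to `getWwwHostNamePortSecure()`; on non-default ports forms on HTTP pages are therefore blocked, so the line should read `csp.append(";form-action https://" + ServerConstants.getSecureHostNamePort() + " https://" + ServerConstants.getWwwHostNamePortSecure());` as the HTTPS variant at L98 does. `report-url` at L99 and L124 is not a CSP directive (the directive is `report-uri`), so neither policy ever delivers violation reports. Both lines also hard-code `api.cacert.org`, so local and test instances would report to production even though `ServerConstants.getApiHostNamePort()` exists, and the HTTP variant posts reports — which carry the document URI, referrer and blocked URI — over plaintext; using `https://` for the report endpoint in both policies avoids that.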
public static String getPathByPage(Page p) {
<html>
<head>
<title><?=$title?></title>
-<link rel="stylesheet" href="https://<?=$static?>/default.css" type="text/css">
-<script src="https://<?=$static?>/menu.js"></script>
+<link rel="stylesheet" href="<?=$static?>/default.css" type="text/css">
+<script src="<?=$static?>/menu.js"></script>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<div id="pageName">
<br>
<div id="pageLogo">
- <a href="/"><img src="https://<?=$static?>/images/cacert4.png"
+ <a href="/"><img src="<?=$static?>/images/cacert4.png"
alt="CAcert.org logo"></a>
</div>
<div id="googlead">
<div class="sponsorinfo">
<?=_CAcert operations are sponsored by?>
<a href="http://www.bit.nl/" target="_blank">
- <img class="sponsorlogo" src="https://<?=$static?>/images/bit.png" alt="[BIT logo]">
+ <img class="sponsorlogo" src="<?=$static?>/images/bit.png" alt="[BIT logo]">
</a>
<a href="http://www.tunix.nl/" target="_blank">
- <img class="sponsorlogo" src="https://<?=$static?>/images/tunix.png" alt="[TUNIX logo]">
+ <img class="sponsorlogo" src="<?=$static?>/images/tunix.png" alt="[TUNIX logo]">
</a>
<a href="http://www.nlnet.nl/" target="_blank">
- <img class="sponsorlogo" src="https://<?=$static?>/images/nlnet.png" alt="[NLnet logo]">
+ <img class="sponsorlogo" src="<?=$static?>/images/nlnet.png" alt="[NLnet logo]">
</a>
<a href="http://www.openarchitecturenetwork.org/" target="_blank">
- <img class="sponsorlogo" src="https://<?=$static?>/images/oan.png" alt="[OAN logo]">
+ <img class="sponsorlogo" src="<?=$static?>/images/oan.png" alt="[OAN logo]">
</a>
</div>
initEmails(conf);
Server s = new Server();
- // === SSL HTTP Configuration ===
- HttpConfiguration https_config = new HttpConfiguration();
- https_config.setSendServerVersion(false);
- https_config.setSendXPoweredBy(false);
+ HttpConfiguration httpsConfig = createHttpConfiguration();
// for client-cert auth
- https_config.addCustomizer(new SecureRequestCustomizer());
+ httpsConfig.addCustomizer(new SecureRequestCustomizer());
+
+ HttpConfiguration httpConfig = createHttpConfiguration();
- ServerConnector connector = new ServerConnector(s, createConnectionFactory(conf), new HttpConnectionFactory(https_config));
- connector.setHost(conf.getMainProps().getProperty("host"));
- connector.setPort(Integer.parseInt(conf.getMainProps().getProperty("port")));
- connector.setAcceptQueueSize(100);
s.setConnectors(new Connector[] {
- connector
+ createConnector(conf, s, httpsConfig, true), createConnector(conf, s, httpConfig, false)
});
HandlerList hl = new HandlerList();
});
s.setHandler(hl);
s.start();
- if (connector.getPort() <= 1024 && !System.getProperty("os.name").toLowerCase().contains("win")) {
+ if ((ServerConstants.getSecurePort() <= 1024 || ServerConstants.getPort() <= 1024) && !System.getProperty("os.name").toLowerCase().contains("win")) {
SetUID uid = new SetUID();
if ( !uid.setUid(65536 - 2, 65536 - 2).getSuccess()) {
Log.getLogger(Launcher.class).warn("Couldn't set uid!");
}
}
+ private static ServerConnector createConnector(GigiConfig conf, Server s, HttpConfiguration httpConfig, boolean doHttps) throws GeneralSecurityException, IOException {
+ ServerConnector connector;
+ if (doHttps) {
+ connector = new ServerConnector(s, createConnectionFactory(conf), new HttpConnectionFactory(httpConfig));
+ } else {
+ connector = new ServerConnector(s);
+ }
+ connector.setHost(conf.getMainProps().getProperty("host"));
+ if(doHttps) {
+ connector.setPort(ServerConstants.getSecurePort());
+ } else {
+ connector.setPort(ServerConstants.getPort());
+ }
+ connector.setAcceptQueueSize(100);
+ return connector;
+ }
+
+ private static HttpConfiguration createHttpConfiguration() {
+ // SSL HTTP Configuration
+ HttpConfiguration httpsConfig = new HttpConfiguration();
+ httpsConfig.setSendServerVersion(false);
+ httpsConfig.setSendXPoweredBy(false);
+ return httpsConfig;
+ }
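Review bot: `createConnector` at L204 builds the plaintext connector as `new ServerConnector(s)`, which uses Jetty's default `HttpConfiguration`, so the `httpConfig` argument — and with it `setSendServerVersion(false)` / `setSendXPoweredBy(false)` from `createHttpConfiguration()` — is ignored on the HTTP side and the `Server` header will reveal the Jetty version on that port; use `connector = new ServerConnector(s, new HttpConnectionFactory(httpConfig));` in the else branch. `createHttpConfiguration()` is now shared by both connectors, so its local `httpsConfig` and the `// SSL HTTP Configuration` comment are misleading; renaming the local to `config` and commenting `// shared HTTP configuration: suppress Server/X-Powered-By headers on both connectors` reflects what it does. Since only the TLS connector receives the `SecureRequestCustomizer`, `request.isSecure()` is the reliable way for the servlet layer to tell the two connectors apart.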
+
private static void initEmails(GigiConfig conf) throws GeneralSecurityException, IOException, KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException {
KeyStore privateStore = conf.getPrivateStore();
Certificate mail = privateStore.getCertificate("mail");
StringBuffer body = new StringBuffer();
body.append(l.getTranslation("Thanks for signing up with CAcert.org, below is the link you need to open to verify your account. Once your account is verified you will be able to start issuing certificates till your hearts' content!"));
body.append("\n\nhttps://");
- body.append(ServerConstants.getWwwHostNamePort());
+ body.append(ServerConstants.getWwwHostNamePortSecure());
body.append("/verify?type=");
body.append(type);
body.append("&id=");
public static void output(HttpServletRequest req, HttpServletResponse resp) {
HashMap<String, Object> vars = new HashMap<String, Object>();
vars.put("minsize", "2048");
- vars.put("normalhost", "https://" + ServerConstants.getWwwHostNamePort());
+ vars.put("normalhost", "https://" + ServerConstants.getWwwHostNamePortSecure());
vars.put("securehost", "https://" + ServerConstants.getSecureHostNamePort());
- vars.put("statichost", "https://" + ServerConstants.getStaticHostNamePort());
+ vars.put("statichost", "https://" + ServerConstants.getStaticHostNamePortSecure());
try {
normal.output(resp.getWriter(), Page.getLanguage(req), vars);
} catch (IOException e) {
private Page p;
public PageMenuItem(Page p) {
- super("https://" + ServerConstants.getWwwHostNamePort() + Gigi.getPathByPage(p), p.getTitle());
+ super("https://" + ServerConstants.getWwwHostNamePortSecure() + Gigi.getPathByPage(p), p.getTitle());
this.p = p;
}
}
Domain domain = doms[point];
vars.put("id", domain.getId());
- vars.put("domainhref", "https://" + ServerConstants.getWwwHostNamePort() + DomainOverview.PATH + domain.getId());
+ vars.put("domainhref", "https://" + ServerConstants.getWwwHostNamePortSecure() + DomainOverview.PATH + domain.getId());
vars.put("domain", domain.getSuffix());
vars.put("status", l.getTranslation(domain.isVerified() ? "verified" : "not verified"));
point++;
private static String apiHostName = "api.cacert.local";
- private static String port;
+ private static String securePort, port;
public static void init(Properties conf) {
- port = "";
- if ( !conf.getProperty("port").equals("443")) {
- port = ":" + conf.getProperty("port");
+ securePort = port = "";
+ if ( !conf.getProperty("https.port").equals("443")) {
+ securePort = ":" + conf.getProperty("https.port");
+ }
+ if ( !conf.getProperty("http.port").equals("80")) {
+ port = ":" + conf.getProperty("http.port");
}
wwwHostName = conf.getProperty("name.www");
secureHostName = conf.getProperty("name.secure");
staticHostName = conf.getProperty("name.static");
apiHostName = conf.getProperty("name.api");
+
}
public static String getSecureHostName() {
}
public static String getSecureHostNamePort() {
- return secureHostName + port;
+ return secureHostName + securePort;
+ }
+
+ public static String getStaticHostNamePortSecure() {
+ return staticHostName + securePort;
+ }
+
+ public static String getWwwHostNamePortSecure() {
+ return wwwHostName + securePort;
}
public static String getStaticHostNamePort() {
}
public static String getApiHostNamePort() {
- return apiHostName + port;
+ return apiHostName + securePort;
+ }
+
+ public static int getSecurePort() {
+ if (securePort.isEmpty()) {
+ return 443;
+ }
+ return Integer.parseInt(securePort.substring(1, securePort.length()));
+ }
+
+ public static int getPort() {
+ if (port.isEmpty()) {
+ return 80;
+ }
+ return Integer.parseInt(port.substring(1, port.length()));
}
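Review bot: `init` dereferences `conf.getProperty("https.port")` at L268 and `conf.getProperty("http.port")` at L271 without a null check, so a deployment whose config still carries the old single `port` key dies with a bare `NullPointerException` at startup instead of naming the missing key; reading each value into a local and failing with `throw new IllegalArgumentException("https.port not set")` (likewise for `http.port`) makes the migration error obvious. The `:port` suffixes are also re-parsed on every call of `getSecurePort()`, which the servlet now invokes per request; parsing both ports once in `init` into `int` fields and deriving the suffix strings from them would validate the values before the server binds. `securePort.substring(1, securePort.length())` at L305 and its twin at L312 are simply `substring(1)`.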
}
Properties mainProps = generateMainProps();
ServerConstants.init(mainProps);
if (type.equals("local")) {
- url = testProps.getProperty("name.www") + ":" + testProps.getProperty("serverPort");
+ url = testProps.getProperty("name.www") + ":" + testProps.getProperty("serverPort.https");
String[] parts = testProps.getProperty("mail").split(":", 2);
ter = new TestEmailReciever(new InetSocketAddress(parts[0], Integer.parseInt(parts[1])));
return;
}
- url = testProps.getProperty("name.www") + ":" + testProps.getProperty("serverPort");
+ url = testProps.getProperty("name.www") + ":" + testProps.getProperty("serverPort.https");
gigi = Runtime.getRuntime().exec(testProps.getProperty("java"));
DataOutputStream toGigi = new DataOutputStream(gigi.getOutputStream());
System.out.println("... starting server");
mainProps.setProperty("name.www", testProps.getProperty("name.www"));
mainProps.setProperty("name.static", testProps.getProperty("name.static"));
- mainProps.setProperty("port", testProps.getProperty("serverPort"));
+ mainProps.setProperty("https.port", testProps.getProperty("serverPort.https"));
+ mainProps.setProperty("http.port", testProps.getProperty("serverPort.http"));
mainProps.setProperty("emailProvider", "org.cacert.gigi.email.TestEmailProvider");
mainProps.setProperty("emailProvider.port", "8473");
mainProps.setProperty("sql.driver", testProps.getProperty("sql.driver"));