I made a cache client <https://github.com/jwendel/smcache> for autocert that has been working fine, but I noticed something odd in my logs. Specifically, I am seeing calls against Autocert's Cache.Get(...) method (CS link <https://cs.opensource.google/go/x/crypto/+/master:acme/autocert/cache.go;l=26;drc=60c769a6c58655dab1b9adac0d58967dd517cfba>) for IP addresses. By that I mean, the `key` value passed into Get(...) is my host's IP address. My understanding is that this shouldn't happen with the HostPolicy using HostWhitelist, but it seems to be anyways.

The one thing I do notice is that right after the Cache.Get(...) calls, I see an HTTP error in my logs (xxx.xxx.xx.xxx is my host's IP address):

    http: TLS handshake error from 192.241.213.196:53056: acme/autocert: host "xxx.xxx.xxx.xxx" not configured in HostWhitelist

The scanner seems to be some security research (stretchoid).

*My question*: Is it expected that Cache.Get(...) gets called before the HostPolicy is invoked? That seems wrong to me.

Here's my AutoCert code (swapping out my specific config values for example.com):

    m := &autocert.Manager{
        Cache:      smcache.NewSMCache(smcache.Config{ProjectID: "project-id", SecretPrefix: "prefixhere-", DebugLogging: true}),
        Prompt:     autocert.AcceptTOS,
        Email:      "em...@example.com",
        HostPolicy: autocert.HostWhitelist("is.example.com", "test.example.com"),
    }

    // HTTPS server; certificates come from the autocert manager.
    s := &http.Server{
        Addr:              ":https",
        TLSConfig:         m.TLSConfig(),
        Handler:           e, // e is the application's http.Handler, defined elsewhere
        ReadTimeout:       10 * time.Second,
        WriteTimeout:      10 * time.Second,
        IdleTimeout:       70 * time.Second,
        ReadHeaderTimeout: 5 * time.Second,
    }

    // Plain-HTTP listener that serves the manager's HTTP handler.
    go func() {
        panic(http.ListenAndServe(getHTTPPort(), m.HTTPHandler(nil)))
    }()
    panic(s.ListenAndServeTLS("", ""))

Thanks,
-James
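
A defensive wrapper for the situation described in the post, added here as an example; it is not code from the original post, from smcache, or from autocert. It assumes, as the logs above indicate, that Get can be called with an IP address as the key, and it answers such keys with a cache miss so that a scanner's handshake never causes a lookup in the backing store. `ipFilterCache` and `memCache` are hypothetical names, `cache` and `errCacheMiss` are local stand-ins for `autocert.Cache` and `autocert.ErrCacheMiss`, and the `host+suffix` key form is an assumption.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"strings"
)

// errCacheMiss and cache stand in for autocert.ErrCacheMiss and autocert.Cache.
var errCacheMiss = errors.New("cache miss")

type cache interface {
	Get(ctx context.Context, key string) ([]byte, error)
	Put(ctx context.Context, key string, data []byte) error
	Delete(ctx context.Context, key string) error
}

// ipFilterCache (hypothetical name) wraps a cache; Put and Delete pass through.
type ipFilterCache struct{ cache }

// Get reports a miss for IP-literal keys (assumed form: host or host+suffix).
func (c ipFilterCache) Get(ctx context.Context, key string) ([]byte, error) {
	if host, _, _ := strings.Cut(key, "+"); net.ParseIP(host) != nil {
		return nil, errCacheMiss // never reaches the backend
	}
	return c.cache.Get(ctx, key)
}

// memCache is a constructed in-memory backend that counts its lookups.
type memCache struct{ data map[string][]byte; gets int }
func (m *memCache) Get(_ context.Context, key string) ([]byte, error) {
	m.gets++
	if b, ok := m.data[key]; ok {
		return b, nil
	}
	return nil, errCacheMiss
}
func (m *memCache) Put(_ context.Context, k string, d []byte) error { m.data[k] = d; return nil }
func (m *memCache) Delete(_ context.Context, k string) error        { delete(m.data, k); return nil }

func main() {
	b := &memCache{data: map[string][]byte{"is.example.com": []byte("cert")}}
	for _, k := range []string{"203.0.113.7", "203.0.113.7+rsa", "is.example.com"} {
		_, err := ipFilterCache{b}.Get(context.Background(), k)
		fmt.Println(k, err, b.gets)
	}
}
```

In a real program the wrapper would embed `autocert.Cache`, return `autocert.ErrCacheMiss`, and be passed as the `Cache` field of the `autocert.Manager`.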