fix: Let's Encrypt integration with /* redirects

Let's Encrypt integration relies on acme challenges being redirected to main GitLab server and served there. We also allow serving ACME challenges from project content just in case users implemented Let's Encrypt integration manually. But when user adds `/* -> redirect_url` to .redirects, it treated as project content and will handles as redirect. Changelog: fixed This commit just stop handling redirects for any LE challenges.

fix: Let's Encrypt integration with /* redirects
Let's Encrypt integration relies on acme challenges being redirected to main GitLab server and served there. We also allow serving ACME challenges from project content just in case users implemented Let's Encrypt integration manually. But when user adds `/* -> redirect_url` to .redirects, it treated as project content and will handles as redirect. Changelog: fixed This commit just stop handling redirects for any LE challenges.
f7b43c58 · Vladimir Shushlin · 65a13cb5 · f7b43c58 · f7b43c58 · f7b43c58
Commit f7b43c58 authored 3 years ago by Vladimir Shushlin
--- a/internal/acme/acme.go
+++ b/internal/acme/acme.go
@@ -26,7 +26,7 @@ func (m *Middleware) ServeAcmeChallenges(w http.ResponseWriter, r *http.Request,
 		return false
 	}

-	if !isAcmeChallenge(r.URL.Path) {
+	if !IsAcmeChallenge(r.URL.Path) {
 		return false
 	}

@@ -37,7 +37,7 @@ func (m *Middleware) ServeAcmeChallenges(w http.ResponseWriter, r *http.Request,
 	return m.redirectToGitlab(w, r)
 }

-func isAcmeChallenge(path string) bool {
+func IsAcmeChallenge(path string) bool {
 	return strings.HasPrefix(filepath.Clean(path), "/.well-known/acme-challenge/")
 }


--- a/internal/redirects/redirects.go
+++ b/internal/redirects/redirects.go
@@ -14,6 +14,7 @@ import (

 	"gitlab.com/gitlab-org/labkit/log"

+	"gitlab.com/gitlab-org/gitlab-pages/internal/acme"
 	"gitlab.com/gitlab-org/gitlab-pages/internal/vfs"
 )

@@ -100,6 +101,10 @@ func (r *Redirects) Status() string {
 // Rewrite takes in a URL and uses the parsed Netlify rules to rewrite
 // the URL to the new location if it matches any rule
 func (r *Redirects) Rewrite(originalURL *url.URL) (*url.URL, int, error) {
+	if acme.IsAcmeChallenge(originalURL.Path) {
+		return nil, 0, ErrNoRedirect
+	}
+
 	rule, newPath := r.match(originalURL.Path)
 	if rule == nil {
 		return nil, 0, ErrNoRedirect

--- a/internal/redirects/redirects_test.go
+++ b/internal/redirects/redirects_test.go
@@ -123,6 +123,14 @@ func TestRedirectsRewrite(t *testing.T) {
 			expectedStatus: http.StatusOK,
 			expectedErr:    "",
 		},
+		{
+			name:           "does_not_redirect_acme_challenges",
+			url:            "/.well-known/acme-challenge/token",
+			rule:           "/* /to/path 200",
+			expectedURL:    "",
+			expectedStatus: 0,
+			expectedErr:    ErrNoRedirect.Error(),
+		},
 	}

 	for _, tt := range tests {