This is a port of commit cea86c937dc278ba6b2100c238b1d5206bbae2f0 from
meek. Its purpose is to remove the need to copy-paste parts of
net/http.Server.ListenAndServeTLS. Here is a copy of the commit message
from meek:
The net/http package provides ListenAndServe and ListenAndServeTLS
functions, but it doesn't provide a way to set up a listener without
also entering an infinite serve loop. This matters for
ListenAndServeTLS, which sets up a lot of magic behind the scenes for
TLS and HTTP/2 support. Formerly, we had copy-pasted code from
ListenAndServeTLS, but that code has only gotten more complicated in
upstream net/http.
The price we pay for this is that it's no longer possible for a server
bindaddr to ask to listen on port 0 (i.e., a random ephemeral port).
That's because we never get a change to find out what the listening
address is, before entering the serve loop.
What we gain is HTTP/2 support; formerly our copy-pasted code had the
side effect of disabling HTTP/2, because it was copied from an older
version and did things like
config.NextProtos = []string{"http/1.1"}
The new code calls http2.ConfigureServer first, but that's not what's
providing HTTP/2 support. HTTP/2 support happens by default. The reason
we call http2.ConfigureServer is because we need to set
TLSConfig.GetCertificate, and http2.ConfigureServer is a convenient way
to initialize TLSConfig in a way that is guaranteed to work with HTTP/2.
As with commit fcc274ac68 for the broker,
we need to start using the HTTP-01 challenge type in the Snowflake
websocket server transport plugin.
https://bugs.torproject.org/25346
Current versions of tor accept USERADDR with or without a port number,
but future versions may become more strict and require the port number.
https://bugs.torproject.org/23080
This way, we don't lose state of certificates every time the process is
restarted. There's a possibility, otherwise, that if you have to restart
the server rapidly, you might run into Let's Encrypt rate limits and be
unable to create a cert for a while.
https://godoc.org/rsc.io/letsencrypt#hdr-Persistent_Storage
This removes the --tls-cert and --tls-keys options and replaces them
with --acme-hostname and (optional) --acme-email. It uses
https://godoc.org/golang.org/x/crypto/acme/autocert, which is kind of a
successor to https://godoc.org/rsc.io/letsencrypt.
The autocert package only works when the listener runs on port 443. For
that reason, if TOR_PT_SERVER_BINDADDR asks for a port other than 443,
the program will open an *additional* listening port on 443. If there is
an error opening the listener, it is reported through an SMETHOD-ERROR
for the requested address.
The inspiration for this code came from George Tankersley's patch for
meek-server:
https://bugs.torproject.org/18655#comment:8https://github.com/gtank/meek/tree/letsencrypt
There's one FIFO reader goroutine instead of one per bindaddr.
makePeerConnectionFromOffer gives you a PeerConnection with an answer
and also sets up callbacks to pass a webRTCConn to datachannelHandler
when ready.
