[management] Store connected proxies in DB (#5472)

Co-authored-by: mlsmaycon <mlsmaycon@gmail.com>
2026-04-16 07:16:38 +00:00 · 2026-03-03 18:39:46 +01:00
parent 05b66e73bc
commit d7c8e37ff4
52 changed files with 1727 additions and 924 deletions
--- a/proxy/internal/acme/manager.go
+++ b/proxy/internal/acme/manager.go
@@ -5,6 +5,7 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/asn1"
+	"encoding/base64"
 	"encoding/binary"
 	"fmt"
 	"net"
@@ -59,7 +60,10 @@ type Manager struct {
 // NewManager creates a new ACME certificate manager. The certDir is used
 // for caching certificates. The lockMethod controls cross-replica
 // coordination strategy (see CertLockMethod constants).
-func NewManager(certDir, acmeURL string, notifier certificateNotifier, logger *log.Logger, lockMethod CertLockMethod) *Manager {
+// eabKID and eabHMACKey are optional External Account Binding credentials
+// required for some CAs like ZeroSSL. The eabHMACKey should be the base64
+// URL-encoded string provided by the CA.
+func NewManager(certDir, acmeURL, eabKID, eabHMACKey string, notifier certificateNotifier, logger *log.Logger, lockMethod CertLockMethod) *Manager {
 	if logger == nil {
 		logger = log.StandardLogger()
 	}
@@ -70,10 +74,26 @@ func NewManager(certDir, acmeURL string, notifier certificateNotifier, logger *l
 		certNotifier: notifier,
 		logger:       logger,
 	}
+
+	var eab *acme.ExternalAccountBinding
+	if eabKID != "" && eabHMACKey != "" {
+		decodedKey, err := base64.RawURLEncoding.DecodeString(eabHMACKey)
+		if err != nil {
+			logger.Errorf("failed to decode EAB HMAC key: %v", err)
+		} else {
+			eab = &acme.ExternalAccountBinding{
+				KID: eabKID,
+				Key: decodedKey,
+			}
+			logger.Infof("configured External Account Binding with KID: %s", eabKID)
+		}
+	}
+
 	mgr.Manager = &autocert.Manager{
-		Prompt:     autocert.AcceptTOS,
-		HostPolicy: mgr.hostPolicy,
-		Cache:      autocert.DirCache(certDir),
+		Prompt:                 autocert.AcceptTOS,
+		HostPolicy:             mgr.hostPolicy,
+		Cache:                  autocert.DirCache(certDir),
+		ExternalAccountBinding: eab,
 		Client: &acme.Client{
 			DirectoryURL: acmeURL,
 		},
@@ -136,7 +156,7 @@ func (mgr *Manager) prefetchCertificate(d domain.Domain) {
 	cert, err := mgr.GetCertificate(hello)
 	elapsed := time.Since(start)
 	if err != nil {
-		mgr.logger.Warnf("prefetch certificate for domain %q: %v", name, err)
+		mgr.logger.Warnf("prefetch certificate for domain %q in %s: %v", name, elapsed.String(), err)
 		mgr.setDomainState(d, domainFailed, err.Error())
 		return
 	}
--- a/proxy/internal/acme/manager_test.go
+++ b/proxy/internal/acme/manager_test.go
@@ -10,7 +10,7 @@ import (
 )

 func TestHostPolicy(t *testing.T) {
-	mgr := NewManager(t.TempDir(), "https://acme.example.com/directory", nil, nil, "")
+	mgr := NewManager(t.TempDir(), "https://acme.example.com/directory", "", "", nil, nil, "")
 	mgr.AddDomain("example.com", "acc1", "rp1")

 	// Wait for the background prefetch goroutine to finish so the temp dir
@@ -70,7 +70,7 @@ func TestHostPolicy(t *testing.T) {
 }

 func TestDomainStates(t *testing.T) {
-	mgr := NewManager(t.TempDir(), "https://acme.example.com/directory", nil, nil, "")
+	mgr := NewManager(t.TempDir(), "https://acme.example.com/directory", "", "", nil, nil, "")

 	assert.Equal(t, 0, mgr.PendingCerts(), "initially zero")
 	assert.Equal(t, 0, mgr.TotalDomains(), "initially zero domains")