Add HTTPS support with OpenSSL (CL+SSL)

[fukamachi]

Usage

Use SSL key arguments of woo:run or clack:clackup.

(woo:run app
         :ssl-cert-file #P"path/to/cert.pem"
         :ssl-key-file #P"path/to/key.pem"
         :ssl-key-pass "password")

(clack:clackup app
               :ssl-cert-file #P"path/to/cert.pem"
               :ssl-key-file #P"path/to/key.pem"
               :ssl-key-pass "password")

To disable the HTTPS support to omit a dependency on CL+SSL, add woo-no-ssl to cl:*features*.

TODO

• Basic implementation
• HTTPS for static files
  • [FUTURE TASK] Add a flag to use SSL_sendfile (Using Kernel TLS) for better performance
• Refactoring
  • Wrap symbol references to internal symbols of cl+ssl
  • Better to reduce conditional flows (socket-ssl-stream)
• Add a feature to disable HTTPS to omit the dependency on cl+ssl
• Run tests for HTTPS
• Proper error code handling on SSL I/O (ssl-read/ssl-write)
• Benchmark to make sure its performance downgrade is limited or permissible
  • Not much difference from the master branch
  • Single thread: HTTP = 61k / HTTPS = 56k
  • 4 threads: HTTPS = 137k / HTTPS = 105k

[daninus14]

Hi

I'm trying this by running

/root/.roswell/bin/clackup --server woo --debug nil --address "0.0.0.0" --port "443" --ssl-cert-file "/etc/letsencrypt/live/mydomain/cert.pem" --ssl-key-file "/etc/letsencrypt/live/mydomain/privkey.pem" "app.lisp"

Where app.lisp is:

(lambda (env)
  (declare (ignore env))
  '(200 () ("Hello from Woo Server")))

When I navigate in chrome to the domain, I get the following error in the terminal on the server:

Woo server is going to start.
Listening on 0.0.0.0:443.
 <ERROR> [18:13:56] woo - HTTP parse error: INVALID-METHOD: invalid HTTP method
 <ERROR> [18:13:56] woo - HTTP parse error: INVALID-METHOD: invalid HTTP method

Any ideas on what's going on?

For reference the letsencrypt generated certificates are the following (this is the readme file):

This directory contains your keys and certificates.

`privkey.pem`  : the private key for your certificate.
`fullchain.pem`: the certificate file used in most server software.
`chain.pem`    : used for OCSP stapling in Nginx >=1.3.7.
`cert.pem`     : will break many server configurations, and should not be used
                 without reading further documentation (see link below).

WARNING: DO NOT MOVE OR RENAME THESE FILES!
         Certbot expects these files to remain in this location in order
         to function properly!

We recommend not moving these files. For more information, see the Certbot
User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.