From c735220642e3e14623499e1f42e76121d372b3f9 Mon Sep 17 00:00:00 2001 From: Alec Muffett Date: Wed, 4 Aug 2021 14:02:20 +0100 Subject: [PATCH] commit: update truncation --- lib.d/do-configure.pl | 12 ++++++++---- lib.d/lint.pl | 1 + templates.d/nginx.conf.txt | 15 ++++++++++++++- 3 files changed, 23 insertions(+), 5 deletions(-) diff --git a/lib.d/do-configure.pl b/lib.d/do-configure.pl index 4847463..7b54b74 100755 --- a/lib.d/do-configure.pl +++ b/lib.d/do-configure.pl @@ -10,6 +10,8 @@ die "$0: needs EOTK_HOME environment variable to be set\n" $site_conf = 'eotk-site.conf'; +my $ONION_V3_TRUNCATE = 20; + # state my %projects = (); @@ -52,15 +54,15 @@ sub OnionVersion { # most Unixes, and NGINX surfaces this issue. # https://gitlab.com/gitlab-org/gitlab-development-kit/issues/55 -sub TruncDir { +sub TruncateOnion { my $onion = shift; $onion = &ExtractOnion($onion); if (&ValidOnionV3($onion)) { my $suffix = "-v3"; - $onion = substr($onion, 0, 30 - length($suffix)); + $onion = substr($onion, 0, $ONION_V3_TRUNCATE); $onion = "$onion$suffix"; } - return "$onion.d"; + return $onion; } sub Nonce { @@ -330,7 +332,9 @@ sub DoMap { $row{ONION_ADDRESS_RE8} = &PolySlash($onion_doto, 8); $row{ONION_ADDRESS_RE12} = &PolySlash($onion_doto, 12); - $row{ONION_DIRNAME} = &TruncDir($onion_doto); + my $otrunc = &TruncateOnion($onion_doto); + $row{ONION_TRUNCATED} = $otrunc; + $row{ONION_DIRNAME} = "$otrunc.d"; $row{ONION_VERSION} = &OnionVersion($onion_doto); warn Dumper(\%row); diff --git a/lib.d/lint.pl b/lib.d/lint.pl index d100d03..5f8c40a 100755 --- a/lib.d/lint.pl +++ b/lib.d/lint.pl @@ -132,6 +132,7 @@ my %known = 'SSL_MKCERT' => 1, 'SSL_PROOF_CSV' => 1, 'SSL_TOOL' => 1, + 'SSL_TRUNCATED' => 1, # where ssl certs for the current project live 'SUPPRESS_HEADER_CSP' => 1, 'SUPPRESS_HEADER_HPKP' => 1, 'SUPPRESS_HEADER_HSTS' => 1, diff --git a/templates.d/nginx.conf.txt b/templates.d/nginx.conf.txt index a98f3c4..bcdb171 100644 --- a/templates.d/nginx.conf.txt 
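Review bot: The new file-scope `my $ONION_V3_TRUNCATE = 20;` carries no explanation of where 20 comes from, and the comment block above TruncateOnion (only its tail is inside this patch) refers to the platform socket-path limit that motivated the old `30 - length($suffix)` budget, not to this shorter value. A reader cannot tell whether 20 was picked to keep `port-443.sock` paths under the sun_path limit or for the certificate file names that now reuse the same prefix; please record the reason next to the declaration, e.g. `# chars kept from a v3 onion name for directory and cert names; keep %PROJECT_DIR%/<name>.d/port-*.sock under the platform socket-path limit (see TruncateOnion)`. Since the value is only read, `use constant ONION_V3_TRUNCATE => 20;` (or Readonly) would also prevent it being silently reassigned elsewhere in the file.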
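Review bot: TruncateOnion now returns the bare shortened name instead of `"$onion.d"`, but the only documentation above it is the socket-path comment whose first lines are outside this hunk, so the new contract (what is returned, and who appends `.d`, `.cert` or `.pem`) is undocumented. Add a short header, e.g. `# Return the address from ExtractOnion shortened to $ONION_V3_TRUNCATE chars plus a "-v3" tag when it is a valid v3 onion; anything else is returned unchanged. Callers append ".d" for the project directory or ".cert"/".pem" for per-onion certificate files.` It is worth stating explicitly that non-v3 input is passed through untruncated, since the length guarantee callers may rely on only holds on the v3 branch.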
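Review bot: `$otrunc` is now the sole key for the project directory and, through ONION_TRUNCATED, for the per-onion certificate and key file, yet nothing checks that two onions in the same configuration do not share the same 20-character prefix; a collision would silently make two services share one directory, one socket and one certificate/key pair. With honestly generated keys the odds are negligible, but vanity-generated v3 addresses share long chosen prefixes by design, so the check is cheap insurance: `die "$0: truncated onion name '$otrunc' is already used by another onion\n" if $seen_truncated{$otrunc}++;` immediately after the TruncateOnion call, with `my %seen_truncated = ();` declared alongside the other file-level state. DoMap begins outside this hunk, and the `warn Dumper(\%row)` below is pre-existing.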
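Review bot: The key added to %known is `SSL_TRUNCATED`, but neither name this commit introduces is spelled that way: the nginx template tests `%SSL_CERTS_PER_ONION%` and reads `%ONION_TRUNCATED%`, and do-configure.pl sets `$row{ONION_TRUNCATED}`. If %known is the set of configuration keys the linter accepts (inferred from its neighbouring entries such as SSL_DIR-style names), `SSL_CERTS_PER_ONION` will be flagged as unknown while `SSL_TRUNCATED` is accepted though nothing reads it; the trailing comment `# where ssl certs for the current project live` also describes a directory setting rather than this flag. Suggest `'SSL_CERTS_PER_ONION' => 1, # one certificate/key pair per onion, named after ONION_TRUNCATED` instead. The %known hash is declared outside this hunk.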
+++ b/templates.d/nginx.conf.txt @@ -554,9 +554,14 @@ http { proxy_connect_timeout %NGINX_TIMEOUT%; # SSL config + ssl_buffer_size 4k; + %%IF %SSL_CERTS_PER_ONION% + # SSL_CERTS_PER_ONION is enabled, see individual onions for ssl_certificate directives + %%ELSE + # SSL_CERTS_PER_ONION is disabled, all SubjectAltNames MUST be defined this certificate file ssl_certificate %SSL_DIR%/%CERT_PREFIX%.cert; ssl_certificate_key %SSL_DIR%/%CERT_PREFIX%.pem; - ssl_buffer_size 4k; + %%ENDIF #ssl_ciphers 'EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES256'; ## LibreSSL, OpenSSL 1.1.0+ ssl_ciphers 'EECDH+AESGCM:EECDH+AES256'; ## OpenSSL 1.0.1% to 1.0.2% ssl_ecdh_curve prime256v1; @@ -652,6 +657,14 @@ http { listen unix:%PROJECT_DIR%/%ONION_DIRNAME%/port-443.sock ssl; %%ENDIF + %%IF %SSL_CERTS_PER_ONION% + # SSL_CERTS_PER_ONION is enabled, use separate certs per onion + ssl_certificate %SSL_DIR%/%ONION_TRUNCATED%.cert; + ssl_certificate_key %SSL_DIR%/%ONION_TRUNCATED%.pem; + %%ELSE + # SSL_CERTS_PER_ONION is disabled, see global certificate directive, above + %%ENDIF + %%IF %LOG_SEPARATE% access_log %LOG_DIR%/nginx-access-%DNS_DOMAIN%.log; %%ENDIF
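Review bot: The comment on the new `%%ELSE` branch, `all SubjectAltNames MUST be defined this certificate file`, is missing a word and does not say what the names must cover. Suggest `# SSL_CERTS_PER_ONION is disabled: this single certificate must carry a SubjectAltName for every onion name served from this file`. The enclosing `http {` block starts and ends outside this hunk.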
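Review bot: The per-onion `ssl_certificate %SSL_DIR%/%ONION_TRUNCATED%.cert` path is keyed on a prefix of the onion address rather than the full name, so the file name alone no longer identifies which onion a certificate belongs to and the template gives the operator no hint of the naming rule. A comment at the `%%IF` would save time when a certificate fails to match, e.g. `# %ONION_TRUNCATED% is the leading characters of the v3 address plus "-v3" (see TruncateOnion in lib.d/do-configure.pl); the certificate must still carry a SubjectAltName for the full .onion name`. The enclosing server block starts outside this hunk.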