feat: Add support for Mux SSL mode and update related settings (#11509)

* feat: Add support for Mux SSL mode and update related settings

- Introduced a new SSL mode "Mux" in the settings, allowing for HTTP to HTTPS redirection.
- Updated the `SSL` field in the `SettingUpdate` struct to include "Mux" as a valid option.
- Modified the server logic to handle Mux connections, including certificate management and HTTP redirection.
- Updated frontend components to reflect the new SSL options and improved user guidance in multiple languages.

* fix: Update HTTPS related messages for improved clarity and security guidance in multiple languages

Author: HynoR

core/app/dto/setting.go

@@ -64,7 +64,7 @@ type SettingUpdate struct {
 type SSLUpdate struct {
 	SSLType string `json:"sslType" validate:"required,oneof=self select import import-paste import-local"`
 	Domain  string `json:"domain"`
-	SSL     string `json:"ssl" validate:"required,oneof=Enable Disable"`
+	SSL     string `json:"ssl" validate:"required,oneof=Enable Disable Mux"`
 	Cert    string `json:"cert"`
 	Key     string `json:"key"`
 	SSLID   uint   `json:"sslID"`

core/constant/status.go

@@ -21,6 +21,7 @@ const (
 
 	StatusEnable  = "Enable"
 	StatusDisable = "Disable"
+	StatusMux     = "Mux"
 
 	StatusInstalling = "Installing"
 	StatusNormal     = "Normal"

core/go.mod

@@ -81,6 +81,7 @@ require (
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/sagikazarmark/locafero v0.4.0 // indirect
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
+	github.com/soheilhy/cmux v0.1.5 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
 	github.com/spf13/afero v1.11.0 // indirect
 	github.com/spf13/cast v1.6.0 // indirect

core/go.sum

@@ -250,6 +250,8 @@ github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e h1:MRM5ITcdelLK2j1vwZ3Je0FKVCfqOLp5zO6trqMLYs0=
 github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e/go.mod h1:XV66xRDqSt+GTGFMVlhk3ULuV0y9ZmzeVGR4mloJI3M=
+github.com/soheilhy/cmux v0.1.5 h1:jjzc5WVemNEDTLwv9tlmemhC73tI08BNOIGwBOo10Js=
+github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0=
 github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo=
 github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0=
 github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8=
@@ -342,6 +344,7 @@ golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210421230115-4e50805a0758/go.mod h1:72T/g9IO56b78aLF+1Kcs5dz7/ng1VjMUvfKvpfy+jM=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
@@ -363,6 +366,7 @@ golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210420072515-93ed5bcd2bfe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=

core/server/server.go

@@ -4,6 +4,11 @@ import (
 	"crypto/tls"
 	"encoding/gob"
 	"fmt"
+	"net"
+	"net/http"
+	"os"
+	"path"
+
 	"github.com/1Panel-dev/1Panel/core/init/auth"
 	"github.com/1Panel-dev/1Panel/core/init/db"
 	"github.com/1Panel-dev/1Panel/core/init/geo"
@@ -12,10 +17,7 @@ import (
 	"github.com/1Panel-dev/1Panel/core/init/proxy"
 	"github.com/1Panel-dev/1Panel/core/init/run"
 	"github.com/gin-gonic/gin"
-	"net"
-	"net/http"
-	"os"
-	"path"
+	"github.com/soheilhy/cmux"
 
 	"github.com/1Panel-dev/1Panel/core/constant"
 	"github.com/1Panel-dev/1Panel/core/global"
@@ -99,10 +101,64 @@ func Start() {
 		if err := server.ServeTLS(tcpKeepAliveListener{ln.(*net.TCPListener)}, "", ""); err != nil {
 			panic(err)
 		}
+		return
+	} else if global.CONF.Conn.SSL == constant.StatusMux {
+		certPath := path.Join(global.CONF.Base.InstallDir, "1panel/secret/server.crt")
+		keyPath := path.Join(global.CONF.Base.InstallDir, "1panel/secret/server.key")
+		certificate, err := os.ReadFile(certPath)
+		if err != nil {
+			panic(err)
+		}
+		key, err := os.ReadFile(keyPath)
+		if err != nil {
+			panic(err)
+		}
+		cert, err := tls.X509KeyPair(certificate, key)
+		if err != nil {
+			panic(err)
+		}
+		constant.CertStore.Store(&cert)
+
+		server.TLSConfig = &tls.Config{
+			GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
+				return constant.CertStore.Load().(*tls.Certificate), nil
+			},
+		}
+
+		global.LOG.Infof("listen at mux (http/https)://%s:%s [%s]", global.CONF.Conn.BindAddress, global.CONF.Conn.Port, tcpItem)
+
+		m := cmux.New(ln)
+
+		httpsL := m.Match(cmux.TLS())
+		httpL := m.Match(cmux.Any())
+
+		go func() {
+			if err := server.Serve(tls.NewListener(httpsL, server.TLSConfig)); err != nil {
+				global.LOG.Errorf("HTTPS Serve Error: %v", err)
+			}
+		}()
+
+		go func() {
+			redirectServer := &http.Server{
+				Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+					target := "https://" + r.Host + r.RequestURI
+					http.Redirect(w, r, target, http.StatusTemporaryRedirect)
+				}),
+			}
+			if err := redirectServer.Serve(httpL); err != nil {
+				global.LOG.Errorf("HTTP Redirect Serve Error: %v", err)
+			}
+		}()
+
+		if err := m.Serve(); err != nil {
+			panic(err)
+		}
+		return
 	} else {
 		global.LOG.Infof("listen at http://%s:%s [%s]", global.CONF.Conn.BindAddress, global.CONF.Conn.Port, tcpItem)
 		if err := server.Serve(tcpKeepAliveListener{ln.(*net.TCPListener)}); err != nil {
 			panic(err)
 		}
+		return
 	}
 }

frontend/src/lang/modules/en.ts

@@ -1995,7 +1995,7 @@ const message = {
         error444: 'Connection Closed',
         error500: 'Internal Server Error',
 
-        https: 'Setting up HTTPS protocol access for the panel can enhance the security of panel access.',
+        https: 'Setting up HTTPS for the panel improves access security.\nStrict mode blocks non-HTTPS traffic from reaching the panel.\nMux mode redirects HTTP to HTTPS, but may reduce security.',
         certType: 'Certificate type',
         selfSigned: 'Self signed',
         selfSignedHelper: `Browsers may not trust self-signed certificates and may display security warnings.`,

frontend/src/lang/modules/es-es.ts

@@ -2009,7 +2009,7 @@ const message = {
         error416: 'Rango no satisfactorio',
         error444: 'Conexión cerrada',
         error500: 'Error interno del servidor',
-        https: 'Configurar acceso al panel mediante protocolo HTTPS puede mejorar la seguridad del acceso.',
+        https: 'Configurar HTTPS en el panel mejora la seguridad de acceso.\nEn modo Strict, el tráfico sin HTTPS no puede conectarse al panel.\nEl modo Mux redirige HTTP a HTTPS, pero puede reducir la seguridad.',
         certType: 'Tipo de certificado',
         selfSigned: 'Autofirmado',
         selfSignedHelper:

frontend/src/lang/modules/ja.ts

@@ -1921,7 +1921,7 @@ const message = {
         error444: '接続が閉じた',
         error500: 'サーバーエラー',
 
-        https: 'パネル用のHTTPSプロトコルアクセスをセットアップすると、パネルアクセスのセキュリティが強化されます。',
+        https: 'パネルに HTTPS を設定するとアクセスの安全性が向上します。\nStrict モードでは HTTPS 以外の通信はパネルに接続できません。\nMux モードは HTTP を HTTPS にリダイレクトしますが、安全性が低下する可能性があります。',
         certType: '証明書の種類',
         selfSigned: '自己署名',
         selfSignedHelper: `ブラウザは、自己署名の証明書を信頼していない場合があり、セキュリティ警告を表示する場合があります。`,

frontend/src/lang/modules/ko.ts

@@ -1890,7 +1890,7 @@ const message = {
         error444: '연결 닫힘',
         error500: '서버 오류',
 
-        https: '패널의 HTTPS 프로토콜 접근 설정은 패널 접근 보안을 강화할 수 있습니다.',
+        https: '패널에 HTTPS를 설정하면 접근 보안이 향상됩니다.\nStrict 모드에서는 HTTPS가 아닌 트래픽이 패널에 연결할 수 없습니다.\nMux 모드는 HTTP를 HTTPS로 리다이렉트하지만 보안이 다소 낮아질 수 있습니다.',
         certType: '인증서 유형',
         selfSigned: '자가 서명',
         selfSignedHelper: '자가 서명 인증서는 브라우저에서 신뢰하지 않을 수 있으며 보안 경고가 표시될 수 있습니다.',

frontend/src/lang/modules/ms.ts

@@ -1977,7 +1977,7 @@ const message = {
         error444: 'Sambungan ditutup',
         error500: 'Ralat Pelayan',
 
-        https: 'Menetapkan protokol akses HTTPS untuk panel boleh meningkatkan keselamatan akses panel.',
+        https: 'Menetapkan HTTPS untuk panel meningkatkan keselamatan akses.\nDalam mod Strict, trafik bukan HTTPS tidak boleh menyambung ke panel.\nMod Mux mengalih hala HTTP ke HTTPS, tetapi mungkin mengurangkan keselamatan.',
         certType: 'Jenis sijil',
         selfSigned: 'Diterbitkan sendiri',
         selfSignedHelper: