feat: auto-HTTPS and graceful shutdown fix

config/.env.example

@@ -24,3 +24,10 @@ WEBHIX_TRUSTED_PROXIES=
 
 # Start in read-only mode — disables request capture (default: false)
 WEBHIX_READONLY=false
+
+# Auto-HTTPS via Let's Encrypt (optional)
+# When set, Webhix listens on :443 (TLS) and :80 (HTTP → HTTPS redirect + ACME challenge)
+# WEBHIX_ADDR is ignored when TLS is active
+# WEBHIX_BASE_URL should be updated to https:// when TLS is enabled
+WEBHIX_TLS_DOMAIN=hooks.example.com
+WEBHIX_TLS_CACHE_DIR=./data/certs

go.mod

@@ -10,6 +10,7 @@ require (
 	github.com/pressly/goose/v3 v3.27.1
 	github.com/spf13/cobra v1.10.2
 	github.com/stretchr/testify v1.11.1
+	golang.org/x/crypto v0.52.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 
@@ -22,7 +23,9 @@ require (
 	github.com/sethvargo/go-retry v0.3.0 // indirect
 	github.com/spf13/pflag v1.0.10 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
+	golang.org/x/net v0.54.0 // indirect
 	golang.org/x/sync v0.20.0 // indirect
-	golang.org/x/sys v0.43.0 // indirect
+	golang.org/x/sys v0.45.0 // indirect
+	golang.org/x/text v0.37.0 // indirect
 	olympos.io/encoding/edn v0.0.0-20201019073823-d3554ca0b0a3 // indirect
 )

go.sum

@@ -43,10 +43,16 @@ github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
+golang.org/x/crypto v0.52.0 h1:RMs7fP2rXdep0CftQlK8Uf+kibLm7qkCcradZWYz988=
+golang.org/x/crypto v0.52.0/go.mod h1:1QgfPxDqh0T2M/elOJtp9RvuR95kVjir0e6/BvEmGbc=
+golang.org/x/net v0.54.0 h1:2zJIZAxAHV/OHCDTCOHAYehQzLfSXuf/5SoL/Dv6w/w=
+golang.org/x/net v0.54.0/go.mod h1:Sj4oj8jK6XmHpBZU/zWHw3BV3abl4Kvi+Ut7cQcY+cQ=
 golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
 golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
-golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
-golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY=
+golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
+golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=

internal/app/app.go

@@ -3,10 +3,14 @@ package app
 import (
 	"context"
 	"errors"
+	"fmt"
 	"log/slog"
 	"net/http"
+	"net/url"
 	"time"
 
+	"golang.org/x/crypto/acme/autocert"
+
 	"github.com/GaIsBAX/Webhix/internal/config"
 	"github.com/GaIsBAX/Webhix/internal/core"
 	"github.com/GaIsBAX/Webhix/internal/server"
@@ -72,12 +76,79 @@ func newHTTPHandler(mux *http.ServeMux, cfg *config.Config) (http.Handler, error
 }
 
 func (a *App) Start(ctx context.Context) error {
+	if a.config.TLSDomain != "" {
+		return a.startTLS(ctx)
+	}
+	return a.startPlain(ctx)
+}
+
+func (a *App) startPlain(ctx context.Context) error {
+	slog.Info("webhix started", "addr", a.config.Addr, "base_url", a.config.BaseURL)
+	return a.run(ctx, a.server.ListenAndServe)
+}
+
+func (a *App) startTLS(ctx context.Context) error {
+	m := &autocert.Manager{
+		Prompt:     autocert.AcceptTOS,
+		HostPolicy: autocert.HostWhitelist(a.config.TLSDomain),
+		Cache:      autocert.DirCache(a.config.TLSCacheDir),
+	}
+
+	a.server.Addr = ":443"
+	a.server.TLSConfig = m.TLSConfig()
+
+	redirect := &http.Server{
+		Addr: ":80",
+		Handler: m.HTTPHandler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			target := &url.URL{
+				Scheme:   "https",
+				Host:     a.config.TLSDomain,
+				Path:     r.URL.Path,
+				RawQuery: r.URL.RawQuery,
+			}
+			w.Header().Set("Location", target.String())
+			w.WriteHeader(http.StatusPermanentRedirect)
+		})),
+		ReadHeaderTimeout: readHeaderTimeout,
+	}
+	defer shutdownServer(redirect, "redirect server")
+
+	serverErr := make(chan error, 2)
+
+	go func() {
+		err := redirect.ListenAndServe()
+		if !errors.Is(err, http.ErrServerClosed) {
+			serverErr <- fmt.Errorf("redirect server (:80): %w", err)
+		}
+	}()
+
+	go func() {
+		err := a.server.ListenAndServeTLS("", "")
+		if errors.Is(err, http.ErrServerClosed) {
+			err = nil
+		}
+		serverErr <- err
+	}()
+
+	slog.Info("webhix started (TLS)", "domain", a.config.TLSDomain, "base_url", a.config.BaseURL)
+
+	select {
+	case err := <-serverErr:
+		shutdownServer(a.server, "main server")
+		return err
+	case <-ctx.Done():
+		return a.Shutdown(ctx)
+	}
+}
+
+func (a *App) run(ctx context.Context, listen func() error) error {
 	serverErr := make(chan error, 1)
 	go func() {
-		slog.Info("webhix started", "addr", a.config.Addr, "base_url", a.config.BaseURL)
-		if err := a.server.ListenAndServe(); err != nil && err != http.ErrServerClosed {
-			serverErr <- err
+		err := listen()
+		if errors.Is(err, http.ErrServerClosed) {
+			err = nil
 		}
+		serverErr <- err
 	}()
 
 	select {
@@ -89,6 +160,15 @@ func (a *App) Start(ctx context.Context) error {
 	}
 }
 
+func shutdownServer(s *http.Server, name string) {
+	ctx, cancel := context.WithTimeout(context.Background(), shutdownTimeout)
+	defer cancel()
+
+	if err := s.Shutdown(ctx); err != nil {
+		slog.Error("shutdown", "server", name, "err", err)
+	}
+}
+
 func (a *App) RunServe(ctx context.Context, retention time.Duration) error {
 	a.deps.services.serve.StartRetentionCleaner(
 		ctx,
@@ -102,7 +182,7 @@ func (a *App) Shutdown(ctx context.Context) error {
 	slog.Info("shutting down")
 	a.deps.infra.hub.Close()
 
-	shutdownCtx, cancel := context.WithTimeout(ctx, shutdownTimeout)
+	shutdownCtx, cancel := context.WithTimeout(context.Background(), shutdownTimeout)
 	defer cancel()
 
 	if err := a.server.Shutdown(shutdownCtx); err != nil {

internal/config/config.go

@@ -20,6 +20,9 @@ type Config struct {
 	TrustedProxies []string `env:"WEBHIX_TRUSTED_PROXIES"`
 	MaxRequests    int64    `env:"WEBHIX_MAX_REQUESTS" env-default:"10000"`
 	ReadOnly       bool     `env:"WEBHIX_READONLY"`
+
+	TLSDomain   string `env:"WEBHIX_TLS_DOMAIN"`
+	TLSCacheDir string `env:"WEBHIX_TLS_CACHE_DIR" env-default:"./data/certs"`
 }
 
 func LoadConfig() (*Config, error) {