github.com/keybase/client/go@v0.0.0-20241007131713-f10651d043c8/kbfs/libpages/server.go (about)

     1  // Copyright 2017 Keybase Inc. All rights reserved.
     2  // Use of this source code is governed by a BSD
     3  // license that can be found in the LICENSE file.
     4  
     5  package libpages
     6  
     7  import (
     8  	"context"
     9  	"crypto/ecdsa"
    10  	"crypto/elliptic"
    11  	"crypto/rand"
    12  	"fmt"
    13  	"io"
    14  	"log"
    15  	"net/http"
    16  	"os"
    17  	"path"
    18  	"reflect"
    19  	"strings"
    20  	"sync"
    21  	"time"
    22  
    23  	lru "github.com/hashicorp/golang-lru"
    24  	"github.com/keybase/client/go/kbfs/libfs"
    25  	"github.com/keybase/client/go/kbfs/libkbfs"
    26  	"github.com/keybase/client/go/kbfs/libmime"
    27  	"github.com/keybase/client/go/kbfs/libpages/config"
    28  	"github.com/keybase/client/go/kbfs/tlf"
    29  	"go.uber.org/zap"
    30  	"golang.org/x/crypto/acme"
    31  	"golang.org/x/crypto/acme/autocert"
    32  )
    33  
    34  // CertStoreType is a type for specifying if and what cert store should be used
    35  // for acme/autocert.
    36  type CertStoreType string
    37  
    38  // Possible cert store types.
    39  const (
    40  	NoCertStore      CertStoreType = ""
    41  	DiskCertStore    CertStoreType = "disk"
    42  	KVStoreCertStore CertStoreType = "kvstore"
    43  )
    44  
    45  // ServerConfig holds configuration parameters for Server.
    46  type ServerConfig struct {
    47  	// If DomainWhitelist is non-nil and non-empty, only domains in the
    48  	// whitelist are served and others are blocked.
    49  	DomainWhitelist []string
    50  	// If DomainBlacklist is non-nil and non-empty, domains in the blacklist
    51  	// and all subdomains under them are blocked. When a domain is present in
    52  	// both blacklist and whitelist, the domain is blocked.
    53  	DomainBlacklist []string
    54  	UseStaging      bool
    55  	Logger          *zap.Logger
    56  	CertStore       CertStoreType
    57  	StatsReporter   StatsReporter
    58  
    59  	domainListsOnce sync.Once
    60  	domainWhitelist map[string]bool
    61  	domainBlacklist []string
    62  }
    63  
    64  // ErrDomainBlockedInBlacklist is returned when the server is configured
    65  // with a domain blacklist, and we receive a HTTP request that was sent to a
    66  // domain that's in the blacklist.
    67  type ErrDomainBlockedInBlacklist struct{}
    68  
    69  // Error implements the error interface.
    70  func (ErrDomainBlockedInBlacklist) Error() string {
    71  	return "a blacklist is configured and the given domain is in the list"
    72  }
    73  
    74  // ErrDomainNotAllowedInWhitelist is returned when the server is configured
    75  // with a domain whitelist, and we receive a HTTP request that was sent to a
    76  // domain that's not in the whitelist.
    77  type ErrDomainNotAllowedInWhitelist struct{}
    78  
    79  // Error implements the error interface.
    80  func (ErrDomainNotAllowedInWhitelist) Error() string {
    81  	return "a whitelist is configured and the given domain is not in the list"
    82  }
    83  
    84  func (c *ServerConfig) checkDomainLists(domain string) error {
    85  	c.domainListsOnce.Do(func() {
    86  		if len(c.DomainWhitelist) > 0 {
    87  			c.domainWhitelist = make(map[string]bool, len(c.DomainWhitelist))
    88  			for _, d := range c.DomainWhitelist {
    89  				c.domainWhitelist[strings.ToLower(strings.TrimSpace(d))] = true
    90  			}
    91  		}
    92  		if len(c.DomainBlacklist) > 0 {
    93  			c.domainBlacklist = make([]string, len(c.DomainBlacklist))
    94  			for i, d := range c.DomainBlacklist {
    95  				c.domainBlacklist[i] = strings.ToLower(strings.TrimSpace(d))
    96  			}
    97  		}
    98  	})
    99  
   100  	for _, blocked := range c.domainBlacklist {
   101  		if strings.HasSuffix(domain, blocked) {
   102  			return ErrDomainBlockedInBlacklist{}
   103  		}
   104  	}
   105  	if len(c.domainWhitelist) > 0 && !c.domainWhitelist[domain] {
   106  		return ErrDomainNotAllowedInWhitelist{}
   107  	}
   108  
   109  	// No domainWhitelist; allow everything!
   110  	return nil
   111  }
   112  
   113  const fsCacheSize = 2 << 15
   114  
   115  // Server handles incoming HTTP requests by creating a Root for each host and
   116  // serving content from it.
   117  type Server struct {
   118  	config     *ServerConfig
   119  	kbfsConfig libkbfs.Config
   120  
   121  	rootLoader RootLoader
   122  	siteCache  *lru.Cache
   123  }
   124  
   125  func (s *Server) getSite(ctx context.Context, root Root) (st *site, err error) {
   126  	siteCached, ok := s.siteCache.Get(root)
   127  	if ok {
   128  		if st, ok := siteCached.(*site); ok {
   129  			if !st.fs.IsObsolete() {
   130  				return st, nil
   131  			}
   132  			s.config.Logger.Info("fs end of life",
   133  				zap.String("root", fmt.Sprintf("%#+v", root)))
   134  		}
   135  		s.config.Logger.Error("nasty entry in s.siteCache",
   136  			zap.String("reflect_type", reflect.TypeOf(siteCached).String()))
   137  	}
   138  	fs, tlfID, fsShutdown, err := root.MakeFS(ctx, s.config.Logger, s.kbfsConfig)
   139  	if err != nil {
   140  		return nil, err
   141  	}
   142  	var added bool
   143  	defer func() {
   144  		// This is in case there's a panic before we get to add st into
   145  		// s.siteCache.
   146  		if !added {
   147  			fsShutdown()
   148  		}
   149  	}()
   150  	st = makeSite(fs, tlfID, fsShutdown, root)
   151  	s.siteCache.Add(root, st)
   152  	added = true
   153  	return st, nil
   154  }
   155  
   156  func (s *Server) siteCacheEvict(_ interface{}, value interface{}) {
   157  	if s, ok := value.(*site); ok {
   158  		// It's possible to have a race here where a site gets evicted by the
   159  		// LRU cache while the server is still using it to serve a request. But
   160  		// since the cache is LRU, this should almost never happen given a
   161  		// sufficiently large cache, and under the assumption that serving a
   162  		// request won't take super long.
   163  		s.shutdown()
   164  		return
   165  	}
   166  	s.config.Logger.Error("nasty entry in s.siteCache",
   167  		zap.String("reflect_type", reflect.TypeOf(value).String()))
   168  }
   169  
   170  func (s *Server) handleError(w http.ResponseWriter, err error) {
   171  	// TODO: have a nicer error page for configuration errors?
   172  	switch err.(type) {
   173  	case nil:
   174  	case ErrKeybasePagesRecordNotFound,
   175  		ErrDomainNotAllowedInWhitelist, ErrDomainBlockedInBlacklist:
   176  		http.Error(w, err.Error(), http.StatusServiceUnavailable)
   177  		return
   178  	case ErrKeybasePagesRecordTooMany, ErrInvalidKeybasePagesRecord:
   179  		http.Error(w, err.Error(), http.StatusPreconditionFailed)
   180  		return
   181  	case config.ErrDuplicatePerPathConfigPath, config.ErrInvalidPermissions,
   182  		config.ErrInvalidVersion, config.ErrUndefinedUsername:
   183  		http.Error(w, "invalid .kbp_config", http.StatusPreconditionFailed)
   184  		return
   185  	default:
   186  		// Don't write unknown errors in case we leak data unintentionally.
   187  		http.Error(w, "", http.StatusInternalServerError)
   188  		return
   189  	}
   190  }
   191  
   192  // CtxKBPTagKey is the type used for unique context tags within kbp and
   193  // libpages.
   194  type CtxKBPTagKey int
   195  
   196  const (
   197  	// CtxKBPKey is the tag key for unique operation IDs within kbp and
   198  	// libpages.
   199  	CtxKBPKey CtxKBPTagKey = iota
   200  )
   201  
   202  // CtxKBPOpID is the display name for unique operations in kbp and libpages.
   203  const CtxKBPOpID = "KBP"
   204  
   205  type adaptedLogger struct {
   206  	msg    string
   207  	logger *zap.Logger
   208  }
   209  
   210  func (a adaptedLogger) Warning(format string, args ...interface{}) {
   211  	a.logger.Warn(a.msg, zap.String("desc", fmt.Sprintf(format, args...)))
   212  }
   213  
   214  func (s *Server) handleUnauthorized(w http.ResponseWriter,
   215  	r *http.Request, realm string, authorizationPossible bool) {
   216  	if authorizationPossible {
   217  		w.Header().Set("WWW-Authenticate", fmt.Sprintf("Basic realm=%s", realm))
   218  		w.WriteHeader(http.StatusUnauthorized)
   219  	} else {
   220  		w.WriteHeader(http.StatusForbidden)
   221  	}
   222  }
   223  
   224  func (s *Server) isDirWithNoIndexHTML(
   225  	realFS *libfs.FS, requestPath string) (bool, error) {
   226  	fi, err := realFS.Stat(strings.Trim(path.Clean(requestPath), "/"))
   227  	switch {
   228  	case os.IsNotExist(err):
   229  		// It doesn't exist! So just let the http package handle it.
   230  		return false, nil
   231  	case err != nil:
   232  		// Some other error happened. To be safe, error here.
   233  		return false, err
   234  	default:
   235  		// continue
   236  	}
   237  
   238  	if !fi.IsDir() {
   239  		return false, nil
   240  	}
   241  
   242  	_, err = realFS.Stat(path.Join(requestPath, "index.html"))
   243  	switch {
   244  	case err == nil:
   245  		return false, nil
   246  	case os.IsNotExist(err):
   247  		return true, nil
   248  	default:
   249  		// Some other error happened. To be safe, error here.
   250  		return false, err
   251  	}
   252  }
   253  
   254  // ServedRequestInfo holds information regarding to an incoming request
   255  // that might be useful for stats.
   256  type ServedRequestInfo struct {
   257  	// Host is the `Host` field of http.Request.
   258  	Host string
   259  	// Proto is the `Proto` field of http.Request.
   260  	Proto string
   261  	// Authenticated means the client set WWW-Authenticate in this request and
   262  	// authentication using the given credentials has succeeded. It doesn't
   263  	// necessarily indicate that the authentication is required for this
   264  	// particular request.
   265  	Authenticated bool
   266  	// TlfID is the TLF ID associated with the site.
   267  	TlfID tlf.ID
   268  	// TlfType is the TLF type of the root that's used to serve the request.
   269  	TlfType tlf.Type
   270  	// RootType is the type of the root that's used to serve the request.
   271  	RootType RootType
   272  	// HTTPStatus is the HTTP status code that we have written for the request
   273  	// in the response header.
   274  	HTTPStatus int
   275  	// CloningShown is set to true if a "CLONING" page instead of the real site
   276  	// was served to the request.
   277  	CloningShown bool
   278  	// InvalidConfig is set to true if user has a config for the site being
   279  	// requested, but it's invalid.
   280  	InvalidConfig bool
   281  }
   282  
   283  type statusCodePeekingResponseWriter struct {
   284  	w    http.ResponseWriter
   285  	code *int
   286  }
   287  
   288  var _ http.ResponseWriter = statusCodePeekingResponseWriter{}
   289  
   290  func (w statusCodePeekingResponseWriter) Header() http.Header {
   291  	return w.w.Header()
   292  }
   293  
   294  func (w statusCodePeekingResponseWriter) WriteHeader(status int) {
   295  	if *w.code == 0 {
   296  		*w.code = status
   297  	}
   298  	w.w.WriteHeader(status)
   299  }
   300  
   301  func (w statusCodePeekingResponseWriter) Write(data []byte) (int, error) {
   302  	if *w.code == 0 {
   303  		*w.code = http.StatusOK
   304  	}
   305  	return w.w.Write(data)
   306  }
   307  
   308  func (s *ServedRequestInfo) wrapResponseWriter(
   309  	w http.ResponseWriter) http.ResponseWriter {
   310  	return statusCodePeekingResponseWriter{w: w, code: &s.HTTPStatus}
   311  }
   312  
   313  func (s *Server) logRequest(sri *ServedRequestInfo, requestPath string, startTime time.Time, err *error) {
   314  	s.config.Logger.Info("ReqProcessed",
   315  		zap.String("host", sri.Host),
   316  		zap.String("path", requestPath),
   317  		zap.String("proto", sri.Proto),
   318  		zap.String("tlf_id", sri.TlfID.String()),
   319  		zap.Int("http_status", sri.HTTPStatus),
   320  		zap.Bool("authenticated", sri.Authenticated),
   321  		zap.Bool("cloning_shown", sri.CloningShown),
   322  		zap.Bool("invalid_config", sri.InvalidConfig),
   323  		zap.Duration("duration", time.Since(startTime)),
   324  		zap.NamedError("pre_FileServer_error", *err),
   325  	)
   326  }
   327  
   328  func (s *Server) setCommonResponseHeaders(w http.ResponseWriter) {
   329  	// Enforce XSS protection. References:
   330  	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
   331  	// https://blog.innerht.ml/the-misunderstood-x-xss-protection/
   332  	w.Header().Set("X-XSS-Protection", "1; mode=block")
   333  	// Only allow HTTPS on this domain, and make this policy expire in a
   334  	// week. This means if user decides to migrate off Keybase Pages, there's a
   335  	// 1-week gap before they can use HTTP again. Note that we don't use the
   336  	// 'preload' directive, for the same reason we use 302 instead of 301 for
   337  	// HTTP->HTTPS redirection. Reference: https://hstspreload.org/#opt-in
   338  	w.Header().Set("Strict-Transport-Security", "max-age=604800")
   339  	// TODO: allow user to opt-in some directives of Content-Security-Policy?
   340  }
   341  
   342  func (s *Server) setAccessControlAllowOriginHeader(w http.ResponseWriter, accessControlAllowOrigin string) {
   343  	w.Header().Set("Access-Control-Allow-Origin", accessControlAllowOrigin)
   344  }
   345  
   346  // ServeHTTP implements the http.Handler interface.
   347  func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
   348  	startTime := time.Now()
   349  	sri := &ServedRequestInfo{
   350  		Proto: r.Proto,
   351  		Host:  r.Host,
   352  	}
   353  	w = sri.wrapResponseWriter(w)
   354  	if s.config.StatsReporter != nil {
   355  		defer s.config.StatsReporter.ReportServedRequest(sri)
   356  	}
   357  
   358  	var err error
   359  	defer s.logRequest(sri, r.URL.Path, startTime, &err)
   360  
   361  	if err = s.config.checkDomainLists(r.Host); err != nil {
   362  		s.handleError(w, err)
   363  		return
   364  	}
   365  
   366  	s.setCommonResponseHeaders(w)
   367  
   368  	// Don't serve the config file itself.
   369  	if path.Clean(strings.ToLower(r.URL.Path)) == config.DefaultConfigFilepath {
   370  		// TODO: integrate this check into Config?
   371  		http.Error(w, fmt.Sprintf("Reading %s directly is forbidden.",
   372  			config.DefaultConfigFilepath), http.StatusForbidden)
   373  		return
   374  	}
   375  
   376  	// Construct a *site from DNS record.
   377  	root, err := s.rootLoader.LoadRoot(r.Host)
   378  	if err != nil {
   379  		s.handleError(w, err)
   380  		return
   381  	}
   382  	sri.TlfType, sri.RootType = root.TlfType, root.Type
   383  	ctx := libfs.EnableFastMode(
   384  		libkbfs.CtxWithRandomIDReplayable(r.Context(),
   385  			CtxKBPKey, CtxKBPOpID, adaptedLogger{
   386  				msg:    "CtxWithRandomIDReplayable",
   387  				logger: s.config.Logger,
   388  			}),
   389  	)
   390  	st, err := s.getSite(ctx, root)
   391  	if err != nil {
   392  		s.handleError(w, err)
   393  		return
   394  	}
   395  	sri.TlfID = st.tlfID
   396  
   397  	realFS, err := st.fs.Use()
   398  	if err != nil {
   399  		s.handleError(w, err)
   400  		return
   401  	}
   402  
   403  	// Get a site config, which can be either a user-defined one, or the
   404  	// default one if it's missing from the site root.
   405  	cfg, err := st.getConfig(false)
   406  	if err != nil {
   407  		// User has a .kbp_config file but it's invalid.
   408  		// TODO: error page to show the error message?
   409  		sri.InvalidConfig = true
   410  		s.handleError(w, err)
   411  		return
   412  	}
   413  
   414  	var username *string
   415  	user, pass, ok := r.BasicAuth()
   416  	if ok && cfg.Authenticate(r.Context(), user, pass) {
   417  		sri.Authenticated = true
   418  		username = &user
   419  	}
   420  	canRead, canList, possibleRead, possibleList,
   421  		realm, err := cfg.GetPermissions(r.URL.Path, username)
   422  	if err != nil {
   423  		s.handleError(w, err)
   424  		return
   425  	}
   426  
   427  	// Check if it's a directory containing no index.html before letting
   428  	// http.FileServer handle it.  This permission check should ideally
   429  	// happen inside the http package, but unfortunately there isn't a
   430  	// way today.
   431  	isListing, err := s.isDirWithNoIndexHTML(realFS, r.URL.Path)
   432  	if err != nil {
   433  		s.handleError(w, err)
   434  		return
   435  	}
   436  
   437  	if isListing && !canList {
   438  		s.handleUnauthorized(w, r, realm, possibleList)
   439  		return
   440  	}
   441  
   442  	if !isListing && !canRead {
   443  		s.handleUnauthorized(w, r, realm, possibleRead)
   444  		return
   445  	}
   446  
   447  	accessControlAllowOrigin, err := cfg.GetAccessControlAllowOrigin(r.URL.Path)
   448  	if err != nil {
   449  		s.handleError(w, err)
   450  		return
   451  	}
   452  	if len(accessControlAllowOrigin) > 0 {
   453  		s.setAccessControlAllowOriginHeader(w, accessControlAllowOrigin)
   454  	}
   455  
   456  	http.FileServer(realFS.ToHTTPFileSystem(ctx)).ServeHTTP(w, r)
   457  }
   458  
   459  // allowDomain is used to determine whether a given domain should be
   460  // served. It's also used as a HostPolicy in autocert package.
   461  func (s *Server) allowDomain(ctx context.Context, host string) (err error) {
   462  	host = strings.ToLower(strings.TrimSpace(host))
   463  	if err = s.config.checkDomainLists(host); err != nil {
   464  		return err
   465  	}
   466  
   467  	// DoS protection: look up kbp TXT record before attempting ACME cert
   468  	// issuance, and only allow those that have DNS records configured. This is
   469  	// in case someone keeps sending us TLS handshakes with random SNIs,
   470  	// causing us to be rate-limited by the ACME server.
   471  	//
   472  	// TODO: cache the parsed root somewhere so we don't end up doing it twice
   473  	// for each connection.
   474  	if _, err = s.rootLoader.LoadRoot(host); err != nil {
   475  		return err
   476  	}
   477  
   478  	return nil
   479  }
   480  
   481  const (
   482  	gracefulShutdownTimeout = 16 * time.Second
   483  	httpReadHeaderTimeout   = 8 * time.Second
   484  	httpIdleTimeout         = 1 * time.Minute
   485  	stagingDiskCacheName    = "./kbp-cert-cache-staging"
   486  	prodDiskCacheName       = "./kbp-cert-cache"
   487  )
   488  
   489  func makeACMEManager(kbfsConfig libkbfs.Config, useStaging bool,
   490  	certStoreType CertStoreType, hostPolicy autocert.HostPolicy) (
   491  	*autocert.Manager, error) {
   492  	manager := &autocert.Manager{
   493  		Prompt:     autocert.AcceptTOS,
   494  		HostPolicy: hostPolicy,
   495  	}
   496  
   497  	switch certStoreType {
   498  	case DiskCertStore:
   499  		if useStaging {
   500  			manager.Cache = autocert.DirCache(stagingDiskCacheName)
   501  		} else {
   502  			manager.Cache = autocert.DirCache(prodDiskCacheName)
   503  		}
   504  	case KVStoreCertStore:
   505  		manager.Cache = newCertStoreBackedByKVStore(kbfsConfig)
   506  	default:
   507  	}
   508  
   509  	if useStaging {
   510  		acmeKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
   511  		if err != nil {
   512  			return nil, err
   513  		}
   514  		manager.Client = &acme.Client{
   515  			DirectoryURL: "https://acme-staging.api.letsencrypt.org/directory",
   516  			Key:          acmeKey,
   517  		}
   518  	}
   519  
   520  	return manager, nil
   521  }
   522  
   523  var additionalMimeTypes = map[string]string{
   524  	".wasm": "application/wasm",
   525  }
   526  
   527  type logForwarder struct {
   528  	msg     string
   529  	logFunc func(msg string, fields ...zap.Field)
   530  }
   531  
   532  var _ io.Writer = (*logForwarder)(nil)
   533  
   534  func (f *logForwarder) Write(p []byte) (n int, err error) {
   535  	f.logFunc(f.msg, zap.String("content", string(p)))
   536  	return len(p), nil
   537  }
   538  
   539  // ListenAndServe listens on 443 and 80 ports of all addresses, and serve
   540  // Keybase Pages based on config and kbfsConfig. HTTPs setup is handled with
   541  // ACME.
   542  func ListenAndServe(ctx context.Context,
   543  	config *ServerConfig, kbfsConfig libkbfs.Config) (err error) {
   544  	ctx, cancel := context.WithCancel(ctx)
   545  	defer cancel()
   546  
   547  	libmime.Patch(additionalMimeTypes)
   548  
   549  	server := &Server{
   550  		config:     config,
   551  		kbfsConfig: kbfsConfig,
   552  		rootLoader: NewDNSRootLoader(config.Logger),
   553  	}
   554  	server.siteCache, err = lru.NewWithEvict(fsCacheSize, server.siteCacheEvict)
   555  	if err != nil {
   556  		return err
   557  	}
   558  
   559  	manager, err := makeACMEManager(
   560  		kbfsConfig, config.UseStaging, config.CertStore, server.allowDomain)
   561  	if err != nil {
   562  		return err
   563  	}
   564  
   565  	if manager.Client == nil || len(manager.Client.DirectoryURL) == 0 {
   566  		config.Logger.Info("ListenAndServe",
   567  			zap.String("acme directory url", autocert.DefaultACMEDirectory))
   568  	} else {
   569  		config.Logger.Info("ListenAndServe",
   570  			zap.String("acme directory url", manager.Client.DirectoryURL))
   571  	}
   572  
   573  	httpsServer := http.Server{
   574  		Handler:           server,
   575  		ReadHeaderTimeout: httpReadHeaderTimeout,
   576  		IdleTimeout:       httpIdleTimeout,
   577  		ErrorLog: log.New(&logForwarder{
   578  			msg:     "http error log",
   579  			logFunc: config.Logger.Error,
   580  		}, "", 0),
   581  	}
   582  
   583  	httpServer := http.Server{
   584  		Addr: ":80",
   585  		// Enable http-01 by calling the HTTPHandler method, and set the
   586  		// fallback HTTP handler to nil. As described in the autocert doc
   587  		// (https://github.com/golang/crypto/blob/13931e22f9e72ea58bb73048bc752b48c6d4d4ac/acme/autocert/autocert.go#L248-L251),
   588  		// this means for requests not for ACME domain verification, a default
   589  		// fallback handler is used, which redirects all HTTP traffic using GET
   590  		// and HEAD to HTTPS using 302 Found, and responds with 400 Bad Request
   591  		// for requests with other methods.
   592  		Handler:           manager.HTTPHandler(nil),
   593  		ReadHeaderTimeout: httpReadHeaderTimeout,
   594  		IdleTimeout:       httpIdleTimeout,
   595  	}
   596  
   597  	go func() {
   598  		<-ctx.Done()
   599  		shutdownCtx, cancel := context.WithTimeout(
   600  			context.Background(), gracefulShutdownTimeout)
   601  		defer cancel()
   602  		_ = httpsServer.Shutdown(shutdownCtx)
   603  		_ = httpServer.Shutdown(shutdownCtx)
   604  	}()
   605  
   606  	go func() {
   607  		err := httpServer.ListenAndServe()
   608  		if err != nil {
   609  			config.Logger.Error("http.ListenAndServe:80", zap.Error(err))
   610  		}
   611  	}()
   612  
   613  	return httpsServer.Serve(manager.Listener())
   614  }