Added experimental acme renew from Let's Encrypt

.gitignore

@@ -29,3 +29,4 @@ src/Zoraxy_*_*
 src/certs/*
 src/rules/*
 src/README.md
+src/mod/acme/test/stackoverflow.pem

src/acme.go

@@ -1,10 +1,18 @@
 package main
 
 import (
+	"fmt"
+	"io/ioutil"
 	"log"
+	"math/rand"
 	"net/http"
+	"regexp"
+	"strconv"
+	"time"
 
+	"imuslab.com/zoraxy/mod/acme"
 	"imuslab.com/zoraxy/mod/dynamicproxy"
+	"imuslab.com/zoraxy/mod/utils"
 )
 
 /*
@@ -13,18 +21,53 @@ import (
 	This script handle special routing required for acme auto cert renew functions
 */
 
+// Helper function to generate a random port above a specified value
+func getRandomPort(minPort int) int {
+	return rand.Intn(65535-minPort) + minPort
+}
+
+// init the new ACME instance
+func initACME() *acme.ACMEHandler {
+	log.Println("Starting ACME handler")
+	rand.Seed(time.Now().UnixNano())
+	// Generate a random port above 30000
+	port := getRandomPort(30000)
+
+	// Check if the port is already in use
+	for acme.IsPortInUse(port) {
+		port = getRandomPort(30000)
+	}
+
+	return acme.NewACME("https://acme-staging-v02.api.letsencrypt.org/directory", strconv.Itoa(port))
+}
+
+// create the special routing rule for ACME
 func acmeRegisterSpecialRoutingRule() {
+	log.Println("Assigned temporary port:" + acmeHandler.Getport())
+
 	err := dynamicProxyRouter.AddRoutingRules(&dynamicproxy.RoutingRule{
 		ID: "acme-autorenew",
 		MatchRule: func(r *http.Request) bool {
-			if r.RequestURI == "/.well-known/" {
+			found, _ := regexp.MatchString("/.well-known/*", r.RequestURI)
-				return true
+			return found
-			}
-
-			return false
 		},
 		RoutingHandler: func(w http.ResponseWriter, r *http.Request) {
-			w.Write([]byte("HELLO WORLD, THIS IS ACME REQUEST HANDLER"))
+
+			req, err := http.NewRequest(http.MethodGet, "http://localhost:"+acmeHandler.Getport()+r.RequestURI, nil)
+			req.Host = r.Host
+			if err != nil {
+				fmt.Printf("client: could not create request: %s\n", err)
+			}
+			res, err := http.DefaultClient.Do(req)
+			if err != nil {
+				fmt.Printf("client: error making http request: %s\n", err)
+			}
+
+			resBody, err := ioutil.ReadAll(res.Body)
+			if err != nil {
+				fmt.Printf("error reading: %s\n", err)
+			}
+			w.Write(resBody)
 		},
 		Enabled: true,
 	})
@@ -33,3 +76,36 @@ func acmeRegisterSpecialRoutingRule() {
 		log.Println("[Err] " + err.Error())
 	}
 }
+
+// This function check if the renew setup is satisfied. If not, toggle them automatically
+func AcmeCheckAndHandleRenewCertificate(w http.ResponseWriter, r *http.Request) {
+	isForceHttpsRedirectEnabledOriginally := false
+	if dynamicProxyRouter.Option.Port == 443 {
+		//Enable port 80 to 443 redirect
+		if !dynamicProxyRouter.Option.ForceHttpsRedirect {
+			log.Println("Temporary enabling HTTP to HTTPS redirect for ACME certificate renew requests")
+			dynamicProxyRouter.UpdateHttpToHttpsRedirectSetting(true)
+		} else {
+			//Set this to true, so after renew, do not turn it off
+			isForceHttpsRedirectEnabledOriginally = true
+		}
+
+	} else if dynamicProxyRouter.Option.Port == 80 {
+		//Go ahead
+
+	} else {
+		//This port do not support ACME
+		utils.SendErrorResponse(w, "ACME renew only support web server listening on port 80 (http) or 443 (https)")
+	}
+
+	// Pass over to the acmeHandler to deal with the communication
+	acmeHandler.HandleRenewCertificate(w, r)
+
+	if dynamicProxyRouter.Option.Port == 443 {
+		if !isForceHttpsRedirectEnabledOriginally {
+			//Default is off. Turn the redirection off
+			log.Println("Restoring HTTP to HTTPS redirect settings")
+			dynamicProxyRouter.UpdateHttpToHttpsRedirectSetting(false)
+		}
+	}
+}

src/api.go

@@ -59,6 +59,7 @@ func initAPIs() {
 	authRouter.HandleFunc("/api/cert/tlsRequireLatest", handleSetTlsRequireLatest)
 	authRouter.HandleFunc("/api/cert/upload", handleCertUpload)
 	authRouter.HandleFunc("/api/cert/list", handleListCertificate)
+	authRouter.HandleFunc("/api/cert/listdomains", handleListDomains)
 	authRouter.HandleFunc("/api/cert/checkDefault", handleDefaultCertCheck)
 	authRouter.HandleFunc("/api/cert/delete", handleCertRemove)
 
@@ -135,6 +136,7 @@ func initAPIs() {
 	authRouter.HandleFunc("/api/tools/ipscan", HandleIpScan)
 	authRouter.HandleFunc("/api/tools/traceroute", netutils.HandleTraceRoute)
 	authRouter.HandleFunc("/api/tools/ping", netutils.HandlePing)
+	authRouter.HandleFunc("/api/tools/whois", netutils.HandleWhois)
 	authRouter.HandleFunc("/api/tools/webssh", HandleCreateProxySession)
 	authRouter.HandleFunc("/api/tools/websshSupported", HandleWebSshSupportCheck)
 	authRouter.HandleFunc("/api/tools/wol", HandleWakeOnLan)
@@ -150,6 +152,15 @@ func initAPIs() {
 	//Others
 	http.HandleFunc("/api/info/x", HandleZoraxyInfo)
 
+	//ACME & Auto Renewer
+	authRouter.HandleFunc("/api/acme/listExpiredDomains", acmeHandler.HandleGetExpiredDomains)
+	authRouter.HandleFunc("/api/acme/obtainCert", AcmeCheckAndHandleRenewCertificate)
+	authRouter.HandleFunc("/api/acme/autoRenew/enable", acmeAutoRenewer.HandleAutoRenewEnable)
+	authRouter.HandleFunc("/api/acme/autoRenew/email", acmeAutoRenewer.HandleACMEEmail)
+	authRouter.HandleFunc("/api/acme/autoRenew/setDomains", acmeAutoRenewer.HandleSetAutoRenewDomains)
+	authRouter.HandleFunc("/api/acme/autoRenew/listDomains", acmeAutoRenewer.HandleLoadAutoRenewDomains)
+	authRouter.HandleFunc("/api/acme/autoRenew/renewNow", acmeAutoRenewer.HandleRenewNow)
+
 	//If you got APIs to add, append them here
 }
 

src/cert.go

@@ -10,6 +10,8 @@ import (
 	"net/http"
 	"os"
 	"path/filepath"
+	"strings"
+	"time"
 
 	"imuslab.com/zoraxy/mod/utils"
 )
@@ -44,6 +46,7 @@ func handleListCertificate(w http.ResponseWriter, r *http.Request) {
 			Domain           string
 			LastModifiedDate string
 			ExpireDate       string
+			RemainingDays    int
 		}
 
 		results := []*CertInfo{}
@@ -60,6 +63,7 @@ func handleListCertificate(w http.ResponseWriter, r *http.Request) {
 
 			certExpireTime := "Unknown"
 			certBtyes, err := os.ReadFile(certFilepath)
+			expiredIn := 0
 			if err != nil {
 				//Unable to load this file
 				continue
@@ -70,6 +74,11 @@ func handleListCertificate(w http.ResponseWriter, r *http.Request) {
 					cert, err := x509.ParseCertificate(block.Bytes)
 					if err == nil {
 						certExpireTime = cert.NotAfter.Format("2006-01-02 15:04:05")
+
+						duration := cert.NotAfter.Sub(time.Now())
+
+						// Convert the duration to days
+						expiredIn = int(duration.Hours() / 24)
 					}
 				}
 			}
@@ -78,6 +87,7 @@ func handleListCertificate(w http.ResponseWriter, r *http.Request) {
 				Domain:           filename,
 				LastModifiedDate: modifiedTime,
 				ExpireDate:       certExpireTime,
+				RemainingDays:    expiredIn,
 			}
 
 			results = append(results, &thisCertInfo)
@@ -99,6 +109,64 @@ func handleListCertificate(w http.ResponseWriter, r *http.Request) {
 
 }
 
+// List all certificates and map all their domains to the cert filename
+func handleListDomains(w http.ResponseWriter, r *http.Request) {
+	filenames, err := os.ReadDir("./certs/")
+
+	if err != nil {
+		utils.SendErrorResponse(w, err.Error())
+		return
+	}
+
+	certnameToDomainMap := map[string]string{}
+	for _, filename := range filenames {
+		if filename.IsDir() {
+			continue
+		}
+		certFilepath := filepath.Join("./certs/", filename.Name())
+
+		certBtyes, err := os.ReadFile(certFilepath)
+		if err != nil {
+			// Unable to load this file
+			log.Println("Unable to load certificate: " + certFilepath)
+			continue
+		} else {
+			// Cert loaded. Check its expiry time
+			block, _ := pem.Decode(certBtyes)
+			if block != nil {
+				cert, err := x509.ParseCertificate(block.Bytes)
+				if err == nil {
+					certname := strings.TrimSuffix(filepath.Base(certFilepath), filepath.Ext(certFilepath))
+					for _, dnsName := range cert.DNSNames {
+						certnameToDomainMap[dnsName] = certname
+					}
+					certnameToDomainMap[cert.Subject.CommonName] = certname
+				}
+			}
+		}
+	}
+
+	requireCompact, _ := utils.GetPara(r, "compact")
+	if requireCompact == "true" {
+		result := make(map[string][]string)
+
+		for key, value := range certnameToDomainMap {
+			if _, ok := result[value]; !ok {
+				result[value] = make([]string, 0)
+			}
+
+			result[value] = append(result[value], key)
+		}
+
+		js, _ := json.Marshal(result)
+		utils.SendJSONResponse(w, string(js))
+		return
+	}
+
+	js, _ := json.Marshal(certnameToDomainMap)
+	utils.SendJSONResponse(w, string(js))
+}
+
 // Handle front-end toggling TLS mode
 func handleToggleTLSProxy(w http.ResponseWriter, r *http.Request) {
 	currentTlsSetting := false

src/go.mod

@@ -4,14 +4,16 @@ go 1.16
 
 require (
 	github.com/boltdb/bolt v1.3.1
+	github.com/go-acme/lego/v4 v4.12.1 // indirect
 	github.com/go-ping/ping v1.1.0
 	github.com/google/uuid v1.3.0
 	github.com/gorilla/sessions v1.2.1
 	github.com/gorilla/websocket v1.4.2
 	github.com/grandcat/zeroconf v1.0.0
+	github.com/likexian/whois v1.15.0 // indirect
 	github.com/microcosm-cc/bluemonday v1.0.24
 	github.com/oschwald/geoip2-golang v1.8.0
 	github.com/satori/go.uuid v1.2.0
-	golang.org/x/net v0.10.0
+	golang.org/x/net v0.11.0
-	golang.org/x/sys v0.8.0
+	golang.org/x/sys v0.9.0
 )

src/main.go

@@ -12,6 +12,7 @@ import (
 	"time"
 
 	"github.com/google/uuid"
+	"imuslab.com/zoraxy/mod/acme"
 	"imuslab.com/zoraxy/mod/aroz"
 	"imuslab.com/zoraxy/mod/auth"
 	"imuslab.com/zoraxy/mod/database"
@@ -37,11 +38,12 @@ var showver = flag.Bool("version", false, "Show version of this server")
 var allowSshLoopback = flag.Bool("sshlb", false, "Allow loopback web ssh connection (DANGER)")
 var ztAuthToken = flag.String("ztauth", "", "ZeroTier authtoken for the local node")
 var ztAPIPort = flag.Int("ztport", 9993, "ZeroTier controller API port")
+var acmeAutoRenewInterval = flag.Int("autorenew", 86400, "ACME auto TLS/SSL certificate renew check interval (seconds)")
 var (
 	name        = "Zoraxy"
-	version     = "2.6.4"
+	version     = "2.6.5"
 	nodeUUID    = "generic"
-	development = false //Set this to false to use embedded web fs
+	development = true //Set this to false to use embedded web fs
 	bootTime    = time.Now().Unix()
 
 	/*
@@ -67,6 +69,8 @@ var (
 	ganManager         *ganserv.NetworkManager //Global Area Network Manager
 	webSshManager      *sshprox.Manager        //Web SSH connection service
 	tcpProxyManager    *tcpprox.Manager        //TCP Proxy Manager
+	acmeHandler        *acme.ACMEHandler       //Handler for ACME Certificate renew
+	acmeAutoRenewer    *acme.AutoRenewer       //Handler for ACME auto renew ticking
 
 	//Helper modules
 	EmailSender    *email.Sender        //Email sender that handle email sending

src/mod/acme/acme.go

@@ -0,0 +1,288 @@
+package acme
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"encoding/json"
+	"encoding/pem"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"log"
+	"net"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/go-acme/lego/v4/certcrypto"
+	"github.com/go-acme/lego/v4/certificate"
+	"github.com/go-acme/lego/v4/challenge/http01"
+	"github.com/go-acme/lego/v4/lego"
+	"github.com/go-acme/lego/v4/registration"
+	"imuslab.com/zoraxy/mod/utils"
+)
+
+// ACMEUser represents a user in the ACME system.
+type ACMEUser struct {
+	Email        string
+	Registration *registration.Resource
+	key          crypto.PrivateKey
+}
+
+// GetEmail returns the email of the ACMEUser.
+func (u *ACMEUser) GetEmail() string {
+	return u.Email
+}
+
+// GetRegistration returns the registration resource of the ACMEUser.
+func (u ACMEUser) GetRegistration() *registration.Resource {
+	return u.Registration
+}
+
+// GetPrivateKey returns the private key of the ACMEUser.
+func (u *ACMEUser) GetPrivateKey() crypto.PrivateKey {
+	return u.key
+}
+
+// ACMEHandler handles ACME-related operations.
+type ACMEHandler struct {
+	DefaultAcmeServer string
+	Port              string
+}
+
+// NewACME creates a new ACMEHandler instance.
+func NewACME(acmeServer string, port string) *ACMEHandler {
+	return &ACMEHandler{
+		DefaultAcmeServer: acmeServer,
+		Port:              port,
+	}
+}
+
+// ObtainCert obtains a certificate for the specified domains.
+func (a *ACMEHandler) ObtainCert(domains []string, certificateName string, email string, ca string) (bool, error) {
+	log.Println("[ACME] Obtaining certificate...")
+
+	// generate private key
+	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		log.Println(err)
+		return false, err
+	}
+
+	// create a admin user for our new generation
+	adminUser := ACMEUser{
+		Email: email,
+		key:   privateKey,
+	}
+
+	// create config
+	config := lego.NewConfig(&adminUser)
+
+	// setup who is the issuer and the key type
+	config.CADirURL = a.DefaultAcmeServer
+
+	//Overwrite the CADir URL if set
+	if ca != "" {
+		caLinkOverwrite, err := loadCAApiServerFromName(ca)
+		if err == nil {
+			config.CADirURL = caLinkOverwrite
+			log.Println("[INFO] Using " + caLinkOverwrite + " for CA Directory URL")
+		} else {
+			return false, errors.New("CA " + ca + " is not supported. Please contribute to the source code and add this CA's directory link.")
+		}
+	}
+
+	config.Certificate.KeyType = certcrypto.RSA2048
+
+	client, err := lego.NewClient(config)
+	if err != nil {
+		log.Println(err)
+		return false, err
+	}
+
+	// setup how to receive challenge
+	err = client.Challenge.SetHTTP01Provider(http01.NewProviderServer("", a.Port))
+	if err != nil {
+		log.Println(err)
+		return false, err
+	}
+
+	// New users will need to register
+	reg, err := client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
+	if err != nil {
+		log.Println(err)
+		return false, err
+	}
+	adminUser.Registration = reg
+
+	// obtain the certificate
+	request := certificate.ObtainRequest{
+		Domains: domains,
+		Bundle:  true,
+	}
+	certificates, err := client.Certificate.Obtain(request)
+	if err != nil {
+		log.Println(err)
+		return false, err
+	}
+
+	// Each certificate comes back with the cert bytes, the bytes of the client's
+	// private key, and a certificate URL.
+	err = ioutil.WriteFile("./certs/"+certificateName+".crt", certificates.Certificate, 0777)
+	if err != nil {
+		log.Println(err)
+		return false, err
+	}
+	err = ioutil.WriteFile("./certs/"+certificateName+".key", certificates.PrivateKey, 0777)
+	if err != nil {
+		log.Println(err)
+		return false, err
+	}
+
+	return true, nil
+}
+
+// CheckCertificate returns a list of domains that are in expired certificates.
+// It will return all domains that is in expired certificates
+// *** if there is a vaild certificate contains the domain and there is a expired certificate contains the same domain
+// it will said expired as well!
+func (a *ACMEHandler) CheckCertificate() []string {
+	// read from dir
+	filenames, err := os.ReadDir("./certs/")
+
+	expiredCerts := []string{}
+
+	if err != nil {
+		log.Println(err)
+		return []string{}
+	}
+
+	for _, filename := range filenames {
+		certFilepath := filepath.Join("./certs/", filename.Name())
+
+		certBytes, err := os.ReadFile(certFilepath)
+		if err != nil {
+			// Unable to load this file
+			continue
+		} else {
+			// Cert loaded. Check its expiry time
+			block, _ := pem.Decode(certBytes)
+			if block != nil {
+				cert, err := x509.ParseCertificate(block.Bytes)
+				if err == nil {
+					elapsed := time.Since(cert.NotAfter)
+					if elapsed > 0 {
+						// if it is expired then add it in
+						// make sure it's uniqueless
+						for _, dnsName := range cert.DNSNames {
+							if !contains(expiredCerts, dnsName) {
+								expiredCerts = append(expiredCerts, dnsName)
+							}
+						}
+						if !contains(expiredCerts, cert.Subject.CommonName) {
+							expiredCerts = append(expiredCerts, cert.Subject.CommonName)
+						}
+					}
+				}
+			}
+		}
+	}
+
+	return expiredCerts
+}
+
+// return the current port number
+func (a *ACMEHandler) Getport() string {
+	return a.Port
+}
+
+// contains checks if a string is present in a slice.
+func contains(slice []string, str string) bool {
+	for _, s := range slice {
+		if s == str {
+			return true
+		}
+	}
+	return false
+}
+
+// HandleGetExpiredDomains handles the HTTP GET request to retrieve the list of expired domains.
+// It calls the CheckCertificate method to obtain the expired domains and sends a JSON response
+// containing the list of expired domains.
+func (a *ACMEHandler) HandleGetExpiredDomains(w http.ResponseWriter, r *http.Request) {
+	type ExpiredDomains struct {
+		Domain []string `json:"domain"`
+	}
+
+	info := ExpiredDomains{
+		Domain: a.CheckCertificate(),
+	}
+
+	js, _ := json.MarshalIndent(info, "", " ")
+	utils.SendJSONResponse(w, string(js))
+}
+
+// HandleRenewCertificate handles the HTTP GET request to renew a certificate for the provided domains.
+// It retrieves the domains and filename parameters from the request, calls the ObtainCert method
+// to renew the certificate, and sends a JSON response indicating the result of the renewal process.
+func (a *ACMEHandler) HandleRenewCertificate(w http.ResponseWriter, r *http.Request) {
+	domainPara, err := utils.PostPara(r, "domains")
+	if err != nil {
+		utils.SendErrorResponse(w, jsonEscape(err.Error()))
+		return
+	}
+
+	filename, err := utils.PostPara(r, "filename")
+	if err != nil {
+		utils.SendErrorResponse(w, jsonEscape(err.Error()))
+		return
+	}
+
+	email, err := utils.PostPara(r, "email")
+	if err != nil {
+		utils.SendErrorResponse(w, jsonEscape(err.Error()))
+		return
+	}
+
+	ca, err := utils.PostPara(r, "ca")
+	if err != nil {
+		log.Println("CA not set. Using default (Let's Encrypt)")
+		ca = "Let's Encrypt"
+	}
+
+	domains := strings.Split(domainPara, ",")
+	result, err := a.ObtainCert(domains, filename, email, ca)
+	if err != nil {
+		utils.SendErrorResponse(w, jsonEscape(err.Error()))
+		return
+	}
+	utils.SendJSONResponse(w, strconv.FormatBool(result))
+}
+
+// Escape JSON string
+func jsonEscape(i string) string {
+	b, err := json.Marshal(i)
+	if err != nil {
+		log.Println("Unable to escape json data: " + err.Error())
+		return i
+	}
+	s := string(b)
+	return s[1 : len(s)-1]
+}
+
+// Helper function to check if a port is in use
+func IsPortInUse(port int) bool {
+	address := fmt.Sprintf(":%d", port)
+	listener, err := net.Listen("tcp", address)
+	if err != nil {
+		return true // Port is in use
+	}
+	defer listener.Close()
+	return false // Port is not in use
+}

src/mod/acme/acme_test.go

@@ -0,0 +1,24 @@
+package acme_test
+
+import (
+	"fmt"
+	"testing"
+
+	"imuslab.com/zoraxy/mod/acme"
+)
+
+// Test if the issuer extraction is working
+func TestExtractIssuerNameFromPEM(t *testing.T) {
+	pemFilePath := "test/stackoverflow.pem"
+	expectedIssuer := "Let's Encrypt"
+
+	issuerName, err := acme.ExtractIssuerNameFromPEM(pemFilePath)
+	fmt.Println(issuerName)
+	if err != nil {
+		t.Errorf("Error extracting issuer name: %v", err)
+	}
+
+	if issuerName != expectedIssuer {
+		t.Errorf("Unexpected issuer name. Expected: %s, Got: %s", expectedIssuer, issuerName)
+	}
+}

src/mod/acme/autorenew.go

@@ -0,0 +1,348 @@
+package acme
+
+import (
+	"encoding/json"
+	"errors"
+	"log"
+	"net/http"
+	"net/mail"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"imuslab.com/zoraxy/mod/utils"
+)
+
+/*
+	autorenew.go
+
+	This script handle auto renew
+*/
+
+type AutoRenewConfig struct {
+	Enabled      bool     //Automatic renew is enabled
+	Email        string   //Email for acme
+	RenewAll     bool     //Renew all or selective renew with the slice below
+	FilesToRenew []string //If RenewAll is false, renew these certificate files
+}
+
+type AutoRenewer struct {
+	ConfigFilePath    string
+	CertFolder        string
+	AcmeHandler       *ACMEHandler
+	RenewerConfig     *AutoRenewConfig
+	RenewTickInterval int64
+	TickerstopChan    chan bool
+}
+
+type ExpiredCerts struct {
+	Domains  []string
+	Filepath string
+	CA       string
+}
+
+// Create an auto renew agent, require config filepath and auto scan & renew interval (seconds)
+// Set renew check interval to 0 for auto (1 day)
+func NewAutoRenewer(config string, certFolder string, renewCheckInterval int64, AcmeHandler *ACMEHandler) (*AutoRenewer, error) {
+	if renewCheckInterval == 0 {
+		renewCheckInterval = 86400 //1 day
+	}
+
+	//Load the config file. If not found, create one
+	if !utils.FileExists(config) {
+		//Create one
+		os.MkdirAll(filepath.Dir(config), 0775)
+		newConfig := AutoRenewConfig{
+			RenewAll:     true,
+			FilesToRenew: []string{},
+		}
+		js, _ := json.MarshalIndent(newConfig, "", " ")
+		err := os.WriteFile(config, js, 0775)
+		if err != nil {
+			return nil, errors.New("Failed to create acme auto renewer config: " + err.Error())
+		}
+	}
+
+	renewerConfig := AutoRenewConfig{}
+	content, err := os.ReadFile(config)
+	if err != nil {
+		return nil, errors.New("Failed to open acme auto renewer config: " + err.Error())
+	}
+
+	err = json.Unmarshal(content, &renewerConfig)
+	if err != nil {
+		return nil, errors.New("Malformed acme config file: " + err.Error())
+	}
+
+	//Create an Auto renew object
+	thisRenewer := AutoRenewer{
+		ConfigFilePath:    config,
+		CertFolder:        certFolder,
+		AcmeHandler:       AcmeHandler,
+		RenewerConfig:     &renewerConfig,
+		RenewTickInterval: renewCheckInterval,
+	}
+
+	if thisRenewer.RenewerConfig.Enabled {
+		//Start the renew ticker
+		thisRenewer.StartAutoRenewTicker()
+
+		//Check and renew certificate on startup
+		go thisRenewer.CheckAndRenewCertificates()
+	}
+
+	return &thisRenewer, nil
+}
+
+func (a *AutoRenewer) StartAutoRenewTicker() {
+	//Stop the previous ticker if still running
+	if a.TickerstopChan != nil {
+		a.TickerstopChan <- true
+	}
+
+	time.Sleep(1 * time.Second)
+
+	ticker := time.NewTicker(time.Duration(a.RenewTickInterval) * time.Second)
+	done := make(chan bool)
+
+	//Start the ticker to check and renew every x seconds
+	go func(a *AutoRenewer) {
+		for {
+			select {
+			case <-done:
+				return
+			case <-ticker.C:
+				log.Println("Check and renew certificates in progress")
+				a.CheckAndRenewCertificates()
+			}
+		}
+	}(a)
+
+	a.TickerstopChan = done
+}
+
+func (a *AutoRenewer) StopAutoRenewTicker() {
+	if a.TickerstopChan != nil {
+		a.TickerstopChan <- true
+	}
+
+	a.TickerstopChan = nil
+}
+
+// Handle update auto renew domains
+// Set opr for different mode of operations
+// opr = setSelected -> Enter a list of file names (or matching rules) for auto renew
+// opr = setAuto -> Set to use auto detect certificates and renew
+func (a *AutoRenewer) HandleSetAutoRenewDomains(w http.ResponseWriter, r *http.Request) {
+	opr, err := utils.GetPara(r, "opr")
+	if err != nil {
+		utils.SendErrorResponse(w, "Operation not set")
+		return
+	}
+
+	if opr == "setSelected" {
+		files, err := utils.PostPara(r, "domains")
+		if err != nil {
+			utils.SendErrorResponse(w, "Domains is not defined")
+			return
+		}
+
+		//Parse it int array of string
+		matchingRuleFiles := []string{}
+		err = json.Unmarshal([]byte(files), &matchingRuleFiles)
+		if err != nil {
+			utils.SendErrorResponse(w, err.Error())
+			return
+		}
+
+		//Update the configs
+		a.RenewerConfig.RenewAll = false
+		a.RenewerConfig.FilesToRenew = matchingRuleFiles
+		a.saveRenewConfigToFile()
+		utils.SendOK(w)
+	} else if opr == "setAuto" {
+		a.RenewerConfig.RenewAll = true
+		a.saveRenewConfigToFile()
+		utils.SendOK(w)
+	}
+
+}
+
+// if auto renew all is true (aka auto scan), it will return []string{"*"}
+func (a *AutoRenewer) HandleLoadAutoRenewDomains(w http.ResponseWriter, r *http.Request) {
+	results := []string{}
+	if a.RenewerConfig.RenewAll {
+		//Auto pick which cert to renew.
+		results = append(results, "*")
+	} else {
+		//Manually set the files to renew
+		results = a.RenewerConfig.FilesToRenew
+	}
+
+	js, _ := json.Marshal(results)
+	utils.SendJSONResponse(w, string(js))
+}
+
+func (a *AutoRenewer) HandleRenewNow(w http.ResponseWriter, r *http.Request) {
+
+}
+
+func (a *AutoRenewer) HandleAutoRenewEnable(w http.ResponseWriter, r *http.Request) {
+	val, err := utils.PostPara(r, "enable")
+	if err != nil {
+		js, _ := json.Marshal(a.RenewerConfig.Enabled)
+		utils.SendJSONResponse(w, string(js))
+	} else {
+		if val == "true" {
+			//Check if the email is not empty
+			if a.RenewerConfig.Email == "" {
+				utils.SendErrorResponse(w, "Email is not set")
+				return
+			}
+
+			a.RenewerConfig.Enabled = true
+			a.saveRenewConfigToFile()
+			log.Println("[ACME] ACME auto renew enabled")
+			a.StartAutoRenewTicker()
+		} else {
+			a.RenewerConfig.Enabled = false
+			a.saveRenewConfigToFile()
+			log.Println("[ACME] ACME auto renew disabled")
+			a.StopAutoRenewTicker()
+		}
+	}
+}
+
+func (a *AutoRenewer) HandleACMEEmail(w http.ResponseWriter, r *http.Request) {
+
+	email, err := utils.PostPara(r, "set")
+	if err != nil {
+		//Return the current email to user
+		js, _ := json.Marshal(a.RenewerConfig.Email)
+		utils.SendJSONResponse(w, string(js))
+	} else {
+		//Check if the email is valid
+		_, err := mail.ParseAddress(email)
+		if err != nil {
+			utils.SendErrorResponse(w, err.Error())
+			return
+		}
+
+		//Set the new config
+		a.RenewerConfig.Email = email
+		a.saveRenewConfigToFile()
+	}
+
+}
+
+// Check and renew certificates. This check all the certificates in the
+// certificate folder and return a list of certs that is renewed in this call
+// Return string array with length 0 when no cert is expired
+func (a *AutoRenewer) CheckAndRenewCertificates() ([]string, error) {
+	certFolder := a.CertFolder
+	files, err := os.ReadDir(certFolder)
+	if err != nil {
+		log.Println("Unable to renew certificates: " + err.Error())
+		return []string{}, err
+	}
+
+	expiredCertList := []*ExpiredCerts{}
+	if a.RenewerConfig.RenewAll {
+		//Scan and renew all
+		for _, file := range files {
+			if filepath.Ext(file.Name()) == ".crt" || filepath.Ext(file.Name()) == ".pem" {
+				//This is a public key file
+				certBytes, err := os.ReadFile(filepath.Join(certFolder, file.Name()))
+				if err != nil {
+					continue
+				}
+				if CertExpireSoon(certBytes) || CertIsExpired(certBytes) {
+					//This cert is expired
+					CAName, err := ExtractIssuerName(certBytes)
+					if err != nil {
+						//Maybe self signed. Ignore this
+						log.Println("Unable to extract issuer name for cert " + file.Name())
+						continue
+					}
+
+					DNSName, err := ExtractDomains(certBytes)
+					if err != nil {
+						//Maybe self signed. Ignore this
+						log.Println("Encounted error when trying to resolve DNS name for cert " + file.Name())
+						continue
+					}
+
+					expiredCertList = append(expiredCertList, &ExpiredCerts{
+						Filepath: filepath.Join(certFolder, file.Name()),
+						CA:       CAName,
+						Domains:  DNSName,
+					})
+				}
+			}
+		}
+	} else {
+		//Only renew those in the list
+		for _, file := range files {
+			fileName := file.Name()
+			certName := fileName[:len(fileName)-len(filepath.Ext(fileName))]
+			if contains(a.RenewerConfig.FilesToRenew, certName) {
+				//This is the one to auto renew
+				certBytes, err := os.ReadFile(filepath.Join(certFolder, file.Name()))
+				if err != nil {
+					continue
+				}
+				if CertExpireSoon(certBytes) || CertIsExpired(certBytes) {
+					//This cert is expired
+					CAName, err := ExtractIssuerName(certBytes)
+					if err != nil {
+						//Maybe self signed. Ignore this
+						log.Println("Unable to extract issuer name for cert " + file.Name())
+						continue
+					}
+
+					DNSName, err := ExtractDomains(certBytes)
+					if err != nil {
+						//Maybe self signed. Ignore this
+						log.Println("Encounted error when trying to resolve DNS name for cert " + file.Name())
+						continue
+					}
+
+					expiredCertList = append(expiredCertList, &ExpiredCerts{
+						Filepath: filepath.Join(certFolder, file.Name()),
+						CA:       CAName,
+						Domains:  DNSName,
+					})
+				}
+			}
+		}
+	}
+
+	return a.renewExpiredDomains(expiredCertList)
+}
+
+// Renew the certificate by filename extract all DNS name from the
+// certificate and renew them one by one by calling to the acmeHandler
+func (a *AutoRenewer) renewExpiredDomains(certs []*ExpiredCerts) ([]string, error) {
+	renewedCertFiles := []string{}
+	for _, expiredCert := range certs {
+		log.Println("Renewing " + expiredCert.Filepath + " (Might take a few minutes)")
+		fileName := filepath.Base(expiredCert.Filepath)
+		certName := fileName[:len(fileName)-len(filepath.Ext(fileName))]
+		_, err := a.AcmeHandler.ObtainCert(expiredCert.Domains, certName, a.RenewerConfig.Email, expiredCert.CA)
+		if err != nil {
+			log.Println("Renew " + fileName + "(" + strings.Join(expiredCert.Domains, ",") + ") failed: " + err.Error())
+		} else {
+			log.Println("Successfully renewed " + filepath.Base(expiredCert.Filepath))
+			renewedCertFiles = append(renewedCertFiles, filepath.Base(expiredCert.Filepath))
+		}
+	}
+
+	return renewedCertFiles, nil
+}
+
+// Write the current renewer config to file
+func (a *AutoRenewer) saveRenewConfigToFile() error {
+	js, _ := json.MarshalIndent(a.RenewerConfig, "", " ")
+	return os.WriteFile(a.ConfigFilePath, js, 0775)
+}

src/mod/acme/ca.go

@@ -0,0 +1,45 @@
+package acme
+
+/*
+	CA.go
+
+	This script load CA defination from embedded ca.json
+*/
+import (
+	_ "embed"
+	"encoding/json"
+	"errors"
+	"log"
+)
+
+// CA Defination, load from embeded json when startup
+type CaDef struct {
+	Production map[string]string
+	Test       map[string]string
+}
+
+//go:embed ca.json
+var caJson []byte
+
+var caDef CaDef = CaDef{}
+
+func init() {
+	runtimeCaDef := CaDef{}
+	err := json.Unmarshal(caJson, &runtimeCaDef)
+	if err != nil {
+		log.Println("[ERR] Unable to unmarshal CA def from embedded file. You sure your ca.json is valid?")
+		return
+	}
+
+	caDef = runtimeCaDef
+
+}
+
+// Get the CA ACME server endpoint and error if not found
+func loadCAApiServerFromName(caName string) (string, error) {
+	val, ok := caDef.Production[caName]
+	if !ok {
+		return "", errors.New("This CA is not supported")
+	}
+	return val, nil
+}

src/mod/acme/ca.json

@@ -0,0 +1,15 @@
+{
+    "production": {
+        "Let's Encrypt": "https://acme-v02.api.letsencrypt.org/directory",
+        "Buypass": "https://api.buypass.com/acme/directory",
+        "ZeroSSL": "https://acme.zerossl.com/v2/DV90",
+        "Google": "https://dv.acme-v02.api.pki.goog/directory"
+    },
+    "test":{
+        "Let's Encrypt": "https://acme-staging-v02.api.letsencrypt.org/directory",
+        "Buypass": "https://api.test4.buypass.no/acme/directory",
+        "Google": "https://dv.acme-v02.test-api.pki.goog/directory"
+    }
+  }
+  
+  

src/mod/acme/utils.go

@@ -0,0 +1,94 @@
+package acme
+
+import (
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"time"
+)
+
+// Get the issuer name from pem file
+func ExtractIssuerNameFromPEM(pemFilePath string) (string, error) {
+	// Read the PEM file
+	pemData, err := ioutil.ReadFile(pemFilePath)
+	if err != nil {
+		return "", err
+	}
+
+	return ExtractIssuerName(pemData)
+}
+
+// Get the DNSName in the cert
+func ExtractDomains(certBytes []byte) ([]string, error) {
+	domains := []string{}
+	block, _ := pem.Decode(certBytes)
+	if block != nil {
+		cert, err := x509.ParseCertificate(block.Bytes)
+		if err != nil {
+			return []string{}, err
+		}
+		for _, dnsName := range cert.DNSNames {
+			if !contains(domains, dnsName) {
+				domains = append(domains, dnsName)
+			}
+		}
+
+		return domains, nil
+	}
+	return []string{}, errors.New("decode cert bytes failed")
+}
+
+func ExtractIssuerName(certBytes []byte) (string, error) {
+	// Parse the PEM block
+	block, _ := pem.Decode(certBytes)
+	if block == nil || block.Type != "CERTIFICATE" {
+		return "", fmt.Errorf("failed to decode PEM block containing certificate")
+	}
+
+	// Parse the certificate
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return "", fmt.Errorf("failed to parse certificate: %v", err)
+	}
+
+	// Extract the issuer name
+	issuer := cert.Issuer.Organization[0]
+
+	return issuer, nil
+}
+
+// Check if a cert is expired by public key
+func CertIsExpired(certBytes []byte) bool {
+	block, _ := pem.Decode(certBytes)
+	if block != nil {
+		cert, err := x509.ParseCertificate(block.Bytes)
+		if err == nil {
+			elapsed := time.Since(cert.NotAfter)
+			if elapsed > 0 {
+				// if it is expired then add it in
+				// make sure it's uniqueless
+				return true
+			}
+		}
+	}
+	return false
+}
+
+func CertExpireSoon(certBytes []byte) bool {
+	block, _ := pem.Decode(certBytes)
+	if block != nil {
+		cert, err := x509.ParseCertificate(block.Bytes)
+		if err == nil {
+			expirationDate := cert.NotAfter
+			threshold := 14 * 24 * time.Hour // 14 days
+
+			timeRemaining := time.Until(expirationDate)
+			if timeRemaining <= threshold {
+				return true
+			}
+		}
+	}
+	return false
+}

src/mod/netutils/netutils.go

@@ -3,9 +3,11 @@ package netutils
 import (
 	"encoding/json"
 	"fmt"
+	"net"
 	"net/http"
 	"strconv"
 
+	"github.com/likexian/whois"
 	"imuslab.com/zoraxy/mod/utils"
 )
 
@@ -46,6 +48,50 @@ func TraceRoute(targetIpOrDomain string, maxHops int) ([]string, error) {
 	return traceroute(targetIpOrDomain, maxHops)
 }
 
+func HandleWhois(w http.ResponseWriter, r *http.Request) {
+	targetIpOrDomain, err := utils.GetPara(r, "target")
+	if err != nil {
+		utils.SendErrorResponse(w, "invalid target (domain or ip) address given")
+		return
+	}
+
+	raw, _ := utils.GetPara(r, "raw")
+
+	result, err := whois.Whois(targetIpOrDomain)
+	if err != nil {
+		utils.SendErrorResponse(w, err.Error())
+		return
+	}
+
+	if raw == "true" {
+		utils.SendTextResponse(w, result)
+	} else {
+		if isDomainName(targetIpOrDomain) {
+			//Is Domain
+			parsedOutput, err := ParseWHOISResponse(result)
+			if err != nil {
+				utils.SendErrorResponse(w, err.Error())
+				return
+			}
+
+			js, _ := json.Marshal(parsedOutput)
+			utils.SendJSONResponse(w, string(js))
+		} else {
+			//Is IP
+			parsedOutput, err := ParseWhoisIpData(result)
+			if err != nil {
+				utils.SendErrorResponse(w, err.Error())
+				return
+			}
+
+			js, _ := json.Marshal(parsedOutput)
+			utils.SendJSONResponse(w, string(js))
+		}
+
+	}
+
+}
+
 func HandlePing(w http.ResponseWriter, r *http.Request) {
 	targetIpOrDomain, err := utils.GetPara(r, "target")
 	if err != nil {
@@ -53,13 +99,44 @@ func HandlePing(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	results := []string{}
+	type MixedPingResults struct {
+		ICMP []string
+		TCP  []string
+		UDP  []string
+	}
+
+	results := MixedPingResults{
+		ICMP: []string{},
+		TCP:  []string{},
+		UDP:  []string{},
+	}
+
+	//Ping ICMP
 	for i := 0; i < 4; i++ {
 		realIP, pingTime, ttl, err := PingIP(targetIpOrDomain)
 		if err != nil {
-			results = append(results, "Reply from "+realIP+": "+err.Error())
+			results.ICMP = append(results.ICMP, "Reply from "+realIP+": "+err.Error())
 		} else {
-			results = append(results, fmt.Sprintf("Reply from %s: Time=%dms TTL=%d", realIP, pingTime.Milliseconds(), ttl))
+			results.ICMP = append(results.ICMP, fmt.Sprintf("Reply from %s: Time=%dms TTL=%d", realIP, pingTime.Milliseconds(), ttl))
+		}
+	}
+
+	//Ping TCP
+	for i := 0; i < 4; i++ {
+		pingTime, err := TCPPing(targetIpOrDomain)
+		if err != nil {
+			results.TCP = append(results.TCP, "Reply from "+resolveIpFromDomain(targetIpOrDomain)+": "+err.Error())
+		} else {
+			results.TCP = append(results.TCP, fmt.Sprintf("Reply from %s: Time=%dms", resolveIpFromDomain(targetIpOrDomain), pingTime.Milliseconds()))
+		}
+	}
+	//Ping UDP
+	for i := 0; i < 4; i++ {
+		pingTime, err := UDPPing(targetIpOrDomain)
+		if err != nil {
+			results.UDP = append(results.UDP, "Reply from "+resolveIpFromDomain(targetIpOrDomain)+": "+err.Error())
+		} else {
+			results.UDP = append(results.UDP, fmt.Sprintf("Reply from %s: Time=%dms", resolveIpFromDomain(targetIpOrDomain), pingTime.Milliseconds()))
 		}
 	}
 
@@ -67,3 +144,16 @@ func HandlePing(w http.ResponseWriter, r *http.Request) {
 	utils.SendJSONResponse(w, string(js))
 
 }
+
+func resolveIpFromDomain(targetIpOrDomain string) string {
+	//Resolve target ip address
+	targetIpAddrString := ""
+	ipAddr, err := net.ResolveIPAddr("ip", targetIpOrDomain)
+	if err != nil {
+		targetIpAddrString = targetIpOrDomain
+	} else {
+		targetIpAddrString = ipAddr.IP.String()
+	}
+
+	return targetIpAddrString
+}

src/mod/netutils/pingip.go

@@ -6,6 +6,39 @@ import (
 	"time"
 )
 
+// TCP ping
+func TCPPing(ipOrDomain string) (time.Duration, error) {
+	start := time.Now()
+
+	conn, err := net.DialTimeout("tcp", ipOrDomain+":80", 3*time.Second)
+	if err != nil {
+		return 0, fmt.Errorf("failed to establish TCP connection: %v", err)
+	}
+	defer conn.Close()
+
+	elapsed := time.Since(start)
+	pingTime := elapsed.Round(time.Millisecond)
+
+	return pingTime, nil
+}
+
+// UDP Ping
+func UDPPing(ipOrDomain string) (time.Duration, error) {
+	start := time.Now()
+
+	conn, err := net.DialTimeout("udp", ipOrDomain+":80", 3*time.Second)
+	if err != nil {
+		return 0, fmt.Errorf("failed to establish UDP connection: %v", err)
+	}
+	defer conn.Close()
+
+	elapsed := time.Since(start)
+	pingTime := elapsed.Round(time.Millisecond)
+
+	return pingTime, nil
+}
+
+// Traditional ICMP ping
 func PingIP(ipOrDomain string) (string, time.Duration, int, error) {
 	ipAddr, err := net.ResolveIPAddr("ip", ipOrDomain)
 	if err != nil {

src/mod/netutils/whois.go

@@ -0,0 +1,199 @@
+package netutils
+
+import (
+	"net"
+	"strings"
+	"time"
+)
+
+type WHOISResult struct {
+	DomainName       string    `json:"domainName"`
+	RegistryDomainID string    `json:"registryDomainID"`
+	Registrar        string    `json:"registrar"`
+	UpdatedDate      time.Time `json:"updatedDate"`
+	CreationDate     time.Time `json:"creationDate"`
+	ExpiryDate       time.Time `json:"expiryDate"`
+	RegistrantID     string    `json:"registrantID"`
+	RegistrantName   string    `json:"registrantName"`
+	RegistrantEmail  string    `json:"registrantEmail"`
+	AdminID          string    `json:"adminID"`
+	AdminName        string    `json:"adminName"`
+	AdminEmail       string    `json:"adminEmail"`
+	TechID           string    `json:"techID"`
+	TechName         string    `json:"techName"`
+	TechEmail        string    `json:"techEmail"`
+	NameServers      []string  `json:"nameServers"`
+	DNSSEC           string    `json:"dnssec"`
+}
+
+func ParseWHOISResponse(response string) (WHOISResult, error) {
+	result := WHOISResult{}
+
+	lines := strings.Split(response, "\n")
+	for _, line := range lines {
+		line = strings.TrimSpace(line)
+		if strings.HasPrefix(line, "Domain Name:") {
+			result.DomainName = strings.TrimSpace(strings.TrimPrefix(line, "Domain Name:"))
+		} else if strings.HasPrefix(line, "Registry Domain ID:") {
+			result.RegistryDomainID = strings.TrimSpace(strings.TrimPrefix(line, "Registry Domain ID:"))
+		} else if strings.HasPrefix(line, "Registrar:") {
+			result.Registrar = strings.TrimSpace(strings.TrimPrefix(line, "Registrar:"))
+		} else if strings.HasPrefix(line, "Updated Date:") {
+			dateStr := strings.TrimSpace(strings.TrimPrefix(line, "Updated Date:"))
+			updatedDate, err := time.Parse("2006-01-02T15:04:05Z", dateStr)
+			if err == nil {
+				result.UpdatedDate = updatedDate
+			}
+		} else if strings.HasPrefix(line, "Creation Date:") {
+			dateStr := strings.TrimSpace(strings.TrimPrefix(line, "Creation Date:"))
+			creationDate, err := time.Parse("2006-01-02T15:04:05Z", dateStr)
+			if err == nil {
+				result.CreationDate = creationDate
+			}
+		} else if strings.HasPrefix(line, "Registry Expiry Date:") {
+			dateStr := strings.TrimSpace(strings.TrimPrefix(line, "Registry Expiry Date:"))
+			expiryDate, err := time.Parse("2006-01-02T15:04:05Z", dateStr)
+			if err == nil {
+				result.ExpiryDate = expiryDate
+			}
+		} else if strings.HasPrefix(line, "Registry Registrant ID:") {
+			result.RegistrantID = strings.TrimSpace(strings.TrimPrefix(line, "Registry Registrant ID:"))
+		} else if strings.HasPrefix(line, "Registrant Name:") {
+			result.RegistrantName = strings.TrimSpace(strings.TrimPrefix(line, "Registrant Name:"))
+		} else if strings.HasPrefix(line, "Registrant Email:") {
+			result.RegistrantEmail = strings.TrimSpace(strings.TrimPrefix(line, "Registrant Email:"))
+		} else if strings.HasPrefix(line, "Registry Admin ID:") {
+			result.AdminID = strings.TrimSpace(strings.TrimPrefix(line, "Registry Admin ID:"))
+		} else if strings.HasPrefix(line, "Admin Name:") {
+			result.AdminName = strings.TrimSpace(strings.TrimPrefix(line, "Admin Name:"))
+		} else if strings.HasPrefix(line, "Admin Email:") {
+			result.AdminEmail = strings.TrimSpace(strings.TrimPrefix(line, "Admin Email:"))
+		} else if strings.HasPrefix(line, "Registry Tech ID:") {
+			result.TechID = strings.TrimSpace(strings.TrimPrefix(line, "Registry Tech ID:"))
+		} else if strings.HasPrefix(line, "Tech Name:") {
+			result.TechName = strings.TrimSpace(strings.TrimPrefix(line, "Tech Name:"))
+		} else if strings.HasPrefix(line, "Tech Email:") {
+			result.TechEmail = strings.TrimSpace(strings.TrimPrefix(line, "Tech Email:"))
+		} else if strings.HasPrefix(line, "Name Server:") {
+			ns := strings.TrimSpace(strings.TrimPrefix(line, "Name Server:"))
+			result.NameServers = append(result.NameServers, ns)
+		} else if strings.HasPrefix(line, "DNSSEC:") {
+			result.DNSSEC = strings.TrimSpace(strings.TrimPrefix(line, "DNSSEC:"))
+		}
+	}
+
+	return result, nil
+}
+
+type WhoisIpLookupEntry struct {
+	NetRange     string
+	CIDR         string
+	NetName      string
+	NetHandle    string
+	Parent       string
+	NetType      string
+	OriginAS     string
+	Organization Organization
+	RegDate      time.Time
+	Updated      time.Time
+	Ref          string
+}
+
+type Organization struct {
+	OrgName    string
+	OrgId      string
+	Address    string
+	City       string
+	StateProv  string
+	PostalCode string
+	Country    string
+	/*
+		RegDate    time.Time
+		Updated    time.Time
+			OrgTechHandle    string
+			OrgTechName      string
+			OrgTechPhone     string
+			OrgTechEmail     string
+			OrgAbuseHandle   string
+			OrgAbuseName     string
+			OrgAbusePhone    string
+			OrgAbuseEmail    string
+			OrgRoutingHandle string
+			OrgRoutingName   string
+			OrgRoutingPhone  string
+			OrgRoutingEmail  string
+	*/
+}
+
+func ParseWhoisIpData(data string) (WhoisIpLookupEntry, error) {
+	var entry WhoisIpLookupEntry = WhoisIpLookupEntry{}
+	var org Organization = Organization{}
+
+	lines := strings.Split(data, "\n")
+
+	for _, line := range lines {
+		line = strings.TrimSpace(line)
+		if strings.HasPrefix(line, "NetRange:") {
+			entry.NetRange = strings.TrimSpace(strings.TrimPrefix(line, "NetRange:"))
+		} else if strings.HasPrefix(line, "CIDR:") {
+			entry.CIDR = strings.TrimSpace(strings.TrimPrefix(line, "CIDR:"))
+		} else if strings.HasPrefix(line, "NetName:") {
+			entry.NetName = strings.TrimSpace(strings.TrimPrefix(line, "NetName:"))
+		} else if strings.HasPrefix(line, "NetHandle:") {
+			entry.NetHandle = strings.TrimSpace(strings.TrimPrefix(line, "NetHandle:"))
+		} else if strings.HasPrefix(line, "Parent:") {
+			entry.Parent = strings.TrimSpace(strings.TrimPrefix(line, "Parent:"))
+		} else if strings.HasPrefix(line, "NetType:") {
+			entry.NetType = strings.TrimSpace(strings.TrimPrefix(line, "NetType:"))
+		} else if strings.HasPrefix(line, "OriginAS:") {
+			entry.OriginAS = strings.TrimSpace(strings.TrimPrefix(line, "OriginAS:"))
+		} else if strings.HasPrefix(line, "Organization:") {
+			org.OrgName = strings.TrimSpace(strings.TrimPrefix(line, "Organization:"))
+		} else if strings.HasPrefix(line, "OrgId:") {
+			org.OrgId = strings.TrimSpace(strings.TrimPrefix(line, "OrgId:"))
+		} else if strings.HasPrefix(line, "Address:") {
+			org.Address = strings.TrimSpace(strings.TrimPrefix(line, "Address:"))
+		} else if strings.HasPrefix(line, "City:") {
+			org.City = strings.TrimSpace(strings.TrimPrefix(line, "City:"))
+		} else if strings.HasPrefix(line, "StateProv:") {
+			org.StateProv = strings.TrimSpace(strings.TrimPrefix(line, "StateProv:"))
+		} else if strings.HasPrefix(line, "PostalCode:") {
+			org.PostalCode = strings.TrimSpace(strings.TrimPrefix(line, "PostalCode:"))
+		} else if strings.HasPrefix(line, "Country:") {
+			org.Country = strings.TrimSpace(strings.TrimPrefix(line, "Country:"))
+		} else if strings.HasPrefix(line, "RegDate:") {
+			entry.RegDate, _ = parseDate(strings.TrimSpace(strings.TrimPrefix(line, "RegDate:")))
+		} else if strings.HasPrefix(line, "Updated:") {
+			entry.Updated, _ = parseDate(strings.TrimSpace(strings.TrimPrefix(line, "Updated:")))
+		} else if strings.HasPrefix(line, "Ref:") {
+			entry.Ref = strings.TrimSpace(strings.TrimPrefix(line, "Ref:"))
+		}
+	}
+
+	entry.Organization = org
+	return entry, nil
+}
+
+func parseDate(dateStr string) (time.Time, error) {
+	dateLayout := "2006-01-02"
+	date, err := time.Parse(dateLayout, strings.TrimSpace(dateStr))
+	if err != nil {
+		return time.Time{}, err
+	}
+	return date, nil
+}
+
+func isDomainName(input string) bool {
+	ip := net.ParseIP(input)
+	if ip != nil {
+		// Check if it's IPv4 or IPv6
+		if ip.To4() != nil {
+			return false
+		} else if ip.To16() != nil {
+			return false
+		}
+	}
+
+	_, err := net.LookupHost(input)
+	return err == nil
+}

src/mod/pathrule/pathrule.go

@@ -12,15 +12,14 @@ import (
 )
 
 /*
-	Pathblock.go
+	Pathrules.go
 
-	This script block off some of the specific pathname in access
+	This script handle advance path settings and rules on particular
-	For example, this module can help you block request for a particular
+	paths of the incoming requests
-	apache directory or functional endpoints like /.well-known/ when you
-	are not using it
 */
 
 type Options struct {
+	Enabled      bool   //If the pathrule is enabled.
 	ConfigFolder string //The folder to store the path blocking config files
 }
 
@@ -41,7 +40,7 @@ type Handler struct {
 }
 
 // Create a new path blocker handler
-func NewPathBlocker(options *Options) *Handler {
+func NewPathRuleHandler(options *Options) *Handler {
 	//Create folder if not exists
 	if !utils.FileExists(options.ConfigFolder) {
 		os.Mkdir(options.ConfigFolder, 0775)

src/start.go

@@ -8,6 +8,7 @@ import (
 	"strings"
 	"time"
 
+	"imuslab.com/zoraxy/mod/acme"
 	"imuslab.com/zoraxy/mod/auth"
 	"imuslab.com/zoraxy/mod/database"
 	"imuslab.com/zoraxy/mod/dynamicproxy/redirection"
@@ -95,13 +96,14 @@ func startupSequence() {
 	}
 
 	/*
-		Path Blocker
+		Path Rules
 
-		This section of starutp script start the pathblocker
+		This section of starutp script start the path rules where
-		from file.
+		user can define their own routing logics
 	*/
 
-	pathRuleHandler = pathrule.NewPathBlocker(&pathrule.Options{
+	pathRuleHandler = pathrule.NewPathRuleHandler(&pathrule.Options{
+		Enabled:      false,
 		ConfigFolder: "./rules/pathrules",
 	})
 
@@ -188,6 +190,17 @@ func startupSequence() {
 
 	//Create an analytic loader
 	AnalyticLoader = analytic.NewDataLoader(sysdb, statisticCollector)
+
+	/*
+		ACME API
+
+		Obtaining certificates from ACME Server
+	*/
+	acmeHandler = initACME()
+	acmeAutoRenewer, err = acme.NewAutoRenewer("./rules/acme_conf.json", "./certs/", int64(*acmeAutoRenewInterval), acmeHandler)
+	if err != nil {
+		log.Fatal(err)
+	}
 }
 
 // This sequence start after everything is initialized

src/web/components/cert.html

@@ -67,6 +67,7 @@
         </tbody>
         </table>
         <button class="ui basic button" onclick="initManagedDomainCertificateList();"><i class="green refresh icon"></i> Refresh List</button>
+        <button class="ui basic button" onclick="openACMEManager();"><i class="yellow refresh icon"></i> Auto Renew (ACME) Settings</button>
     </div>
     <div class="ui message">
         <h4><i class="info circle icon"></i> Sub-domain Certificates</h4>
@@ -106,11 +107,14 @@
                 msgbox(data.error, false, 5000);
             }else{
                 $("#certifiedDomainList").html("");
+                data.sort((a,b) => {
+                    return a.Domain > b.Domain
+                });
                 data.forEach(entry => {
                     $("#certifiedDomainList").append(`<tr>
                         <td>${entry.Domain}</td>
                         <td>${entry.LastModifiedDate}</td>
-                        <td>${entry.ExpireDate}</td>
+                        <td>${entry.ExpireDate} (${entry.RemainingDays} days left)</td>
                         <td><button title="Delete key-pair" class="ui mini basic red icon button" onclick="deleteCertificate('${entry.Domain}');"><i class="ui red trash icon"></i></button></td>
                     </tr>`);
                 });
@@ -125,6 +129,10 @@
     }
     initManagedDomainCertificateList();
 
+    function openACMEManager(){
+        showSideWrapper('snippet/acme.html');
+    }
+
     function handleDomainUploadByKeypress(){
         handleDomainKeysUpload(function(){
             $("#certUploadingDomain").text($("#certdomain").val().trim());

src/web/components/networktools.html

@@ -45,8 +45,17 @@
             </div>
             
         </div>
-        <div class=""></div>
+        <div class="ui divider"></div>
-
+        <!-- Whois-->
+        <h2>Whois</h2>
+        <p>Check the owner and registration information of a given domain</p>
+        <div class="ui icon input">
+            <input id="whoisdomain" type="text" onkeypress="if(event.keyCode === 13) { performWhoisLookup(); }" placeholder="Domain or IP">
+            <i onclick="performWhoisLookup();" class="circular search link icon"></i>
+        </div><br>
+        <small>Lookup might take a few minutes to complete</small>
+        <br>
+        <div id="whois_table"></div>
     </div>
 
     <div class="ui bottom attached tab segment nettoolstab" data-tab="tab2">
@@ -485,10 +494,70 @@ function ping(){
             $("#traceroute_results").val("");
             msgbox(data.error, false, 6000);
         }else{
-            $("#traceroute_results").val(data.join("\n"));
+            $("#traceroute_results").val(`--------- ICMP Ping -------------
+${data.ICMP.join("\n")}\n
+---------- TCP Ping -------------
+${data.TCP.join("\n")}\n
+---------- UDP Ping -------------
+${data.UDP.join("\n")}`);
         }
     });
 }
+
+function performWhoisLookup(){
+    let whoisDomain = $("#whoisdomain").val().trim();
+    $("#whoisdomain").parent().addClass("disabled");
+    $("#whoisdomain").parent().css({
+        "cursor": "wait"
+    });
+    $.get("/api/tools/whois?target=" + whoisDomain, function(data){
+        $("#whoisdomain").parent().removeClass("disabled");
+        $("#whoisdomain").parent().css({
+            "cursor": "auto"
+        });
+        if (data.error != undefined){
+            msgbox(data.error, false, 6000);
+        }else{
+            renderWhoisDomainTable(data);
+        }
+    })
+}
+
+function renderWhoisDomainTable(jsonData) {
+
+    function formatDate(dateString) {
+        var date = new Date(dateString);
+        return date.toLocaleString('en-US', { year: 'numeric', month: '2-digit', day: '2-digit', hour: '2-digit', minute: '2-digit', second: '2-digit' });
+    }
+
+    var table = $('<table>').addClass('ui definition table');
+
+    // Create table body
+    var body = $('<tbody>');
+    for (var key in jsonData) {
+    var value = jsonData[key];
+    var row = $('<tr>');
+    row.append($('<td>').text(key));
+    if (key.endsWith('Date')) {
+        row.append($('<td>').text(formatDate(value)));
+    } else if (Array.isArray(value)) {
+        row.append($('<td>').text(value.join(', ')));
+    }else if (typeof(value) == "object"){
+        row.append($('<td>').text(JSON.stringify(value)));
+    } else {
+        row.append($('<td>').text(value));
+    }
+    body.append(row);
+    }
+
+    // Append the table body to the table
+    table.append(body);
+
+    // Append the table to the target element
+    $('#whois_table').empty().append(table);
+}
+
+
 </script>
 
 

src/web/components/redirection.html

@@ -72,7 +72,7 @@
           <i class="ui green checkmark icon"></i> Redirection Rules Added
         </div>
         <br><br>
-        <!--
+
         <div class="advancezone ui basic segment">
           <div class="ui accordion advanceSettings">
             <div class="title">
@@ -85,7 +85,7 @@
             </div>
           </div>
         </div>
-         -->
+
     </div>
   </div>
 </div>

src/web/index.html

@@ -364,6 +364,7 @@
                 $(".sideWrapper").show();
                 $(".sideWrapper .fadingBackground").fadeIn("fast");
                 $(".sideWrapper .content").transition('slide left in', 300);
+                $("body").css("overflow", "hidden");
             }
 
             function hideSideWrapper(discardFrameContent = false){
@@ -378,6 +379,7 @@
                         $(".sideWrapper").hide(); 
                     });
                 });
+                $("body").css("overflow", "auto");
             }
         </script>
     </body>

src/web/main.css

@@ -179,7 +179,7 @@ body{
 }
 
 .sideWrapper iframe{
-    height: 100%;
+    height: calc(100% - 55px);
     width: 100%;
     border: 0px solid transparent;
 }

src/web/snippet/acme.html

@@ -0,0 +1,454 @@
+<!DOCTYPE html>
+<html>
+  <head>
+      <!-- Notes: This should be open in its original path-->
+      <link rel="stylesheet" href="../script/semantic/semantic.min.css">
+      <script src="../script/jquery-3.6.0.min.js"></script>
+      <script src="../script/semantic/semantic.min.js"></script>
+      <style>
+        .disabled.table{
+          opacity: 0.5;
+          pointer-events: none;
+          
+        }
+
+        .expiredDomain{
+          color: rgb(238, 31, 31);
+        }
+
+        .validDomain{
+          color: rgb(49, 192, 113);
+        }
+      </style>
+  </head>
+  <body>
+  <br>
+  <div class="ui container">
+    <div class="ui header">
+        <div class="content">
+            Certificates Auto Renew Settings
+            <div class="sub header">Fetch and renew your certificates with Automated Certificate Management Environment (ACME) protocol</div>
+        </div>
+    </div>
+    <div class="ui basic segment">
+      <p style="float: right; color: #21ba45; display:none;" id="enableToggleSucc"><i class="green checkmark icon"></i> Setting Updated</p>
+      <div class="ui toggle checkbox">
+        <input type="checkbox" id="enableCertAutoRenew">
+        <label>Enable Certificate Auto Renew</label>
+      </div>
+      <br>
+      <h3>ACME Email</h3>
+      <p>Email is required by many CAs for renewing via ACME protocol</p>
+      <div class="ui fluid action input">
+        <input id="caRegisterEmail" type="text" placeholder="webmaster@example.com">
+        <button class="ui icon basic button" onclick="saveEmailToConfig(this);">
+            <i class="blue save icon"></i>
+        </button>
+      </div>
+      <small>If you don't want to share your private email address, you can also fill in an email address that point to a mailbox not exists on your domain.</small>
+    </div>
+    <div class="ui basic segment" style="background-color: #f7f7f7; border-radius: 1em;">
+      <div class="ui accordion advanceSettings">
+          <div class="title">
+            <i class="dropdown icon"></i>
+              Advance Renew Policy
+          </div>
+          <div class="content">
+              <p>Renew all certificates with ACME supported CAs</p>
+              <div class="ui toggle checkbox">
+                <input type="checkbox" id="renewAllSupported" onchange="setAutoRenewIfCASupportMode(this.checked);" checked>
+                <label>Renew All Certs</label>
+              </div><br>
+              <button id="renewNowBtn" onclick="renewNow();" class="ui basic right floated button" style="margin-top: -2em;"><i class="yellow refresh icon"></i> Renew Now</button>
+              <div class="ui horizontal divider"> OR </div>
+              <p>Select the certificates to automatic renew in the list below</p>
+              <table id="domainCertFileTable" class="ui very compact unstackable basic disabled table">
+                <thead>
+                  <tr>
+                    <th>Domain Name</th>
+                    <th>Match Rule</th>
+                    <th>Auto-Renew</th>
+                  </tr>
+                </thead>
+                <tbody id="domainTableBody"></tbody>
+              </table>
+              <small><i class="ui red info circle icon"></i> Domain in red are expired</small><br>
+              <div class="ui yellow message">
+                Certificate Renew only works on the certification authority (CA) supported by Zoraxy. Check Zoraxy wiki for more information on supported list of CAs.
+              </div>
+              <button class="ui basic right floated button" onclick="saveAutoRenewPolicy();"><i class="blue save icon"></i> Save Changes</button>
+              <button id="renewSelectedButton" onclick="renewNow();" class="ui basic right floated disabled button"><i class="yellow refresh icon"></i> Renew Selected</button>
+              <br><br>
+          </div>
+      </div>
+  </div>
+  <div class="ui divider"></div>
+  <h3>Manual Renew</h3>
+  <p>Pick a certificate below to force renew</p>
+  <div class="ui form">
+    <div class="field">
+      <label>Domain(s)</label>
+      <input id="domainsInput" type="text" placeholder="example.com" onkeyup="checkIfInputDomainIsMultiple();">
+      <small>If you have more than one domain in a single certificate, enter the domains separated by commas (e.g. s1.dev.example.com,s2.dev.example.com)</small>
+    </div>
+    <div class="field multiDomainOnly" style="display:none;">
+      <label>Matching Rule</label>
+      <input id="filenameInput" type="text" placeholder="Enter filename (no file extension)">
+      <small>Matching rule to let Zoraxy pick which certificate to use (Also be used as filename). Usually is the longest common suffix of the entered addresses. (e.g. dev.example.com)</small>
+    </div>
+    <div class="field multiDomainOnly" style="display:none;">
+      <button class="ui basic fluid button" onclick="autoDetectMatchingRules();">Auto Detect Matching Rule</button>
+    </div>
+    <div class="field">
+      <label>Certificate Authority (CA)</label>
+      <div class="ui selection dropdown" id="ca">
+        <input type="hidden" name="ca">
+        <i class="dropdown icon"></i>
+        <div class="default text">Let's Encrypt</div>
+        <div class="menu">
+          <div class="item" data-value="Let's Encrypt">Let's Encrypt</div>
+          <div class="item" data-value="Buypass">Buypass</div>
+          <div class="item" data-value="ZeroSSL">ZeroSSL</div>
+          <!-- <div class="item" data-value="Google">Google</div> -->
+        </div>
+      </div>
+    </div>
+    <button id="obtainButton" class="ui basic button" type="submit"><i class="yellow refresh icon"></i> Renew Certificate</button>
+  </div>
+
+  <button class="ui basic button"  style="float: right;" onclick="parent.hideSideWrapper();"><i class="remove icon"></i> Cancel</button>
+  <br><br><br><br>
+  </div>
+
+  <script>
+    let expiredDomains = [];
+    let enableTrigerOnChangeEvent = true;
+    $(".accordion").accordion();
+    $(".dropdown").dropdown();
+
+    function setAutoRenewIfCASupportMode(useAutoMode = true){
+      if (useAutoMode){
+        $("#domainCertFileTable").addClass("disabled");
+        $("#renewNowBtn").removeClass("disabled");
+        $("#renewSelectedButton").addClass("disabled");
+      }else{
+        $("#domainCertFileTable").removeClass("disabled");
+        $("#renewNowBtn").addClass("disabled");
+        $("#renewSelectedButton").removeClass("disabled");
+      }
+    }
+
+    function initRenewerConfigFromFile(){
+      $.get("/api/acme/autoRenew/enable", function(data){
+        if (data == true){
+          $("#enableCertAutoRenew").parent().checkbox("set checked");
+        }
+
+        $("#enableCertAutoRenew").on("change", function(){
+          if (!enableTrigerOnChangeEvent){
+            return;
+          }
+          toggleAutoRenew();
+        })
+      });
+
+      $.get("/api/acme/autoRenew/email", function(data){
+        if (data != "" && data != undefined && data != null){
+          $("#caRegisterEmail").val(data);
+        }
+      });
+    }
+    initRenewerConfigFromFile();
+
+    function saveEmailToConfig(btn){
+      $.ajax({
+        url: "/api/acme/autoRenew/email",
+        data: {set: $("#caRegisterEmail").val()},
+        success: function(data){
+          if (data.error != undefined){
+            parent.msgbox(data.error, false, 5000);
+          }else{
+            parent.msgbox("Email updated");
+            $(btn).html(`<i class="green check icon"></i>`);
+            $(btn).addClass("disabled");
+            setTimeout(function(){
+              $(btn).html(`<i class="blue save icon"></i>`);
+              $(btn).removeClass("disabled");
+            }, 3000);
+          }
+        }
+      });
+    }
+
+    function toggleAutoRenew(){
+      var enabled = $("#enableCertAutoRenew").parent().checkbox("is checked");
+      $.post("/api/acme/autoRenew/enable?enable=" + enabled, function(data){
+        if (data.error){
+          parent.msgbox(data.error, false, 5000);
+          if (enabled){
+            enableTrigerOnChangeEvent = false;
+            $("#enableCertAutoRenew").parent().checkbox("set unchecked");
+            enableTrigerOnChangeEvent = true;
+          }
+        }else{
+          $("#enableToggleSucc").stop().finish().fadeIn("fast").delay(3000).fadeOut("fast");
+        }
+      });
+    }
+
+    //Render the domains table that exists in this zoraxy host
+    function renderDomainTable(domainFileList) {
+      // Get the table body element
+      var tableBody = $('#domainTableBody');
+      
+      // Clear the table body
+      tableBody.empty();
+      
+      // Iterate over the domain names
+      var counter = 0;
+      for (const [srcfile, domains] of Object.entries(domainFileList)) {
+
+        // Create a table row
+        var row = $('<tr>');
+        
+        // Create the domain name cell
+        var domainClass = "validDomain";
+        for (var i = 0; i < domains.length; i++){
+          let thisDomain = domains[i];
+          if (expiredDomains.includes(thisDomain)){
+            domainClass = "expiredDomain";
+          }
+        }
+       
+        var domainCell = $('<td class="' + domainClass  +'">').html(domains.join("<br>"));
+        row.append(domainCell);
+
+        var srcFileCell = $('<td>').text(srcfile);
+        row.append(srcFileCell);
+        
+        // Create the auto-renew checkbox cell
+        let domainsEncoded = encodeURIComponent(JSON.stringify(domains));
+        var checkboxCell = $(`<td domain="${domainsEncoded}" srcfile="${srcfile}">`);
+        var checkbox = $(`<input name="${srcfile}">`).attr('type', 'checkbox');
+        checkboxCell.append(checkbox);
+        row.append(checkboxCell);
+        
+        // Add the row to the table body
+        tableBody.append(row);
+
+        counter++;
+      }
+    }
+
+    //Initiate domain table. If you needs to update the expired domain as well
+    //call from initDomainFileList() instead
+    function initDomainTable(){
+      $.get("/api/cert/listdomains?compact=true", function(data){
+        if (data.error != undefined){
+          parent.msgbox(data.error, false);
+        }else{
+          renderDomainTable(data);
+        }
+        initAutoRenewPolicy();
+      })
+    }
+
+    function initDomainFileList() {
+      $.ajax({
+        url: "/api/acme/listExpiredDomains",
+        method: "GET",
+        success: function(response) {
+          // Render domain table
+          expiredDomains = response.domain;
+          initDomainTable();
+          //renderDomainTable(response.domain);
+        },
+        error: function(error) {
+          console.log("Failed to fetch expired domains:", error);
+        }
+      });
+    }
+    initDomainFileList();
+
+    // Button click event handler for obtaining certificate
+    $("#obtainButton").click(function() {
+      $("#obtainButton").addClass("loading").addClass("disabled");
+      obtainCertificate();
+    });
+
+    // Obtain certificate from API
+    function obtainCertificate() {
+      var domains = $("#domainsInput").val();
+      var filename = $("#filenameInput").val();
+      var email = $("#caRegisterEmail").val();
+      if (email == ""){
+        parent.msgbox("ACME renew email is not set")
+        return;
+      }
+      if (filename.trim() == "" && !domains.includes(",")){
+        //Zoraxy filename are the matching name for domains.
+        //Use the same as domains
+        filename = domains;
+      }else if (filename != "" && !domains.includes(",")){
+        //Invalid settings. Force the filename to be same as domain
+        //if there are only 1 domain
+        filename = domains;
+      }else{
+        parent.msgbox("Filename cannot be empty for certs containing multiple domains.")
+        return;
+      }
+      var ca = $("#ca").dropdown("get value");
+      $.ajax({
+        url: "/api/acme/obtainCert",
+        method: "GET",
+        data: {
+          domains: domains,
+          filename: filename,
+          email: email,
+          ca: ca,
+        },
+        success: function(response) {
+          $("#obtainButton").removeClass("loading").removeClass("disabled");
+          if (response.error) {
+            console.log("Error:", response.error);
+            // Show error message
+            parent.msgbox(response.error, false, 12000);
+          } else {
+            console.log("Certificate renewed successfully");
+            // Show success message
+            parent.msgbox("Certificate renewed successfully");
+            
+            // Renew the parent certificate list
+            parent.initManagedDomainCertificateList();
+          }
+        },
+        error: function(error) {
+          $("#obtainButton").removeClass("loading").removeClass("disabled");
+          console.log("Failed to renewed certificate:", error);
+        }
+      });
+    }
+
+    function checkIfInputDomainIsMultiple(){
+      var inputDomains = $("#domainsInput").val();
+      if (inputDomains.includes(",")){
+        $(".multiDomainOnly").show();
+      }else{
+        $(".multiDomainOnly").hide();
+      }
+    }
+
+    //Grab the longest common suffix of all domains
+    //not that smart technically
+    function autoDetectMatchingRules(){
+      var domainsString = $("#domainsInput").val();
+      if (!domainsString.includes(",")){
+        return domainsString;
+      }
+
+      let domains = domainsString.split(",");
+
+      //Clean out any spacing between commas
+      for (var i = 0; i < domains.length; i++){
+        domains[i] = domains[i].trim();
+      }
+
+      function getLongestCommonSuffix(strings) {
+        if (strings.length === 0) {
+          return ''; // Return an empty string if the array is empty
+        }
+
+        var sortedStrings = strings.slice().sort(); // Create a sorted copy of the array
+
+        var firstString = sortedStrings[0];
+        var lastString = sortedStrings[sortedStrings.length - 1];
+
+        var suffix = '';
+        var minLength = Math.min(firstString.length, lastString.length);
+
+        for (var i = 0; i < minLength; i++) {
+          if (firstString[firstString.length - 1 - i] !== lastString[lastString.length - 1 - i]) {
+            break; // Stop iterating if characters don't match
+          }
+          suffix = firstString[firstString.length - 1 - i] + suffix;
+        }
+
+        return suffix;
+      }
+
+      let longestSuffix = getLongestCommonSuffix(domains);
+
+      //Check if the suffix is a valid domain
+      if (longestSuffix.substr(0,1) == "."){
+        //Trim off the first dot
+        longestSuffix = longestSuffix.substr(1);
+      }
+
+      if (!longestSuffix.includes(".")){
+        parent.msgbox("Auto Detect failed: Multiple Domains", false, 5000);
+        return;
+      }
+      $("#filenameInput").val(longestSuffix);
+    }
+
+    //Handle the renew now btn click
+    function renewNow(){
+      alert("wip");
+      return
+      $.get("/api/acme/autoRenew/renewNow", function(data){
+        alert(data);
+      })
+    }
+
+    function initAutoRenewPolicy(){
+      $.get("/api/acme/autoRenew/listDomains", function(data){
+        if (data.error != undefined){
+          parent.msgbox(data.error, false)
+        }else{
+          if (data[0] == "*"){
+            //Auto select and renew is enabled
+            $("#renewAllSupported").parent().checkbox("set checked");
+          }else{
+            //This is a list of domain files
+            data.forEach(function(name) {
+              $('#domainTableBody input[type="checkbox"][name="' + name + '"]').prop('checked', true);
+            });
+            $("#domainCertFileTable").removeClass("disabled");
+            $("#renewNowBtn").addClass("disabled");
+            $("#renewSelectedButton").removeClass("disabled");
+          }
+        }
+      })
+    }
+
+    function saveAutoRenewPolicy(){
+      let autoRenewAll = $("#renewAllSupported").parent().checkbox("is checked");
+      if (autoRenewAll == true){
+        $.ajax({
+          url: "/api/acme/autoRenew/setDomains",
+          data: {opr: "setAuto"},
+          success: function(data){
+            parent.msgbox("Renew policy rule updated")
+          }
+        });
+      }else{
+        let checkedNames = [];
+        $('#domainTableBody input[type="checkbox"]:checked').each(function() {
+          checkedNames.push($(this).attr('name'));
+        });
+
+        $.ajax({
+          url: "/api/acme/autoRenew/setDomains",
+          data: {opr: "setSelected", domains: JSON.stringify(checkedNames)},
+          success: function(data){
+            parent.msgbox("Renew policy rule updated")
+          }
+        });
+      }
+    }
+
+    //Clear  up the input field when page load
+    $("#filenameInput").val("");
+  </script>
+</body>
+</html>