The server log scrubbing code from ticket #21304 is now refactored into
a safelog package, along with the appropriate tests

Modified regular expressions to not scrub fingerprints, but catch all
instances of IPv4 and IPv6 addresses. Expanded test cases with those
suggested by dcf.

Log scrubber now scrubs addresses even in the case where they are split
across calls to the scrubber's output io.Writer.

Added test cases to test that the writer behaves correctly across split
lines.

It is now more readable, and the regexp's are only compiled once

IPv6 regexes didn't need to be that precise, added more tests for
edge-cases.

Added a scrubber that takes all logging output to the standard logger
and passes through a series of regular expressions to replace IP
addresses with safe strings (e.g., X.X.X.X:443).

Ensure server logs to stdout are also scrubbed

Ignore SIGINT, honor TOR_PT_EXIT_ON_STDIN_CLOSE.

Cf. https://bugs.torproject.org/24875

This is a port of commit e3f3054f8b74caa639a6d9be09702693af9a70e7 from
meek.

In the previous commit, we changed from separate Listen and Serve steps
to always calling ListenAndServe. However, we would really like to
immediately get feedback if any errors happen in the Listen step inside
the call, because it's much better for debugging if those errors get
reported to tor through SMETHOD-ERROR--rather than reporting success to
tor and actually logging an error only in the snowflake log. So we wait
100 ms for an error to occur before deciding that the Listen succeeded.

We don't need to apply this hack to the ACME HTTP-01 listener, because
it's a plaintext listener. Unlike in the TLS case, there isn't any
internal magic that the net library does that we have to rely on. We
just call net.ListenTCP and check for an error.

This is a port of commit cea86c937dc278ba6b2100c238b1d5206bbae2f0 from
meek. Its purpose is to remove the need to copy-paste parts of
net/http.Server.ListenAndServeTLS. Here is a copy of the commit message
from meek:

    The net/http package provides ListenAndServe and ListenAndServeTLS
    functions, but it doesn't provide a way to set up a listener without
    also entering an infinite serve loop. This matters for
    ListenAndServeTLS, which sets up a lot of magic behind the scenes for
    TLS and HTTP/2 support. Formerly, we had copy-pasted code from
    ListenAndServeTLS, but that code has only gotten more complicated in
    upstream net/http.

    The price we pay for this is that it's no longer possible for a server
    bindaddr to ask to listen on port 0 (i.e., a random ephemeral port).
    That's because we never get a change to find out what the listening
    address is, before entering the serve loop.

    What we gain is HTTP/2 support; formerly our copy-pasted code had the
    side effect of disabling HTTP/2, because it was copied from an older
    version and did things like
            config.NextProtos = []string{"http/1.1"}

    The new code calls http2.ConfigureServer first, but that's not what's
    providing HTTP/2 support. HTTP/2 support happens by default. The reason
    we call http2.ConfigureServer is because we need to set
    TLSConfig.GetCertificate, and http2.ConfigureServer is a convenient way
    to initialize TLSConfig in a way that is guaranteed to work with HTTP/2.

As with commit fcc274ac for the broker,
we need to start using the HTTP-01 challenge type in the Snowflake
websocket server transport plugin.
https://bugs.torproject.org/25346

fmt.Sprintf("%.g", 86400.4) → "9e+04"
fmt.Sprintf("%.f", 86400.4) → "86400"

The time interval was being reset every time a new connection came in.

This is a sanity check against any catastrophic failure of our parsing
code.

Current versions of tor accept USERADDR with or without a port number,
but future versions may become more strict and require the port number.
https://bugs.torproject.org/23080

This way, we don't lose state of certificates every time the process is
restarted. There's a possibility, otherwise, that if you have to restart
the server rapidly, you might run into Let's Encrypt rate limits and be
unable to create a cert for a while.
https://godoc.org/rsc.io/letsencrypt#hdr-Persistent_Storage

This removes the --tls-cert and --tls-keys options and replaces them
with --acme-hostname and (optional) --acme-email. It uses
https://godoc.org/golang.org/x/crypto/acme/autocert, which is kind of a
successor to https://godoc.org/rsc.io/letsencrypt.

The autocert package only works when the listener runs on port 443. For
that reason, if TOR_PT_SERVER_BINDADDR asks for a port other than 443,
the program will open an *additional* listening port on 443. If there is
an error opening the listener, it is reported through an SMETHOD-ERROR
for the requested address.

The inspiration for this code came from George Tankersley's patch for
meek-server:
https://bugs.torproject.org/18655#comment:8
https://github.com/gtank/meek/tree/letsencrypt

This was a bug added in 8378f859 when
this code was moved out of a switch.

Might make this controlled by ServerTransportOptions instead of the
--disable-tls command line option.

This was only needed for very very old Firefox before WebSockets were
properly standardized.

Recommend ServerTransportListenAddr in torrc instead.

pt-spec no longer talks about SIGINT.