mirror of
				https://github.com/caddyserver/caddy.git
				synced 2025-10-26 08:12:43 -04:00 
			
		
		
		
	reverse_proxy: Implement remaining TLS config for proxy to backend
This commit is contained in:
		
							parent
							
								
									ccfb12347b
								
							
						
					
					
						commit
						4a1e1649bc
					
				| @ -15,8 +15,13 @@ | |||||||
| package reverseproxy | package reverseproxy | ||||||
| 
 | 
 | ||||||
| import ( | import ( | ||||||
|  | 	"crypto/tls" | ||||||
|  | 	"crypto/x509" | ||||||
|  | 	"encoding/base64" | ||||||
|  | 	"fmt" | ||||||
| 	"net" | 	"net" | ||||||
| 	"net/http" | 	"net/http" | ||||||
|  | 	"reflect" | ||||||
| 	"time" | 	"time" | ||||||
| 
 | 
 | ||||||
| 	"github.com/caddyserver/caddy/v2" | 	"github.com/caddyserver/caddy/v2" | ||||||
| @ -76,7 +81,12 @@ func (h *HTTPTransport) Provision(ctx caddy.Context) error { | |||||||
| 
 | 
 | ||||||
| 	if h.TLS != nil { | 	if h.TLS != nil { | ||||||
| 		rt.TLSHandshakeTimeout = time.Duration(h.TLS.HandshakeTimeout) | 		rt.TLSHandshakeTimeout = time.Duration(h.TLS.HandshakeTimeout) | ||||||
| 		// TODO: rest of TLS config | 
 | ||||||
|  | 		var err error | ||||||
|  | 		rt.TLSClientConfig, err = h.TLS.MakeTLSClientConfig() | ||||||
|  | 		if err != nil { | ||||||
|  | 			return fmt.Errorf("making TLS client config: %v", err) | ||||||
|  | 		} | ||||||
| 	} | 	} | ||||||
| 
 | 
 | ||||||
| 	if h.KeepAlive != nil { | 	if h.KeepAlive != nil { | ||||||
| @ -103,13 +113,79 @@ func (h HTTPTransport) RoundTrip(req *http.Request) (*http.Response, error) { | |||||||
| 	return h.RoundTripper.RoundTrip(req) | 	return h.RoundTripper.RoundTrip(req) | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
|  | func defaultTLSConfig() *tls.Config { | ||||||
|  | 	return &tls.Config{ | ||||||
|  | 		NextProtos: []string{"h2", "http/1.1"}, // TODO: ensure this makes HTTP/2 work | ||||||
|  | 	} | ||||||
|  | } | ||||||
|  | 
 | ||||||
| type TLSConfig struct { | type TLSConfig struct { | ||||||
| 	CAPool             []string       `json:"ca_pool,omitempty"` | 	RootCAPool []string `json:"root_ca_pool,omitempty"` | ||||||
| 	ClientCertificate  string         `json:"client_certificate,omitempty"` | 	// TODO: Should the client cert+key config use caddytls.CertificateLoader modules? | ||||||
|  | 	ClientCertificateFile    string         `json:"client_certificate_file,omitempty"` | ||||||
|  | 	ClientCertificateKeyFile string         `json:"client_certificate_key_file,omitempty"` | ||||||
| 	InsecureSkipVerify       bool           `json:"insecure_skip_verify,omitempty"` | 	InsecureSkipVerify       bool           `json:"insecure_skip_verify,omitempty"` | ||||||
| 	HandshakeTimeout         caddy.Duration `json:"handshake_timeout,omitempty"` | 	HandshakeTimeout         caddy.Duration `json:"handshake_timeout,omitempty"` | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
|  | // MakeTLSClientConfig returns a tls.Config usable by a client to a backend. | ||||||
|  | // If there is no custom TLS configuration, a nil config may be returned. | ||||||
|  | func (t TLSConfig) MakeTLSClientConfig() (*tls.Config, error) { | ||||||
|  | 	cfg := new(tls.Config) | ||||||
|  | 
 | ||||||
|  | 	// client auth | ||||||
|  | 	if t.ClientCertificateFile != "" && t.ClientCertificateKeyFile == "" { | ||||||
|  | 		return nil, fmt.Errorf("client_certificate_file specified without client_certificate_key_file") | ||||||
|  | 	} | ||||||
|  | 	if t.ClientCertificateFile == "" && t.ClientCertificateKeyFile != "" { | ||||||
|  | 		return nil, fmt.Errorf("client_certificate_key_file specified without client_certificate_file") | ||||||
|  | 	} | ||||||
|  | 	if t.ClientCertificateFile != "" && t.ClientCertificateKeyFile != "" { | ||||||
|  | 		cert, err := tls.LoadX509KeyPair(t.ClientCertificateFile, t.ClientCertificateKeyFile) | ||||||
|  | 		if err != nil { | ||||||
|  | 			return nil, fmt.Errorf("loading client certificate key pair: %v", err) | ||||||
|  | 		} | ||||||
|  | 		cfg.Certificates = []tls.Certificate{cert} | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
|  | 	// trusted root CAs | ||||||
|  | 	if len(t.RootCAPool) > 0 { | ||||||
|  | 		rootPool := x509.NewCertPool() | ||||||
|  | 		for _, encodedCACert := range t.RootCAPool { | ||||||
|  | 			caCert, err := decodeBase64DERCert(encodedCACert) | ||||||
|  | 			if err != nil { | ||||||
|  | 				return nil, fmt.Errorf("parsing CA certificate: %v", err) | ||||||
|  | 			} | ||||||
|  | 			rootPool.AddCert(caCert) | ||||||
|  | 		} | ||||||
|  | 		cfg.RootCAs = rootPool | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
|  | 	// throw all security out the window | ||||||
|  | 	cfg.InsecureSkipVerify = t.InsecureSkipVerify | ||||||
|  | 
 | ||||||
|  | 	// only return a config if it's not empty | ||||||
|  | 	if reflect.DeepEqual(cfg, new(tls.Config)) { | ||||||
|  | 		return nil, nil | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
|  | 	cfg.NextProtos = []string{"h2", "http/1.1"} // TODO: ensure that this actually enables HTTP/2 | ||||||
|  | 
 | ||||||
|  | 	return cfg, nil | ||||||
|  | } | ||||||
|  | 
 | ||||||
|  | // decodeBase64DERCert base64-decodes, then DER-decodes, certStr. | ||||||
|  | func decodeBase64DERCert(certStr string) (*x509.Certificate, error) { | ||||||
|  | 	// decode base64 | ||||||
|  | 	derBytes, err := base64.StdEncoding.DecodeString(certStr) | ||||||
|  | 	if err != nil { | ||||||
|  | 		return nil, err | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
|  | 	// parse the DER-encoded certificate | ||||||
|  | 	return x509.ParseCertificate(derBytes) | ||||||
|  | } | ||||||
|  | 
 | ||||||
| type KeepAlive struct { | type KeepAlive struct { | ||||||
| 	Enabled             *bool          `json:"enabled,omitempty"` | 	Enabled             *bool          `json:"enabled,omitempty"` | ||||||
| 	ProbeInterval       caddy.Duration `json:"probe_interval,omitempty"` | 	ProbeInterval       caddy.Duration `json:"probe_interval,omitempty"` | ||||||
|  | |||||||
		Loading…
	
	
			
			x
			
			
		
	
		Reference in New Issue
	
	Block a user