reverseproxy: Skip TLS for certain configured ports (#4843)

* Make reverse proxy TLS server name replaceable for SNI upstreams.

* Reverted previous TLS server name replacement, and implemented thread safe version.

* Move TLS servername replacement into it's own function

* Moved SNI servername replacement into httptransport.

* Solve issue when dynamic upstreams use wrong protocol upstream.

* Revert previous commit.

Old commit was: Solve issue when dynamic upstreams use wrong protocol upstream.
Id: 3c9806ccb63e66bdcac8e1ed4520c9d135cb011d

* Added SkipTLSPorts option to http transport.

* Fix typo in test config file.

* Rename config option as suggested by Matt

Co-authored-by: Matt Holt <mholt@users.noreply.github.com>

* Update code to match renamed config option.

* Fix typo in config option name.

* Fix another typo that I missed.

* Tests not completing because of apparent wrong ordering of options.

Co-authored-by: Matt Holt <mholt@users.noreply.github.com>

caddytest/integration/caddyfile_adapt/reverse_proxy_options.txt

@@ -25,6 +25,7 @@ https://example.com {
 			keepalive_idle_conns_per_host 2
 			keepalive_interval 30s
 			renegotiation freely
+			except_ports 8181 8182
 		}
 	}
 }
@@ -93,6 +94,10 @@ https://example.com {
 														},
 														"response_header_timeout": 8000000000,
 														"tls": {
+															"except_ports": [
+																"8181",
+																"8182"
+															],
 															"renegotiation": "freely"
 														},
 														"versions": [

modules/caddyhttp/reverseproxy/caddyfile.go

@@ -1063,6 +1063,15 @@ func (h *HTTPTransport) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 				}
 				h.MaxConnsPerHost = num
 
+			case "except_ports":
+				if h.TLS == nil {
+					h.TLS = new(TLSConfig)
+				}
+				h.TLS.ExceptPorts = d.RemainingArgs()
+				if len(h.TLS.ExceptPorts) == 0 {
+					return d.ArgErr()
+				}
+
 			default:
 				return d.Errf("unrecognized subdirective %s", d.Val())
 			}

modules/caddyhttp/reverseproxy/httptransport.go

@@ -296,9 +296,20 @@ func (h *HTTPTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 // has the scheme set in its URL; the underlying
 // http.Transport requires a scheme to be set.
 func (h *HTTPTransport) SetScheme(req *http.Request) {
+	skipTLSport := false
+	if h.TLS.ExceptPorts != nil {
+		port := req.URL.Port()
+		for i := range h.TLS.ExceptPorts {
+			if h.TLS.ExceptPorts[i] == port {
+				skipTLSport = true
+				break
+			}
+		}
+	}
+
 	if req.URL.Scheme == "" {
 		req.URL.Scheme = "http"
-		if h.TLS != nil {
+		if h.TLS != nil && !skipTLSport {
 			req.URL.Scheme = "https"
 		}
 	}
@@ -369,6 +380,13 @@ type TLSConfig struct {
 	//  - "once": allows a remote server to request renegotiation once per connection.
 	//  - "freely": allows a remote server to repeatedly request renegotiation.
 	Renegotiation string `json:"renegotiation,omitempty"`
+
+	// Skip TLS ports specifies a list of upstream ports on which TLS should not be
+	// attempted even if it is configured. Handy when using dynamic upstreams that
+	// return HTTP and HTTPS endpoints too.
+	// When specified, TLS will automatically be configured on the transport.
+	// The value can be a list of any valid tcp port numbers, default empty.
+	ExceptPorts []string `json:"except_ports,omitempty"`
 }
 
 // MakeTLSClientConfig returns a tls.Config usable by a client to a backend.