reverseproxy: Skip TLS for certain configured ports (#4843)

* Make reverse proxy TLS server name replaceable for SNI upstreams. * Reverted previous TLS server name replacement, and implemented thread safe version. * Move TLS servername replacement into it's own function * Moved SNI servername replacement into httptransport. * Solve issue when dynamic upstreams use wrong protocol upstream. * Revert previous commit. Old commit was: Solve issue when dynamic upstreams use wrong protocol upstream. Id: 3c9806ccb63e66bdcac8e1ed4520c9d135cb011d * Added SkipTLSPorts option to http transport. * Fix typo in test config file. * Rename config option as suggested by Matt Co-authored-by: Matt Holt <mholt@users.noreply.github.com> * Update code to match renamed config option. * Fix typo in config option name. * Fix another typo that I missed. * Tests not completing because of apparent wrong ordering of options. Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2025-10-30 18:22:49 -04:00 · 2022-06-20 19:51:42 +02:00 · 2022-06-20 19:51:42 +02:00 · b6e96fa3c5
commit b6e96fa3c5
parent 56013934a4
3 changed files with 33 additions and 1 deletions
--- a/caddytest/integration/caddyfile_adapt/reverse_proxy_options.txt
+++ b/caddytest/integration/caddyfile_adapt/reverse_proxy_options.txt
@ -25,6 +25,7 @@ https://example.com {
 			keepalive_idle_conns_per_host 2
 			keepalive_interval 30s
 			renegotiation freely
+			except_ports 8181 8182
 		}
 	}
 }
@ -93,6 +94,10 @@ https://example.com {
 														},
 														"response_header_timeout": 8000000000,
 														"tls": {
+															"except_ports": [
+																"8181",
+																"8182"
+															],
 															"renegotiation": "freely"
 														},
 														"versions": [
--- a/modules/caddyhttp/reverseproxy/caddyfile.go
+++ b/modules/caddyhttp/reverseproxy/caddyfile.go
@ -1063,6 +1063,15 @@ func (h *HTTPTransport) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 				}
 				h.MaxConnsPerHost = num

+			case "except_ports":
+				if h.TLS == nil {
+					h.TLS = new(TLSConfig)
+				}
+				h.TLS.ExceptPorts = d.RemainingArgs()
+				if len(h.TLS.ExceptPorts) == 0 {
+					return d.ArgErr()
+				}
+
 			default:
 				return d.Errf("unrecognized subdirective %s", d.Val())
 			}
--- a/modules/caddyhttp/reverseproxy/httptransport.go
+++ b/modules/caddyhttp/reverseproxy/httptransport.go
@ -296,9 +296,20 @@ func (h *HTTPTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 // has the scheme set in its URL; the underlying
 // http.Transport requires a scheme to be set.
 func (h *HTTPTransport) SetScheme(req *http.Request) {
+	skipTLSport := false
+	if h.TLS.ExceptPorts != nil {
+		port := req.URL.Port()
+		for i := range h.TLS.ExceptPorts {
+			if h.TLS.ExceptPorts[i] == port {
+				skipTLSport = true
+				break
+			}
+		}
+	}
+
 	if req.URL.Scheme == "" {
 		req.URL.Scheme = "http"
-		if h.TLS != nil {
+		if h.TLS != nil && !skipTLSport {
 			req.URL.Scheme = "https"
 		}
 	}
@ -369,6 +380,13 @@ type TLSConfig struct {
 	//  - "once": allows a remote server to request renegotiation once per connection.
 	//  - "freely": allows a remote server to repeatedly request renegotiation.
 	Renegotiation string `json:"renegotiation,omitempty"`
+
+	// Skip TLS ports specifies a list of upstream ports on which TLS should not be
+	// attempted even if it is configured. Handy when using dynamic upstreams that
+	// return HTTP and HTTPS endpoints too.
+	// When specified, TLS will automatically be configured on the transport.
+	// The value can be a list of any valid tcp port numbers, default empty.
+	ExceptPorts []string `json:"except_ports,omitempty"`
 }

 // MakeTLSClientConfig returns a tls.Config usable by a client to a backend.