proxy: Implement own CA certificates of backends (#2454)

By using option ca_certificates in proxy block it is possible now to select CA against which backend certificates shall be checked. Resolves #1550 Co-authored-by: Danny Navarro <navdgo@gmail.com>
2026-06-07 06:25:24 -04:00 · 2019-02-05 12:16:08 -05:00
parent 9e4a29191c
commit e0efb027da
4 changed files with 198 additions and 0 deletions
@@ -28,6 +28,7 @@ package proxy
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"io"
 	"net"
@@ -310,6 +311,25 @@ func (rp *ReverseProxy) UseInsecureTransport() {
 	}
 }

+// UseOwnCertificate is used to facilitate HTTPS proxying
+// with locally provided certificate.
+func (rp *ReverseProxy) UseOwnCACertificates(CaCertPool *x509.CertPool) {
+	if transport, ok := rp.Transport.(*http.Transport); ok {
+		if transport.TLSClientConfig == nil {
+			transport.TLSClientConfig = &tls.Config{}
+		}
+		transport.TLSClientConfig.RootCAs = CaCertPool
+		// No http2.ConfigureTransport() here.
+		// For now this is only added in places where
+		// an http.Transport is actually created.
+	} else if transport, ok := rp.Transport.(*h2quic.RoundTripper); ok {
+		if transport.TLSClientConfig == nil {
+			transport.TLSClientConfig = &tls.Config{}
+		}
+		transport.TLSClientConfig.RootCAs = CaCertPool
+	}
+}
+
 // ServeHTTP serves the proxied request to the upstream by performing a roundtrip.
 // It is designed to handle websocket connection upgrades as well.
 func (rp *ReverseProxy) ServeHTTP(rw http.ResponseWriter, outreq *http.Request, respUpdateFn respUpdateFn) error {