	reverseproxy: Add tls_curves option to HTTP transport (#5851)
				
					
				
			This commit is contained in:
		
							parent
							
								
									cc0c0cf03e
								
							
						
					
					
						commit
						f658fd05ac
					
				| @ -1072,6 +1072,16 @@ func (h *HTTPTransport) UnmarshalCaddyfile(d *caddyfile.Dispenser) error { | ||||
| 				} | ||||
| 				h.TLS.InsecureSkipVerify = true | ||||
| 
 | ||||
| 			case "tls_curves": | ||||
| 				args := d.RemainingArgs() | ||||
| 				if len(args) == 0 { | ||||
| 					return d.ArgErr() | ||||
| 				} | ||||
| 				if h.TLS == nil { | ||||
| 					h.TLS = new(TLSConfig) | ||||
| 				} | ||||
| 				h.TLS.Curves = args | ||||
| 
 | ||||
| 			case "tls_timeout": | ||||
| 				if !d.NextArg() { | ||||
| 					return d.ArgErr() | ||||
|  | ||||
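Review bot: The new `tls_curves` case stores the arguments unvalidated (`h.TLS.Curves = args`), so a misspelled curve name is accepted at Caddyfile parse time and is only resolved later when MakeTLSClientConfig looks it up, where the user gets no pointer back to the offending Caddyfile line. If the caddytls package is already in scope in this file, a parse-time check would give the better error: `for _, name := range args { if _, ok := caddytls.SupportedCurves[name]; !ok { return d.Errf("unsupported curve %q", name) } }`. The other cases in this switch only set scalar fields, so this list-valued option is the first one where such a check matters. UnmarshalCaddyfile starts and ends outside the hunk.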
| @ -491,6 +491,10 @@ type TLSConfig struct { | ||||
| 	// When specified, TLS will automatically be configured on the transport. | ||||
| 	// The value can be a list of any valid tcp port numbers, default empty. | ||||
| 	ExceptPorts []string `json:"except_ports,omitempty"` | ||||
| 
 | ||||
| 	// The list of elliptic curves to support. Caddy's | ||||
| 	// defaults are modern and secure. | ||||
| 	Curves []string `json:"curves,omitempty"` | ||||
| } | ||||
| 
 | ||||
| // MakeTLSClientConfig returns a tls.Config usable by a client to a backend. | ||||
| @ -579,6 +583,15 @@ func (t TLSConfig) MakeTLSClientConfig(ctx caddy.Context) (*tls.Config, error) { | ||||
| 	// throw all security out the window | ||||
| 	cfg.InsecureSkipVerify = t.InsecureSkipVerify | ||||
| 
 | ||||
| 	curvesAdded := make(map[tls.CurveID]struct{}) | ||||
| 	for _, curveName := range t.Curves { | ||||
| 		curveID := caddytls.SupportedCurves[curveName] | ||||
| 		if _, ok := curvesAdded[curveID]; !ok { | ||||
| 			curvesAdded[curveID] = struct{}{} | ||||
| 			cfg.CurvePreferences = append(cfg.CurvePreferences, curveID) | ||||
| 		} | ||||
| 	} | ||||
| 
 | ||||
| 	// only return a config if it's not empty | ||||
| 	if reflect.DeepEqual(cfg, new(tls.Config)) { | ||||
| 		return nil, nil | ||||
|  | ||||
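Review bot: The lookup `curveID := caddytls.SupportedCurves[curveName]` discards the map's `ok` result, so an unknown or misspelled name yields the zero CurveID, which is then deduplicated and appended to `cfg.CurvePreferences` as if it were valid; the config builds without error and the mismatch between what was configured and what is offered surfaces, if at all, only as a handshake failure against the backend. Failing at config time is the safer behavior here, assuming fmt is already imported in this file: `curveID, ok := caddytls.SupportedCurves[curveName]` followed by `if !ok { return nil, fmt.Errorf("unsupported curve %q", curveName) }`. The same check would also protect the JSON config path, which the Caddyfile parser does not cover. MakeTLSClientConfig's body continues outside the hunk.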