dd393ce3
Commit
dd393ce3
authored
Dec 05, 2018
by
Łukasz Nowak
Committed by
Łukasz Nowak
Dec 06, 2018
Implement own CA certificates of backends
/reviewed-on
!1
parent
527de186
Changes
2
Showing
2 changed files
with
51 additions
and
0 deletions
+51
-0
caddyhttp/proxy/reverseproxy.go
caddyhttp/proxy/reverseproxy.go
+20
-0
caddyhttp/proxy/upstream.go
caddyhttp/proxy/upstream.go
+31
-0
caddyhttp/proxy/reverseproxy.go
...
...
@@ -28,6 +28,7 @@ package proxy
import
(
"context"
"crypto/tls"
"crypto/x509"
"fmt"
"io"
"net"
...
...
@@ -310,6 +311,25 @@ func (rp *ReverseProxy) UseInsecureTransport() {
}
}
// UseOwnCertificate is used to facilitate HTTPS proxying
// with locally provided certificate.
func
(
rp
*
ReverseProxy
)
UseOwnCACertificates
(
CaCertPool
*
x509
.
CertPool
)
{
if
transport
,
ok
:=
rp
.
Transport
.
(
*
http
.
Transport
);
ok
{
if
transport
.
TLSClientConfig
==
nil
{
transport
.
TLSClientConfig
=
&
tls
.
Config
{}
}
transport
.
TLSClientConfig
.
RootCAs
=
CaCertPool
// No http2.ConfigureTransport() here.
// For now this is only added in places where
// an http.Transport is actually created.
}
else
if
transport
,
ok
:=
rp
.
Transport
.
(
*
h2quic
.
RoundTripper
);
ok
{
if
transport
.
TLSClientConfig
==
nil
{
transport
.
TLSClientConfig
=
&
tls
.
Config
{}
}
transport
.
TLSClientConfig
.
RootCAs
=
CaCertPool
}
}
// ServeHTTP serves the proxied request to the upstream by performing a roundtrip.
// It is designed to handle websocket connection upgrades as well.
func
(
rp
*
ReverseProxy
)
ServeHTTP
(
rw
http
.
ResponseWriter
,
outreq
*
http
.
Request
,
respUpdateFn
respUpdateFn
)
error
{
...
...
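Review bot: The doc comment on the new method names `UseOwnCertificate`, but the method is `UseOwnCACertificates`, so godoc will not associate the two and the wording hides the security-relevant effect; replace it with `// UseOwnCACertificates installs pool as the RootCAs of the transport's TLS client config, so backend certificates must chain to one of these CAs and the system roots are no longer consulted.` followed by `// It is a no-op when rp.Transport is neither *http.Transport nor *h2quic.RoundTripper.`. The parameter `CaCertPool` is exported-style in a parameter position; Go convention is lower camel case, e.g. `caPool`, which also avoids confusion with the `CaCertPool` struct field added in upstream.go. The silent no-op for an unrecognised Transport appears to mirror `UseInsecureTransport` just above, whose body is only partly visible in the hunk, so documenting it is the minimum; a caller cannot otherwise tell that its CA pool was ignored. The enclosing `ServeHTTP` declaration at the end of the hunk continues outside it.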
caddyhttp/proxy/upstream.go
...
...
@@ -17,6 +17,7 @@ package proxy
import
(
"bytes"
"context"
"crypto/x509"
"fmt"
"io"
"io/ioutil"
...
...
@@ -73,6 +74,7 @@ type staticUpstream struct {
resolver
srvResolver
upstreamHeaderReplacements
headerReplacements
downstreamHeaderReplacements
headerReplacements
CaCertPool
*
x509
.
CertPool
}
type
srvResolver
interface
{
...
...
@@ -259,6 +261,9 @@ func (u *staticUpstream) NewHost(host string) (*UpstreamHost, error) {
if
u
.
insecureSkipVerify
{
uh
.
ReverseProxy
.
UseInsecureTransport
()
}
if
u
.
CaCertPool
!=
nil
{
uh
.
ReverseProxy
.
UseOwnCACertificates
(
u
.
CaCertPool
)
}
return
uh
,
nil
}
...
...
@@ -515,6 +520,32 @@ func parseBlock(c *caddyfile.Dispenser, u *staticUpstream, hasSrv bool) error {
u
.
IgnoredSubPaths
=
ignoredPaths
case
"insecure_skip_verify"
:
u
.
insecureSkipVerify
=
true
case
"ca_certificates"
:
caCertificates
:=
c
.
RemainingArgs
()
if
len
(
caCertificates
)
==
0
{
return
c
.
ArgErr
()
}
pool
:=
x509
.
NewCertPool
()
caCertificatesAdded
:=
make
(
map
[
string
]
struct
{})
for
_
,
caFile
:=
range
caCertificates
{
// don't add cert to pool more than once
if
_
,
ok
:=
caCertificatesAdded
[
caFile
];
ok
{
continue
}
caCertificatesAdded
[
caFile
]
=
struct
{}{}
// Any client with a certificate from this CA will be allowed to connect
caCrt
,
err
:=
ioutil
.
ReadFile
(
caFile
)
if
err
!=
nil
{
return
err
}
if
!
pool
.
AppendCertsFromPEM
(
caCrt
)
{
return
fmt
.
Errorf
(
"error loading CA certificate '%s': no certificates were successfully parsed"
,
caFile
)
}
}
u
.
CaCertPool
=
pool
case
"keepalive"
:
if
!
c
.
NextArg
()
{
return
c
.
ArgErr
()
...
...
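Review bot: In the NewHost hunk `UseOwnCACertificates` is applied after `UseInsecureTransport`, and a TLS config with `InsecureSkipVerify` set never consults `RootCAs`, so an upstream block that sets both `insecure_skip_verify` and `ca_certificates` silently ends up with no backend verification while the operator believes the pinned CA is enforced; NewHost already returns an error, so `if u.insecureSkipVerify && u.CaCertPool != nil { return nil, fmt.Errorf("ca_certificates cannot be combined with insecure_skip_verify") }` before the two calls would surface the conflict. In the parseBlock hunk the comment `// Any client with a certificate from this CA will be allowed to connect` describes client authentication, but this pool becomes the transport's `RootCAs`, which verifies the backend's server certificate and replaces the system roots; `// Backends must present a chain that validates to one of these CAs; system roots are not used once a pool is set` states what the code does. The `ioutil.ReadFile` failure is returned bare, losing the path that the parse error two lines later does include; `return fmt.Errorf("error reading CA certificate '%s': %v", caFile, err)` keeps the file's existing message style. The `CaCertPool` field is the only exported name among the unexported `insecureSkipVerify`/`resolver` siblings in the struct hunk and would read `caCertPool` under the file's convention. Both NewHost and parseBlock start and end outside their hunks.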