summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorZaq? Wiedmann <zaquestion@gmail.com>2020-01-07 11:07:42 -0800
committerMatt Holt <mholt@users.noreply.github.com>2020-01-07 12:07:42 -0700
commit21f1f95e7b4d37786c34eff8965a284340c2164a (patch)
tree747d3cc74208e747887804bb35c3dedc5aca5f6a
parent78e98c40d35c0b3bc933886ce11cbf2d0cf44c99 (diff)
reverse_proxy: Add tls_trusted_ca_certs to Caddyfile (#2936)
Allows specifying ca certs with by filename in `reverse_proxy.transport`. Example ``` reverse_proxy /api api:443 { transport http { tls tls_trusted_ca_certs certs/rootCA.pem } } ```
-rw-r--r--modules/caddyhttp/reverseproxy/caddyfile.go12
-rw-r--r--modules/caddyhttp/reverseproxy/httptransport.go16
2 files changed, 27 insertions, 1 deletions
diff --git a/modules/caddyhttp/reverseproxy/caddyfile.go b/modules/caddyhttp/reverseproxy/caddyfile.go
index c9afa2a..99b6bfe 100644
--- a/modules/caddyhttp/reverseproxy/caddyfile.go
+++ b/modules/caddyhttp/reverseproxy/caddyfile.go
@@ -425,6 +425,7 @@ func (h *Handler) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
// tls_client_auth <cert_file> <key_file>
// tls_insecure_skip_verify
// tls_timeout <duration>
+// tls_trusted_ca_certs <cert_files...>
// keepalive [off|<duration>]
// keepalive_idle_conns <max_count>
// }
@@ -501,6 +502,17 @@ func (h *HTTPTransport) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
}
h.TLS.HandshakeTimeout = caddy.Duration(dur)
+ case "tls_trusted_ca_certs":
+ args := d.RemainingArgs()
+ if len(args) == 0 {
+ return d.ArgErr()
+ }
+ if h.TLS == nil {
+ h.TLS = new(TLSConfig)
+ }
+
+ h.TLS.RootCAPemFiles = args
+
case "keepalive":
if !d.NextArg() {
return d.ArgErr()
diff --git a/modules/caddyhttp/reverseproxy/httptransport.go b/modules/caddyhttp/reverseproxy/httptransport.go
index 1dd1d14..75f2786 100644
--- a/modules/caddyhttp/reverseproxy/httptransport.go
+++ b/modules/caddyhttp/reverseproxy/httptransport.go
@@ -20,6 +20,7 @@ import (
"crypto/x509"
"encoding/base64"
"fmt"
+ "io/ioutil"
"net"
"net/http"
"reflect"
@@ -166,6 +167,9 @@ func (h *HTTPTransport) setScheme(req *http.Request) {
// Cleanup implements caddy.CleanerUpper and closes any idle connections.
func (h HTTPTransport) Cleanup() error {
+ if h.Transport == nil {
+ return nil
+ }
h.Transport.CloseIdleConnections()
return nil
}
@@ -174,6 +178,8 @@ func (h HTTPTransport) Cleanup() error {
// TLS configuration for the transport/client.
type TLSConfig struct {
RootCAPool []string `json:"root_ca_pool,omitempty"`
+ // Added to the same pool as above, but brought in from files
+ RootCAPemFiles []string `json:"root_ca_pem_files,omitempty"`
// TODO: Should the client cert+key config use caddytls.CertificateLoader modules?
ClientCertificateFile string `json:"client_certificate_file,omitempty"`
ClientCertificateKeyFile string `json:"client_certificate_key_file,omitempty"`
@@ -203,7 +209,7 @@ func (t TLSConfig) MakeTLSClientConfig() (*tls.Config, error) {
}
// trusted root CAs
- if len(t.RootCAPool) > 0 {
+ if len(t.RootCAPool) > 0 || len(t.RootCAPemFiles) > 0 {
rootPool := x509.NewCertPool()
for _, encodedCACert := range t.RootCAPool {
caCert, err := decodeBase64DERCert(encodedCACert)
@@ -212,6 +218,14 @@ func (t TLSConfig) MakeTLSClientConfig() (*tls.Config, error) {
}
rootPool.AddCert(caCert)
}
+ for _, pemFile := range t.RootCAPemFiles {
+ pemData, err := ioutil.ReadFile(pemFile)
+ if err != nil {
+ return nil, fmt.Errorf("failed reading ca cert: %v", err)
+ }
+ rootPool.AppendCertsFromPEM(pemData)
+
+ }
cfg.RootCAs = rootPool
}