author | Alexander M <3055245+varianone@users.noreply.github.com> | 2022-05-29 23:33:01 +0300 |
committer | GitHub <noreply@github.com> | 2022-05-29 14:33:01 -0600 |
commit | a9267791c4b34b06cfb71d7cf8bee203545a3677 (patch) | |
tree | 155d29cb604ba40a47fdb00c3259fa711163bb8b | |
parent | ef0aaca0d6ca3f4aece20e4d97d546e0d48d17fe (diff) |
reverseproxy: Add --internal-certs CLI flag #3589 (#4817)
Added the --internal-certs flag.
When set, the internal CA will be used for certificate generation for non-local domains.
-rw-r--r-- | modules/caddyhttp/reverseproxy/command.go | 24 |
1 files changed, 20 insertions, 4 deletions
diff --git a/modules/caddyhttp/reverseproxy/command.go b/modules/caddyhttp/reverseproxy/command.go
index 121142c..6153b6e 100644
--- a/modules/caddyhttp/reverseproxy/command.go
+++ b/modules/caddyhttp/reverseproxy/command.go
@@ -27,6 +27,7 @@ import (
 	caddycmd "github.com/caddyserver/caddy/v2/cmd"
 	"github.com/caddyserver/caddy/v2/modules/caddyhttp"
 	"github.com/caddyserver/caddy/v2/modules/caddyhttp/headers"
+	"github.com/caddyserver/caddy/v2/modules/caddytls"
 )
 
 func init() {
@@ -59,6 +60,7 @@ default, all incoming headers are passed through unmodified.)
 			fs.String("to", "", "Upstream address to which traffic should be sent")
 			fs.Bool("change-host-header", false, "Set upstream Host header to address of upstream")
 			fs.Bool("insecure", false, "Disable TLS verification (WARNING: DISABLES SECURITY BY NOT VERIFYING SSL CERTIFICATES!)")
+			fs.Bool("internal-certs", false, "Use internal CA for issuing certs")
 			return fs
 		}(),
 	})
@@ -71,6 +73,7 @@ func cmdReverseProxy(fs caddycmd.Flags) (int, error) {
 	to := fs.String("to")
 	changeHost := fs.Bool("change-host-header")
 	insecure := fs.Bool("insecure")
+	internalCerts := fs.Bool("internal-certs")
 
 	httpPort := strconv.Itoa(caddyhttp.DefaultHTTPPort)
 	httpsPort := strconv.Itoa(caddyhttp.DefaultHTTPSPort)
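Review bot: The help text on the new `fs.Bool("internal-certs", ...)` line in the @@ -59 hunk does not tell the operator what changes relative to the default or what the consequence is; the commit description says the internal CA is then used for non-local domains, which is the part a user needs to know before opting in. Suggest `fs.Bool("internal-certs", false, "Use internal CA for issuing certs, including for non-local domains (clients must trust the local CA root)")`, keeping the flag name and default unchanged. The enclosing `init()` flag-registration closure starts and ends outside this hunk.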
@@ -154,11 +157,24 @@ func cmdReverseProxy(fs caddycmd.Flags) (int, error) {
 		Servers: map[string]*caddyhttp.Server{"proxy": server},
 	}
 
+	appsRaw := caddy.ModuleMap{
+		"http": caddyconfig.JSON(httpApp, nil),
+	}
+	if internalCerts && fromAddr.Host != "" {
+		tlsApp := caddytls.TLS{
+			Automation: &caddytls.AutomationConfig{
+				Policies: []*caddytls.AutomationPolicy{{
+					Subjects:   []string{fromAddr.Host},
+					IssuersRaw: []json.RawMessage{json.RawMessage(`{"module":"internal"}`)},
+				}},
+			},
+		}
+		appsRaw["tls"] = caddyconfig.JSON(tlsApp, nil)
+	}
+
 	cfg := &caddy.Config{
-		Admin:   &caddy.AdminConfig{Disabled: true},
-		AppsRaw: caddy.ModuleMap{
-			"http": caddyconfig.JSON(httpApp, nil),
-		},
+		Admin:   &caddy.AdminConfig{Disabled: true},
+		AppsRaw: appsRaw,
 	}
 
 	err = caddy.Run(cfg)
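Review bot: When `--internal-certs` is passed but `fromAddr.Host` is empty, the new `if internalCerts && fromAddr.Host != ""` guard silently skips the tls app, so the operator who explicitly asked for the internal issuer gets the default automation behaviour with no feedback. Since `cmdReverseProxy` returns `(int, error)`, the mismatch is better surfaced up front, e.g. `if internalCerts && fromAddr.Host == "" { return caddy.ExitCodeFailedStartup, fmt.Errorf("--internal-certs requires a host in --from") }` (assuming fmt is imported; the import block is not fully visible here), or at least logged before falling through. A short comment above the block would also help the next reader, e.g. `// --internal-certs: issue the certificate for the --from host from Caddy's local CA instead of the default issuers`. The body of cmdReverseProxy starts and ends outside this hunk.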