diff options
author | Yaacov Akiba Slama <yaslama@gmail.com> | 2022-06-10 18:33:35 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-06-10 09:33:35 -0600 |
commit | aaf6794b31ca790ecc501edf983ebf95a45b3897 (patch) | |
tree | 2c86f30ada2ca95da96c0ad54760b087cf5deb18 | |
parent | 1498132ea3c4f01d3be41812dbd02364cb77d263 (diff) |
reverseproxy: Add renegotiation param in TLS client (#4784)
* Add renegotiation option in reverseproxy tls client
* Update modules/caddyhttp/reverseproxy/httptransport.go
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
-rw-r--r-- | caddytest/integration/caddyfile_adapt/reverse_proxy_options.txt | 5 | ||||
-rw-r--r-- | modules/caddyhttp/reverseproxy/caddyfile.go | 14 | ||||
-rw-r--r-- | modules/caddyhttp/reverseproxy/httptransport.go | 20 |
3 files changed, 38 insertions, 1 deletions
diff --git a/caddytest/integration/caddyfile_adapt/reverse_proxy_options.txt b/caddytest/integration/caddyfile_adapt/reverse_proxy_options.txt index fc07698..29f6d23 100644 --- a/caddytest/integration/caddyfile_adapt/reverse_proxy_options.txt +++ b/caddytest/integration/caddyfile_adapt/reverse_proxy_options.txt @@ -24,6 +24,7 @@ https://example.com { max_conns_per_host 5 keepalive_idle_conns_per_host 2 keepalive_interval 30s + renegotiation freely } } } @@ -91,7 +92,9 @@ https://example.com { ] }, "response_header_timeout": 8000000000, - "tls": {}, + "tls": { + "renegotiation": "freely" + }, "versions": [ "h2c", "2" diff --git a/modules/caddyhttp/reverseproxy/caddyfile.go b/modules/caddyhttp/reverseproxy/caddyfile.go index ebea49e..dfb30d8 100644 --- a/modules/caddyhttp/reverseproxy/caddyfile.go +++ b/modules/caddyhttp/reverseproxy/caddyfile.go @@ -922,6 +922,20 @@ func (h *HTTPTransport) UnmarshalCaddyfile(d *caddyfile.Dispenser) error { return d.ArgErr() } + case "renegotiation": + if h.TLS == nil { + h.TLS = new(TLSConfig) + } + if !d.NextArg() { + return d.ArgErr() + } + switch renegotiation := d.Val(); renegotiation { + case "never", "once", "freely": + h.TLS.Renegotiation = renegotiation + default: + return d.ArgErr() + } + case "tls": if h.TLS == nil { h.TLS = new(TLSConfig) diff --git a/modules/caddyhttp/reverseproxy/httptransport.go b/modules/caddyhttp/reverseproxy/httptransport.go index 54cdb70..e6ff188 100644 --- a/modules/caddyhttp/reverseproxy/httptransport.go +++ b/modules/caddyhttp/reverseproxy/httptransport.go @@ -324,6 +324,14 @@ type TLSConfig struct { // support placeholders because the TLS config is not provisioned on each // connection, so a static value must be used. ServerName string `json:"server_name,omitempty"` + + // TLS renegotiation level. TLS renegotiation is the act of performing + // subsequent handshakes on a connection after the first. + // The level can be: + // - "never": (the default) disables renegotiation. + // - "once": allows a remote server to request renegotiation once per connection. + // - "freely": allows a remote server to repeatedly request renegotiation. + Renegotiation string `json:"renegotiation,omitempty"` } // MakeTLSClientConfig returns a tls.Config usable by a client to a backend. @@ -393,6 +401,18 @@ func (t TLSConfig) MakeTLSClientConfig(ctx caddy.Context) (*tls.Config, error) { cfg.RootCAs = rootPool } + // Renegotiation + switch t.Renegotiation { + case "never": + cfg.Renegotiation = tls.RenegotiateNever + case "once": + cfg.Renegotiation = tls.RenegotiateOnceAsClient + case "freely": + cfg.Renegotiation = tls.RenegotiateFreelyAsClient + default: + return nil, fmt.Errorf("invalid TLS renegotiation level: %v", t.Renegotiation) + } + // override for the server name used verify the TLS handshake cfg.ServerName = t.ServerName |