author | Kiss Károly Pál <kiss.karoly@rackhost.hu> | 2022-06-20 19:51:42 +0200 |
committer | GitHub <noreply@github.com> | 2022-06-20 11:51:42 -0600 |
commit | b6e96fa3c5fcb7601142b8ad569793a1b9c2c5eb (patch) | |
tree | 3b4e61cab7802bc66f35c7f524b129569f7fbfa2 | |
parent | 56013934a4544d092426a1437763dff198560141 (diff) |
reverseproxy: Skip TLS for certain configured ports (#4843)
* Make reverse proxy TLS server name replaceable for SNI upstreams.
* Reverted previous TLS server name replacement, and implemented thread safe version.
* Move TLS servername replacement into its own function
* Moved SNI servername replacement into httptransport.
* Solve issue when dynamic upstreams use wrong protocol upstream.
* Revert previous commit.
Old commit was: Solve issue when dynamic upstreams use wrong protocol upstream.
Id: 3c9806ccb63e66bdcac8e1ed4520c9d135cb011d
* Added SkipTLSPorts option to http transport.
* Fix typo in test config file.
* Rename config option as suggested by Matt
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* Update code to match renamed config option.
* Fix typo in config option name.
* Fix another typo that I missed.
* Tests not completing because of apparent wrong ordering of options.
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
-rw-r--r-- | caddytest/integration/caddyfile_adapt/reverse_proxy_options.txt | 5 | ||||
-rw-r--r-- | modules/caddyhttp/reverseproxy/caddyfile.go | 9 | ||||
-rw-r--r-- | modules/caddyhttp/reverseproxy/httptransport.go | 20 |
3 files changed, 33 insertions, 1 deletions
diff --git a/caddytest/integration/caddyfile_adapt/reverse_proxy_options.txt b/caddytest/integration/caddyfile_adapt/reverse_proxy_options.txt
index 29f6d23..ea740f6 100644
--- a/caddytest/integration/caddyfile_adapt/reverse_proxy_options.txt
+++ b/caddytest/integration/caddyfile_adapt/reverse_proxy_options.txt
@@ -25,6 +25,7 @@ https://example.com {
 keepalive_idle_conns_per_host 2
 keepalive_interval 30s
 renegotiation freely
+ except_ports 8181 8182
 }
 }
 }
@@ -93,6 +94,10 @@ https://example.com {
 },
 "response_header_timeout": 8000000000,
 "tls": {
+ "except_ports": [
+ "8181",
+ "8182"
+ ],
 "renegotiation": "freely"
 },
 "versions": [
diff --git a/modules/caddyhttp/reverseproxy/caddyfile.go b/modules/caddyhttp/reverseproxy/caddyfile.go
index dfb30d8..b2bdf04 100644
--- a/modules/caddyhttp/reverseproxy/caddyfile.go
+++ b/modules/caddyhttp/reverseproxy/caddyfile.go
@@ -1063,6 +1063,15 @@ func (h *HTTPTransport) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 }
 h.MaxConnsPerHost = num
 
+ case "except_ports":
+ if h.TLS == nil {
+ h.TLS = new(TLSConfig)
+ }
+ h.TLS.ExceptPorts = d.RemainingArgs()
+ if len(h.TLS.ExceptPorts) == 0 {
+ return d.ArgErr()
+ }
+
 default:
 return d.Errf("unrecognized subdirective %s", d.Val())
 }
diff --git a/modules/caddyhttp/reverseproxy/httptransport.go b/modules/caddyhttp/reverseproxy/httptransport.go
index eefc04a..1fac420 100644
--- a/modules/caddyhttp/reverseproxy/httptransport.go
+++ b/modules/caddyhttp/reverseproxy/httptransport.go
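Review bot: The new `except_ports` case stores `d.RemainingArgs()` without checking that each value is actually a port, and the consumer in httptransport.go compares these values as plain strings against `req.URL.Port()`, so a typo or a non-canonical form (a constructed example: `08181`) is accepted at adapt time and then silently never matches, leaving that upstream on the opposite scheme from what the operator intended. Rejecting anything that is not a canonical decimal port number here turns that into a config-load error; `strconv` is likely already imported in this file given the parsed `num` assigned just above, but confirm before relying on it. This case also allocates a `TLSConfig` when none exists, so `except_ports` alone switches TLS on for every other upstream port — that side effect deserves a short comment at the `h.TLS = new(TLSConfig)` line, e.g. `// enables TLS on the transport as a side effect; see TLSConfig.ExceptPorts`. UnmarshalCaddyfile begins and ends outside this hunk.
```go
			h.TLS.ExceptPorts = d.RemainingArgs()
			// … unchanged: empty-argument check …
			// Reject values that can never match: SetScheme compares these
			// textually with req.URL.Port(), so require the canonical form.
			for _, p := range h.TLS.ExceptPorts {
				n, err := strconv.ParseUint(p, 10, 16)
				if err != nil || n == 0 || strconv.FormatUint(n, 10) != p {
					return d.Errf("except_ports: invalid port %q", p)
				}
			}
```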
@@ -296,9 +296,20 @@ func (h *HTTPTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 // has the scheme set in its URL; the underlying
 // http.Transport requires a scheme to be set.
 func (h *HTTPTransport) SetScheme(req *http.Request) {
+ skipTLSport := false
+ if h.TLS.ExceptPorts != nil {
+ port := req.URL.Port()
+ for i := range h.TLS.ExceptPorts {
+ if h.TLS.ExceptPorts[i] == port {
+ skipTLSport = true
+ break
+ }
+ }
+ }
+
 if req.URL.Scheme == "" {
 req.URL.Scheme = "http"
- if h.TLS != nil {
+ if h.TLS != nil && !skipTLSport {
 req.URL.Scheme = "https"
 }
 }
@@ -369,6 +380,13 @@ type TLSConfig struct {
 // - "once": allows a remote server to request renegotiation once per connection.
 // - "freely": allows a remote server to repeatedly request renegotiation.
 Renegotiation string `json:"renegotiation,omitempty"`
+
+ // Skip TLS ports specifies a list of upstream ports on which TLS should not be
+ // attempted even if it is configured. Handy when using dynamic upstreams that
+ // return HTTP and HTTPS endpoints too.
+ // When specified, TLS will automatically be configured on the transport.
+ // The value can be a list of any valid tcp port numbers, default empty.
+ ExceptPorts []string `json:"except_ports,omitempty"`
 }
 
 // MakeTLSClientConfig returns a tls.Config usable by a client to a backend.
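Review bot: `h.TLS.ExceptPorts` is dereferenced on the second added line of SetScheme before the pre-existing `h.TLS != nil` check lower down, so a transport with no `tls` block (h.TLS nil — exactly the state the lower branch exists to handle) hits a nil-pointer panic on the first request that reaches this function, and since RoundTrip calls SetScheme for every request this is a crash in the ordinary plaintext-upstream configuration. The guard is a one-line change: `if h.TLS != nil && h.TLS.ExceptPorts != nil {` (or just `if h.TLS != nil {`, since ranging over a nil slice is a no-op). Two further points worth a `// note:` comment here: `req.URL.Port()` is the empty string when the upstream address carries no explicit port, so a default-port upstream can never be excluded, and the match is exact string equality, so only the textual form configured will match. SetScheme's closing brace is outside the hunk.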
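Review bot: The doc comment on the new field still opens with `Skip TLS ports specifies ...`, the name from before the rename recorded in the commit message, so godoc and the generated JSON-schema docs for `except_ports` no longer start with the identifier; the first line should read `// ExceptPorts specifies a list of upstream ports on which TLS should not be`. While touching it, `tcp` should be `TCP`, and the comment should say that values are matched textually against the port in the upstream URL — so each entry must be written exactly as it appears there, and an upstream with no explicit port is never matched — because that is what the comparison in SetScheme above does and operators will otherwise assume numeric matching. The `type TLSConfig struct` line is outside this hunk.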