diff options
author | Zaq? Wiedmann <zaquestion@gmail.com> | 2020-01-07 11:07:42 -0800 |
---|---|---|
committer | Matt Holt <mholt@users.noreply.github.com> | 2020-01-07 12:07:42 -0700 |
commit | 21f1f95e7b4d37786c34eff8965a284340c2164a (patch) | |
tree | 747d3cc74208e747887804bb35c3dedc5aca5f6a /modules/caddyhttp/reverseproxy/httptransport.go | |
parent | 78e98c40d35c0b3bc933886ce11cbf2d0cf44c99 (diff) |
reverse_proxy: Add tls_trusted_ca_certs to Caddyfile (#2936)
Allows specifying ca certs with by filename in
`reverse_proxy.transport`.
Example
```
reverse_proxy /api api:443 {
transport http {
tls
tls_trusted_ca_certs certs/rootCA.pem
}
}
```
Diffstat (limited to 'modules/caddyhttp/reverseproxy/httptransport.go')
-rw-r--r-- | modules/caddyhttp/reverseproxy/httptransport.go | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/modules/caddyhttp/reverseproxy/httptransport.go b/modules/caddyhttp/reverseproxy/httptransport.go index 1dd1d14..75f2786 100644 --- a/modules/caddyhttp/reverseproxy/httptransport.go +++ b/modules/caddyhttp/reverseproxy/httptransport.go @@ -20,6 +20,7 @@ import ( "crypto/x509" "encoding/base64" "fmt" + "io/ioutil" "net" "net/http" "reflect" @@ -166,6 +167,9 @@ func (h *HTTPTransport) setScheme(req *http.Request) { // Cleanup implements caddy.CleanerUpper and closes any idle connections. func (h HTTPTransport) Cleanup() error { + if h.Transport == nil { + return nil + } h.Transport.CloseIdleConnections() return nil } @@ -174,6 +178,8 @@ func (h HTTPTransport) Cleanup() error { // TLS configuration for the transport/client. type TLSConfig struct { RootCAPool []string `json:"root_ca_pool,omitempty"` + // Added to the same pool as above, but brought in from files + RootCAPemFiles []string `json:"root_ca_pem_files,omitempty"` // TODO: Should the client cert+key config use caddytls.CertificateLoader modules? ClientCertificateFile string `json:"client_certificate_file,omitempty"` ClientCertificateKeyFile string `json:"client_certificate_key_file,omitempty"` @@ -203,7 +209,7 @@ func (t TLSConfig) MakeTLSClientConfig() (*tls.Config, error) { } // trusted root CAs - if len(t.RootCAPool) > 0 { + if len(t.RootCAPool) > 0 || len(t.RootCAPemFiles) > 0 { rootPool := x509.NewCertPool() for _, encodedCACert := range t.RootCAPool { caCert, err := decodeBase64DERCert(encodedCACert) @@ -212,6 +218,14 @@ func (t TLSConfig) MakeTLSClientConfig() (*tls.Config, error) { } rootPool.AddCert(caCert) } + for _, pemFile := range t.RootCAPemFiles { + pemData, err := ioutil.ReadFile(pemFile) + if err != nil { + return nil, fmt.Errorf("failed reading ca cert: %v", err) + } + rootPool.AppendCertsFromPEM(pemData) + + } cfg.RootCAs = rootPool } |