reverse_proxy: Add tls_trusted_ca_certs to Caddyfile (#2936)

Allows specifying ca certs with by filename in `reverse_proxy.transport`. Example ``` reverse_proxy /api api:443 { transport http { tls tls_trusted_ca_certs certs/rootCA.pem } } ```
author: Zaq? Wiedmann <zaquestion@gmail.com> 2020-01-07 11:07:42 -0800
committer: Matt Holt <mholt@users.noreply.github.com> 2020-01-07 12:07:42 -0700
commit: 21f1f95e7b4d37786c34eff8965a284340c2164a (patch)
tree: 747d3cc74208e747887804bb35c3dedc5aca5f6a /modules/caddyhttp/reverseproxy/httptransport.go
parent: 78e98c40d35c0b3bc933886ce11cbf2d0cf44c99 (diff)
1 files changed, 15 insertions, 1 deletions
diff --git a/modules/caddyhttp/reverseproxy/httptransport.go b/modules/caddyhttp/reverseproxy/httptransport.go
index 1dd1d14..75f2786 100644
--- a/modules/caddyhttp/reverseproxy/httptransport.go
+++ b/modules/caddyhttp/reverseproxy/httptransport.go
@@ -20,6 +20,7 @@ import (
 	"crypto/x509"
 	"encoding/base64"
 	"fmt"
+	"io/ioutil"
 	"net"
 	"net/http"
 	"reflect"
@@ -166,6 +167,9 @@ func (h *HTTPTransport) setScheme(req *http.Request) {
 
 // Cleanup implements caddy.CleanerUpper and closes any idle connections.
 func (h HTTPTransport) Cleanup() error {
+	if h.Transport == nil {
+		return nil
+	}
 	h.Transport.CloseIdleConnections()
 	return nil
 }
@@ -174,6 +178,8 @@ func (h HTTPTransport) Cleanup() error {
 // TLS configuration for the transport/client.
 type TLSConfig struct {
 	RootCAPool []string `json:"root_ca_pool,omitempty"`
+	// Added to the same pool as above, but brought in from files
+	RootCAPemFiles []string `json:"root_ca_pem_files,omitempty"`
 	// TODO: Should the client cert+key config use caddytls.CertificateLoader modules?
 	ClientCertificateFile    string         `json:"client_certificate_file,omitempty"`
 	ClientCertificateKeyFile string         `json:"client_certificate_key_file,omitempty"`
@@ -203,7 +209,7 @@ func (t TLSConfig) MakeTLSClientConfig() (*tls.Config, error) {
 	}
 
 	// trusted root CAs
-	if len(t.RootCAPool) > 0 {
+	if len(t.RootCAPool) > 0 || len(t.RootCAPemFiles) > 0 {
 		rootPool := x509.NewCertPool()
 		for _, encodedCACert := range t.RootCAPool {
 			caCert, err := decodeBase64DERCert(encodedCACert)
@@ -212,6 +218,14 @@ func (t TLSConfig) MakeTLSClientConfig() (*tls.Config, error) {
 			}
 			rootPool.AddCert(caCert)
 		}
+		for _, pemFile := range t.RootCAPemFiles {
+			pemData, err := ioutil.ReadFile(pemFile)
+			if err != nil {
+				return nil, fmt.Errorf("failed reading ca cert: %v", err)
+			}
+			rootPool.AppendCertsFromPEM(pemData)
+
+		}
 		cfg.RootCAs = rootPool
 	}
author	Zaq? Wiedmann <zaquestion@gmail.com>	2020-01-07 11:07:42 -0800
committer	Matt Holt <mholt@users.noreply.github.com>	2020-01-07 12:07:42 -0700
commit	21f1f95e7b4d37786c34eff8965a284340c2164a (patch)
tree	747d3cc74208e747887804bb35c3dedc5aca5f6a /modules/caddyhttp/reverseproxy/httptransport.go
parent	78e98c40d35c0b3bc933886ce11cbf2d0cf44c99 (diff)