diff options
author | Alexandre Stein <astein58@gmail.com> | 2019-09-03 17:35:36 +0200 |
---|---|---|
committer | Matt Holt <mholt@users.noreply.github.com> | 2019-09-03 09:35:36 -0600 |
commit | 50961ecc77eb7e6a33f823da1d9eea6554a14b43 (patch) | |
tree | ddab36b2122e6b5bbacb8c2b5a45731e74f0696e /modules/caddyhttp/server.go | |
parent | 8e821b5039bd6983814a6b1d11894a649c44f74a (diff) |
Initial implementation of TLS client authentication (#2731)
* Add support for client TLS authentication
Signed-off-by: Alexandre Stein <alexandre_stein@interlab-net.com>
* make and use client authentication struct
* force StrictSNIHost if TLSConnPolicies is not empty
* Implement leafs verification
* Fixes issue when using multiple verification
* applies the comments from maintainers
* Apply comment
* Refactor/cleanup initial TLS client auth implementation
Diffstat (limited to 'modules/caddyhttp/server.go')
-rw-r--r-- | modules/caddyhttp/server.go | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/modules/caddyhttp/server.go b/modules/caddyhttp/server.go index f820f71..c1d2683 100644 --- a/modules/caddyhttp/server.go +++ b/modules/caddyhttp/server.go @@ -40,7 +40,7 @@ type Server struct { TLSConnPolicies caddytls.ConnectionPolicies `json:"tls_connection_policies,omitempty"` AutoHTTPS *AutoHTTPSConfig `json:"automatic_https,omitempty"` MaxRehandles *int `json:"max_rehandles,omitempty"` - StrictSNIHost bool `json:"strict_sni_host,omitempty"` // TODO: see if we can turn this on by default when clientauth is configured + StrictSNIHost bool `json:"strict_sni_host,omitempty"` tlsApp *caddytls.TLS } @@ -181,6 +181,15 @@ func (s *Server) listenersUseAnyPortOtherThan(otherPort int) bool { return false } +func (s *Server) hasTLSClientAuth() bool { + for _, cp := range s.TLSConnPolicies { + if cp.Active() { + return true + } + } + return false +} + // AutoHTTPSConfig is used to disable automatic HTTPS // or certain aspects of it for a specific server. type AutoHTTPSConfig struct { |