summaryrefslogtreecommitdiff
path: root/modules/caddyhttp
diff options
context:
space:
mode:
authorKiss Károly Pál <kiss.karoly@rackhost.hu>2022-06-20 19:51:42 +0200
committerGitHub <noreply@github.com>2022-06-20 11:51:42 -0600
commitb6e96fa3c5fcb7601142b8ad569793a1b9c2c5eb (patch)
tree3b4e61cab7802bc66f35c7f524b129569f7fbfa2 /modules/caddyhttp
parent56013934a4544d092426a1437763dff198560141 (diff)
reverseproxy: Skip TLS for certain configured ports (#4843)
* Make reverse proxy TLS server name replaceable for SNI upstreams. * Reverted previous TLS server name replacement, and implemented thread safe version. * Move TLS servername replacement into it's own function * Moved SNI servername replacement into httptransport. * Solve issue when dynamic upstreams use wrong protocol upstream. * Revert previous commit. Old commit was: Solve issue when dynamic upstreams use wrong protocol upstream. Id: 3c9806ccb63e66bdcac8e1ed4520c9d135cb011d * Added SkipTLSPorts option to http transport. * Fix typo in test config file. * Rename config option as suggested by Matt Co-authored-by: Matt Holt <mholt@users.noreply.github.com> * Update code to match renamed config option. * Fix typo in config option name. * Fix another typo that I missed. * Tests not completing because of apparent wrong ordering of options. Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
Diffstat (limited to 'modules/caddyhttp')
-rw-r--r--modules/caddyhttp/reverseproxy/caddyfile.go9
-rw-r--r--modules/caddyhttp/reverseproxy/httptransport.go20
2 files changed, 28 insertions, 1 deletions
diff --git a/modules/caddyhttp/reverseproxy/caddyfile.go b/modules/caddyhttp/reverseproxy/caddyfile.go
index dfb30d8..b2bdf04 100644
--- a/modules/caddyhttp/reverseproxy/caddyfile.go
+++ b/modules/caddyhttp/reverseproxy/caddyfile.go
@@ -1063,6 +1063,15 @@ func (h *HTTPTransport) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
}
h.MaxConnsPerHost = num
+ case "except_ports":
+ if h.TLS == nil {
+ h.TLS = new(TLSConfig)
+ }
+ h.TLS.ExceptPorts = d.RemainingArgs()
+ if len(h.TLS.ExceptPorts) == 0 {
+ return d.ArgErr()
+ }
+
default:
return d.Errf("unrecognized subdirective %s", d.Val())
}
diff --git a/modules/caddyhttp/reverseproxy/httptransport.go b/modules/caddyhttp/reverseproxy/httptransport.go
index eefc04a..1fac420 100644
--- a/modules/caddyhttp/reverseproxy/httptransport.go
+++ b/modules/caddyhttp/reverseproxy/httptransport.go
@@ -296,9 +296,20 @@ func (h *HTTPTransport) RoundTrip(req *http.Request) (*http.Response, error) {
// has the scheme set in its URL; the underlying
// http.Transport requires a scheme to be set.
func (h *HTTPTransport) SetScheme(req *http.Request) {
+ skipTLSport := false
+ if h.TLS.ExceptPorts != nil {
+ port := req.URL.Port()
+ for i := range h.TLS.ExceptPorts {
+ if h.TLS.ExceptPorts[i] == port {
+ skipTLSport = true
+ break
+ }
+ }
+ }
+
if req.URL.Scheme == "" {
req.URL.Scheme = "http"
- if h.TLS != nil {
+ if h.TLS != nil && !skipTLSport {
req.URL.Scheme = "https"
}
}
@@ -369,6 +380,13 @@ type TLSConfig struct {
// - "once": allows a remote server to request renegotiation once per connection.
// - "freely": allows a remote server to repeatedly request renegotiation.
Renegotiation string `json:"renegotiation,omitempty"`
+
+ // Skip TLS ports specifies a list of upstream ports on which TLS should not be
+ // attempted even if it is configured. Handy when using dynamic upstreams that
+ // return HTTP and HTTPS endpoints too.
+ // When specified, TLS will automatically be configured on the transport.
+ // The value can be a list of any valid tcp port numbers, default empty.
+ ExceptPorts []string `json:"except_ports,omitempty"`
}
// MakeTLSClientConfig returns a tls.Config usable by a client to a backend.