diff options
| author | Yaacov Akiba Slama <yaslama@gmail.com> | 2022-06-10 18:33:35 +0300 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-06-10 09:33:35 -0600 |
| commit | aaf6794b31ca790ecc501edf983ebf95a45b3897 (patch) | |
| tree | 2c86f30ada2ca95da96c0ad54760b087cf5deb18 /modules | |
| parent | 1498132ea3c4f01d3be41812dbd02364cb77d263 (diff) | |
reverseproxy: Add renegotiation param in TLS client (#4784)
* Add renegotiation option in reverseproxy tls client
* Update modules/caddyhttp/reverseproxy/httptransport.go
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
Diffstat (limited to 'modules')
| -rw-r--r-- | modules/caddyhttp/reverseproxy/caddyfile.go | 14 | ||||
| -rw-r--r-- | modules/caddyhttp/reverseproxy/httptransport.go | 20 |
2 files changed, 34 insertions, 0 deletions
diff --git a/modules/caddyhttp/reverseproxy/caddyfile.go b/modules/caddyhttp/reverseproxy/caddyfile.go index ebea49e..dfb30d8 100644 --- a/modules/caddyhttp/reverseproxy/caddyfile.go +++ b/modules/caddyhttp/reverseproxy/caddyfile.go @@ -922,6 +922,20 @@ func (h *HTTPTransport) UnmarshalCaddyfile(d *caddyfile.Dispenser) error { return d.ArgErr() } + case "renegotiation": + if h.TLS == nil { + h.TLS = new(TLSConfig) + } + if !d.NextArg() { + return d.ArgErr() + } + switch renegotiation := d.Val(); renegotiation { + case "never", "once", "freely": + h.TLS.Renegotiation = renegotiation + default: + return d.ArgErr() + } + case "tls": if h.TLS == nil { h.TLS = new(TLSConfig) diff --git a/modules/caddyhttp/reverseproxy/httptransport.go b/modules/caddyhttp/reverseproxy/httptransport.go index 54cdb70..e6ff188 100644 --- a/modules/caddyhttp/reverseproxy/httptransport.go +++ b/modules/caddyhttp/reverseproxy/httptransport.go @@ -324,6 +324,14 @@ type TLSConfig struct { // support placeholders because the TLS config is not provisioned on each // connection, so a static value must be used. ServerName string `json:"server_name,omitempty"` + + // TLS renegotiation level. TLS renegotiation is the act of performing + // subsequent handshakes on a connection after the first. + // The level can be: + // - "never": (the default) disables renegotiation. + // - "once": allows a remote server to request renegotiation once per connection. + // - "freely": allows a remote server to repeatedly request renegotiation. + Renegotiation string `json:"renegotiation,omitempty"` } // MakeTLSClientConfig returns a tls.Config usable by a client to a backend. @@ -393,6 +401,18 @@ func (t TLSConfig) MakeTLSClientConfig(ctx caddy.Context) (*tls.Config, error) { cfg.RootCAs = rootPool } + // Renegotiation + switch t.Renegotiation { + case "never": + cfg.Renegotiation = tls.RenegotiateNever + case "once": + cfg.Renegotiation = tls.RenegotiateOnceAsClient + case "freely": + cfg.Renegotiation = tls.RenegotiateFreelyAsClient + default: + return nil, fmt.Errorf("invalid TLS renegotiation level: %v", t.Renegotiation) + } + // override for the server name used verify the TLS handshake cfg.ServerName = t.ServerName |