summaryrefslogtreecommitdiff
path: root/modules/caddyhttp/reverseproxy
diff options
context:
space:
mode:
Diffstat (limited to 'modules/caddyhttp/reverseproxy')
-rw-r--r--modules/caddyhttp/reverseproxy/caddyfile.go12
-rw-r--r--modules/caddyhttp/reverseproxy/httptransport.go16
2 files changed, 27 insertions, 1 deletions
diff --git a/modules/caddyhttp/reverseproxy/caddyfile.go b/modules/caddyhttp/reverseproxy/caddyfile.go
index c9afa2a..99b6bfe 100644
--- a/modules/caddyhttp/reverseproxy/caddyfile.go
+++ b/modules/caddyhttp/reverseproxy/caddyfile.go
@@ -425,6 +425,7 @@ func (h *Handler) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
// tls_client_auth <cert_file> <key_file>
// tls_insecure_skip_verify
// tls_timeout <duration>
+// tls_trusted_ca_certs <cert_files...>
// keepalive [off|<duration>]
// keepalive_idle_conns <max_count>
// }
@@ -501,6 +502,17 @@ func (h *HTTPTransport) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
}
h.TLS.HandshakeTimeout = caddy.Duration(dur)
+ case "tls_trusted_ca_certs":
+ args := d.RemainingArgs()
+ if len(args) == 0 {
+ return d.ArgErr()
+ }
+ if h.TLS == nil {
+ h.TLS = new(TLSConfig)
+ }
+
+ h.TLS.RootCAPemFiles = args
+
case "keepalive":
if !d.NextArg() {
return d.ArgErr()
diff --git a/modules/caddyhttp/reverseproxy/httptransport.go b/modules/caddyhttp/reverseproxy/httptransport.go
index 1dd1d14..75f2786 100644
--- a/modules/caddyhttp/reverseproxy/httptransport.go
+++ b/modules/caddyhttp/reverseproxy/httptransport.go
@@ -20,6 +20,7 @@ import (
"crypto/x509"
"encoding/base64"
"fmt"
+ "io/ioutil"
"net"
"net/http"
"reflect"
@@ -166,6 +167,9 @@ func (h *HTTPTransport) setScheme(req *http.Request) {
// Cleanup implements caddy.CleanerUpper and closes any idle connections.
func (h HTTPTransport) Cleanup() error {
+ if h.Transport == nil {
+ return nil
+ }
h.Transport.CloseIdleConnections()
return nil
}
@@ -174,6 +178,8 @@ func (h HTTPTransport) Cleanup() error {
// TLS configuration for the transport/client.
type TLSConfig struct {
RootCAPool []string `json:"root_ca_pool,omitempty"`
+ // Added to the same pool as above, but brought in from files
+ RootCAPemFiles []string `json:"root_ca_pem_files,omitempty"`
// TODO: Should the client cert+key config use caddytls.CertificateLoader modules?
ClientCertificateFile string `json:"client_certificate_file,omitempty"`
ClientCertificateKeyFile string `json:"client_certificate_key_file,omitempty"`
@@ -203,7 +209,7 @@ func (t TLSConfig) MakeTLSClientConfig() (*tls.Config, error) {
}
// trusted root CAs
- if len(t.RootCAPool) > 0 {
+ if len(t.RootCAPool) > 0 || len(t.RootCAPemFiles) > 0 {
rootPool := x509.NewCertPool()
for _, encodedCACert := range t.RootCAPool {
caCert, err := decodeBase64DERCert(encodedCACert)
@@ -212,6 +218,14 @@ func (t TLSConfig) MakeTLSClientConfig() (*tls.Config, error) {
}
rootPool.AddCert(caCert)
}
+ for _, pemFile := range t.RootCAPemFiles {
+ pemData, err := ioutil.ReadFile(pemFile)
+ if err != nil {
+ return nil, fmt.Errorf("failed reading ca cert: %v", err)
+ }
+ rootPool.AppendCertsFromPEM(pemData)
+
+ }
cfg.RootCAs = rootPool
}