From 21f1f95e7b4d37786c34eff8965a284340c2164a Mon Sep 17 00:00:00 2001
From: Zaq? Wiedmann
Date: Tue, 7 Jan 2020 11:07:42 -0800
Subject: reverse_proxy: Add tls_trusted_ca_certs to Caddyfile (#2936)
Allows specifying ca certs with by filename in `reverse_proxy.transport`. Example ``` reverse_proxy /api api:443 { transport http { tls tls_trusted_ca_certs certs/rootCA.pem } } ```
---
 modules/caddyhttp/reverseproxy/caddyfile.go | 12 ++++++++++++
 1 file changed, 12 insertions(+) (limited to 'modules/caddyhttp/reverseproxy/caddyfile.go')
diff --git a/modules/caddyhttp/reverseproxy/caddyfile.go b/modules/caddyhttp/reverseproxy/caddyfile.go
index c9afa2a..99b6bfe 100644
--- a/modules/caddyhttp/reverseproxy/caddyfile.go
+++ b/modules/caddyhttp/reverseproxy/caddyfile.go
@@ -425,6 +425,7 @@ func (h *Handler) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 // tls_client_auth
 // tls_insecure_skip_verify
 // tls_timeout
+// tls_trusted_ca_certs
 // keepalive [off|]
 // keepalive_idle_conns
 // }
@@ -501,6 +502,17 @@ func (h *HTTPTransport) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 }
 h.TLS.HandshakeTimeout = caddy.Duration(dur)
 
+ case "tls_trusted_ca_certs":
+ args := d.RemainingArgs()
+ if len(args) == 0 {
+ return d.ArgErr()
+ }
+ if h.TLS == nil {
+ h.TLS = new(TLSConfig)
+ }
+
+ h.TLS.RootCAPemFiles = args
+
 case "keepalive":
 if !d.NextArg() {
 return d.ArgErr()
-- cgit v1.2.3
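Review bot: In the new `tls_trusted_ca_certs` case, `h.TLS.RootCAPemFiles = args` assigns rather than appends, so a second `tls_trusted_ca_certs` line in the same `transport http` block silently discards the CA files named on the first. An operator who lists an old and a new root on separate lines during a CA rotation would end up trusting only the last line, with no parse error to say so. Either accumulate with `h.TLS.RootCAPemFiles = append(h.TLS.RootCAPemFiles, args...)` or return `d.Err("tls_trusted_ca_certs already specified")` when the field is already set. The parser also accepts this option alongside `tls_insecure_skip_verify` without complaint; how the transport resolves that pair is not visible here, but if verification is skipped a comment such as `// has no effect when tls_insecure_skip_verify is set` would save readers a surprise. The `UnmarshalCaddyfile` body starts and ends outside this hunk.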