From 21f1f95e7b4d37786c34eff8965a284340c2164a Mon Sep 17 00:00:00 2001
From: Zaq? Wiedmann <zaquestion@gmail.com>
Date: Tue, 7 Jan 2020 11:07:42 -0800
Subject: reverse_proxy: Add tls_trusted_ca_certs to Caddyfile (#2936)

Allows specifying ca certs with by filename in
`reverse_proxy.transport`.

Example
```
reverse_proxy /api api:443 {
    transport http {
        tls
        tls_trusted_ca_certs certs/rootCA.pem
    }
}
```
---
 modules/caddyhttp/reverseproxy/caddyfile.go     | 12 ++++++++++++
 modules/caddyhttp/reverseproxy/httptransport.go | 16 +++++++++++++++-
 2 files changed, 27 insertions(+), 1 deletion(-)

(limited to 'modules')

diff --git a/modules/caddyhttp/reverseproxy/caddyfile.go b/modules/caddyhttp/reverseproxy/caddyfile.go
index c9afa2a..99b6bfe 100644
--- a/modules/caddyhttp/reverseproxy/caddyfile.go
+++ b/modules/caddyhttp/reverseproxy/caddyfile.go
@@ -425,6 +425,7 @@ func (h *Handler) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 //         tls_client_auth <cert_file> <key_file>
 //         tls_insecure_skip_verify
 //         tls_timeout <duration>
+//         tls_trusted_ca_certs <cert_files...>
 //         keepalive [off|<duration>]
 //         keepalive_idle_conns <max_count>
 //     }
@@ -501,6 +502,17 @@ func (h *HTTPTransport) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 				}
 				h.TLS.HandshakeTimeout = caddy.Duration(dur)
 
+			case "tls_trusted_ca_certs":
+				args := d.RemainingArgs()
+				if len(args) == 0 {
+					return d.ArgErr()
+				}
+				if h.TLS == nil {
+					h.TLS = new(TLSConfig)
+				}
+
+				h.TLS.RootCAPemFiles = args
+
 			case "keepalive":
 				if !d.NextArg() {
 					return d.ArgErr()
diff --git a/modules/caddyhttp/reverseproxy/httptransport.go b/modules/caddyhttp/reverseproxy/httptransport.go
index 1dd1d14..75f2786 100644
--- a/modules/caddyhttp/reverseproxy/httptransport.go
+++ b/modules/caddyhttp/reverseproxy/httptransport.go
@@ -20,6 +20,7 @@ import (
 	"crypto/x509"
 	"encoding/base64"
 	"fmt"
+	"io/ioutil"
 	"net"
 	"net/http"
 	"reflect"
@@ -166,6 +167,9 @@ func (h *HTTPTransport) setScheme(req *http.Request) {
 
 // Cleanup implements caddy.CleanerUpper and closes any idle connections.
 func (h HTTPTransport) Cleanup() error {
+	if h.Transport == nil {
+		return nil
+	}
 	h.Transport.CloseIdleConnections()
 	return nil
 }
@@ -174,6 +178,8 @@ func (h HTTPTransport) Cleanup() error {
 // TLS configuration for the transport/client.
 type TLSConfig struct {
 	RootCAPool []string `json:"root_ca_pool,omitempty"`
+	// Added to the same pool as above, but brought in from files
+	RootCAPemFiles []string `json:"root_ca_pem_files,omitempty"`
 	// TODO: Should the client cert+key config use caddytls.CertificateLoader modules?
 	ClientCertificateFile    string         `json:"client_certificate_file,omitempty"`
 	ClientCertificateKeyFile string         `json:"client_certificate_key_file,omitempty"`
@@ -203,7 +209,7 @@ func (t TLSConfig) MakeTLSClientConfig() (*tls.Config, error) {
 	}
 
 	// trusted root CAs
-	if len(t.RootCAPool) > 0 {
+	if len(t.RootCAPool) > 0 || len(t.RootCAPemFiles) > 0 {
 		rootPool := x509.NewCertPool()
 		for _, encodedCACert := range t.RootCAPool {
 			caCert, err := decodeBase64DERCert(encodedCACert)
@@ -212,6 +218,14 @@ func (t TLSConfig) MakeTLSClientConfig() (*tls.Config, error) {
 			}
 			rootPool.AddCert(caCert)
 		}
+		for _, pemFile := range t.RootCAPemFiles {
+			pemData, err := ioutil.ReadFile(pemFile)
+			if err != nil {
+				return nil, fmt.Errorf("failed reading ca cert: %v", err)
+			}
+			rootPool.AppendCertsFromPEM(pemData)
+
+		}
 		cfg.RootCAs = rootPool
 	}
 
-- 
cgit v1.2.3