internal: add custom proxy certificates support to embedded outpost
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
parent
d83d058a4b
commit
22a8603892
@ -88,17 +88,25 @@ func (ps *ProxyServer) Type() string {
func (ps *ProxyServer) TimerFlowCacheExpiry() {}
|
func (ps *ProxyServer) getCertificates(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
app, ok := ps.apps[info.ServerName]
func (ps *ProxyServer) GetCertificate(serverName string) *tls.Certificate {
app, ok := ps.apps[serverName]
if !ok {
ps.log.WithField("server-name", info.ServerName).Debug("app does not exist")
return &ps.defaultCert, nil
ps.log.WithField("server-name", serverName).Debug("app does not exist")
return nil
}
if app.Cert == nil {
ps.log.WithField("server-name", info.ServerName).Debug("app does not have a certificate")
ps.log.WithField("server-name", serverName).Debug("app does not have a certificate")
return nil
}
return app.Cert
}
func (ps *ProxyServer) getCertificates(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
appCert := ps.GetCertificate(info.ServerName)
if appCert == nil {
return &ps.defaultCert, nil
}
return app.Cert, nil
return appCert, nil
}
// ServeHTTP constructs a net.Listener and starts handling HTTP requests
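Review bot: The new exported ProxyServer.GetCertificate (the `func (ps *ProxyServer) GetCertificate(serverName string)` line) has no doc comment and reads `ps.apps[serverName]` with no synchronization visible in this hunk; the companion change makes the WebServer call it from the TLS handshake callback, so it now runs on connection goroutines concurrently with whatever code populates or refreshes ps.apps, and unless that refresh swaps the map wholesale rather than mutating it in place, this is a data race on a map. Suggest adding `// GetCertificate returns the certificate of the application bound to serverName, or nil when the application is unknown or has no certificate configured.` above the signature and confirming (or adding) read-locking around the lookup. The lowercase getCertificates below it is now a thin fallback wrapper; a one-line comment such as `// getCertificates is the tls.Config callback for the outpost's own listener; it falls back to the default certificate.` would make the split between the two purposes clear to the next reader.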
@ -9,16 +9,29 @@ import (
"goauthentik.io/internal/crypto"
)
// ServeHTTPS constructs a net.Listener and starts handling HTTPS requests
func (ws *WebServer) listenTLS() {
func (ws *WebServer) GetCertificate() func(ch *tls.ClientHelloInfo) (*tls.Certificate, error) {
cert, err := crypto.GenerateSelfSignedCert()
if err != nil {
ws.log.WithError(err).Error("failed to generate default cert")
}
return func(ch *tls.ClientHelloInfo) (*tls.Certificate, error) {
if ws.ProxyServer != nil {
appCert := ws.ProxyServer.GetCertificate(ch.ServerName)
if appCert != nil {
return appCert, nil
}
}
ws.log.Trace("using default, self-signed certificate")
return &cert, nil
}
}
// ServeHTTPS constructs a net.Listener and starts handling HTTPS requests
func (ws *WebServer) listenTLS() {
tlsConfig := &tls.Config{
MinVersion: tls.VersionTLS12,
MaxVersion: tls.VersionTLS12,
Certificates: []tls.Certificate{cert},
MinVersion: tls.VersionTLS12,
MaxVersion: tls.VersionTLS12,
GetCertificate: ws.GetCertificate(),
}
ln, err := net.Listen("tcp", config.G.Web.ListenTLS)
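Review bot: In WebServer.GetCertificate a failure of `crypto.GenerateSelfSignedCert()` is only logged, and the returned callback then hands the zero-value `cert` to every handshake via `return &cert, nil`, so each client sees an opaque handshake failure instead of one clear error at startup. The closure already captures `err`, so the callback can surface it before the default-cert fallback: `if err != nil { return nil, err }` — or listenTLS could refuse to start when the default certificate cannot be generated. Separately, the tls.Config keeps `MaxVersion: tls.VersionTLS12`, which caps the listener at TLS 1.2 and prevents TLS 1.3 negotiation even though GetCertificate-based SNI selection works with both; if that cap is deliberate it deserves a comment, otherwise dropping MaxVersion is the smaller change. The listenTLS body continues past the end of this hunk.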