2ce8e18bab
* centralise config for listeners to use same config system everywhere Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> #3360 * add docs Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
57 lines
1.5 KiB
Go
57 lines
1.5 KiB
Go
package ldap
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"net"
|
|
|
|
"github.com/pires/go-proxyproto"
|
|
"goauthentik.io/internal/config"
|
|
)
|
|
|
|
func (ls *LDAPServer) getCertificates(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
|
if len(ls.providers) == 1 {
|
|
if ls.providers[0].cert != nil {
|
|
ls.log.WithField("server-name", info.ServerName).Debug("We only have a single provider, using their cert")
|
|
return ls.providers[0].cert, nil
|
|
}
|
|
}
|
|
for _, provider := range ls.providers {
|
|
if provider.tlsServerName == &info.ServerName {
|
|
if provider.cert == nil {
|
|
ls.log.WithField("server-name", info.ServerName).Debug("Handler does not have a certificate")
|
|
return ls.defaultCert, nil
|
|
}
|
|
return provider.cert, nil
|
|
}
|
|
}
|
|
ls.log.WithField("server-name", info.ServerName).Debug("Fallback to default cert")
|
|
return ls.defaultCert, nil
|
|
}
|
|
|
|
func (ls *LDAPServer) StartLDAPTLSServer() error {
|
|
listen := config.Get().Listen.LDAPS
|
|
tlsConfig := &tls.Config{
|
|
MinVersion: tls.VersionTLS12,
|
|
MaxVersion: tls.VersionTLS12,
|
|
GetCertificate: ls.getCertificates,
|
|
}
|
|
|
|
ln, err := net.Listen("tcp", listen)
|
|
if err != nil {
|
|
ls.log.WithField("listen", listen).WithError(err).Fatalf("listen failed")
|
|
}
|
|
|
|
proxyListener := &proxyproto.Listener{Listener: ln}
|
|
defer proxyListener.Close()
|
|
|
|
tln := tls.NewListener(proxyListener, tlsConfig)
|
|
|
|
ls.log.WithField("listen", listen).Info("Starting LDAP SSL server")
|
|
err = ls.s.Serve(tln)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
ls.log.WithField("listen", listen).Info("Stopping LDAP SSL Server")
|
|
return nil
|
|
}
|