From a9267791c4b34b06cfb71d7cf8bee203545a3677 Mon Sep 17 00:00:00 2001 From: Alexander M <3055245+varianone@users.noreply.github.com> Date: Sun, 29 May 2022 23:33:01 +0300 Subject: [PATCH] reverseproxy: Add --internal-certs CLI flag #3589 (#4817) added flag --internal-certs when set, for non-local domains the internal CA will be used for cert generation --- modules/caddyhttp/reverseproxy/command.go | 24 +++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/modules/caddyhttp/reverseproxy/command.go b/modules/caddyhttp/reverseproxy/command.go index 121142c1..6153b6ec 100644 --- a/modules/caddyhttp/reverseproxy/command.go +++ b/modules/caddyhttp/reverseproxy/command.go @@ -27,6 +27,7 @@ import ( caddycmd "github.com/caddyserver/caddy/v2/cmd" "github.com/caddyserver/caddy/v2/modules/caddyhttp" "github.com/caddyserver/caddy/v2/modules/caddyhttp/headers" + "github.com/caddyserver/caddy/v2/modules/caddytls" ) func init() { @@ -59,6 +60,7 @@ default, all incoming headers are passed through unmodified.) fs.String("to", "", "Upstream address to which traffic should be sent") fs.Bool("change-host-header", false, "Set upstream Host header to address of upstream") fs.Bool("insecure", false, "Disable TLS verification (WARNING: DISABLES SECURITY BY NOT VERIFYING SSL CERTIFICATES!)") + fs.Bool("internal-certs", false, "Use internal CA for issuing certs") return fs }(), }) @@ -71,6 +73,7 @@ func cmdReverseProxy(fs caddycmd.Flags) (int, error) { to := fs.String("to") changeHost := fs.Bool("change-host-header") insecure := fs.Bool("insecure") + internalCerts := fs.Bool("internal-certs") httpPort := strconv.Itoa(caddyhttp.DefaultHTTPPort) httpsPort := strconv.Itoa(caddyhttp.DefaultHTTPSPort) @@ -154,11 +157,24 @@ func cmdReverseProxy(fs caddycmd.Flags) (int, error) { Servers: map[string]*caddyhttp.Server{"proxy": server}, } + appsRaw := caddy.ModuleMap{ + "http": caddyconfig.JSON(httpApp, nil), + } + if internalCerts && fromAddr.Host != "" { + tlsApp := caddytls.TLS{ + Automation: &caddytls.AutomationConfig{ + Policies: []*caddytls.AutomationPolicy{{ + Subjects: []string{fromAddr.Host}, + IssuersRaw: []json.RawMessage{json.RawMessage(`{"module":"internal"}`)}, + }}, + }, + } + appsRaw["tls"] = caddyconfig.JSON(tlsApp, nil) + } + cfg := &caddy.Config{ - Admin: &caddy.AdminConfig{Disabled: true}, - AppsRaw: caddy.ModuleMap{ - "http": caddyconfig.JSON(httpApp, nil), - }, + Admin: &caddy.AdminConfig{Disabled: true}, + AppsRaw: appsRaw, } err = caddy.Run(cfg)