reverseproxy: Add renegotiation param in TLS client (#4784)

* Add renegotiation option in reverseproxy tls client

* Update modules/caddyhttp/reverseproxy/httptransport.go

Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
Yaacov Akiba Slama 2022-06-10 18:33:35 +03:00 committed by GitHub
parent 1498132ea3
commit aaf6794b31
3 changed files with 38 additions and 1 deletions


@ -24,6 +24,7 @@ https://example.com {
max_conns_per_host 5 max_conns_per_host 5
keepalive_idle_conns_per_host 2 keepalive_idle_conns_per_host 2
keepalive_interval 30s keepalive_interval 30s
renegotiation freely
} }
} }
} }
@ -91,7 +92,9 @@ https://example.com {
] ]
}, },
"response_header_timeout": 8000000000, "response_header_timeout": 8000000000,
"tls": {}, "tls": {
"renegotiation": "freely"
},
"versions": [ "versions": [
"h2c", "h2c",
"2" "2"


@ -922,6 +922,20 @@ func (h *HTTPTransport) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
return d.ArgErr() return d.ArgErr()
} }
case "renegotiation":
if h.TLS == nil {
h.TLS = new(TLSConfig)
}
if !d.NextArg() {
return d.ArgErr()
}
switch renegotiation := d.Val(); renegotiation {
case "never", "once", "freely":
h.TLS.Renegotiation = renegotiation
default:
return d.ArgErr()
}
case "tls": case "tls":
if h.TLS == nil { if h.TLS == nil {
h.TLS = new(TLSConfig) h.TLS = new(TLSConfig)


@ -324,6 +324,14 @@ type TLSConfig struct {
// support placeholders because the TLS config is not provisioned on each // support placeholders because the TLS config is not provisioned on each
// connection, so a static value must be used. // connection, so a static value must be used.
ServerName string `json:"server_name,omitempty"` ServerName string `json:"server_name,omitempty"`
// TLS renegotiation level. TLS renegotiation is the act of performing
// subsequent handshakes on a connection after the first.
// The level can be:
// - "never": (the default) disables renegotiation.
// - "once": allows a remote server to request renegotiation once per connection.
// - "freely": allows a remote server to repeatedly request renegotiation.
Renegotiation string `json:"renegotiation,omitempty"`
} }
// MakeTLSClientConfig returns a tls.Config usable by a client to a backend. // MakeTLSClientConfig returns a tls.Config usable by a client to a backend.
@ -393,6 +401,18 @@ func (t TLSConfig) MakeTLSClientConfig(ctx caddy.Context) (*tls.Config, error) {
cfg.RootCAs = rootPool cfg.RootCAs = rootPool
} }
// Renegotiation
switch t.Renegotiation {
case "never":
cfg.Renegotiation = tls.RenegotiateNever
case "once":
cfg.Renegotiation = tls.RenegotiateOnceAsClient
case "freely":
cfg.Renegotiation = tls.RenegotiateFreelyAsClient
default:
return nil, fmt.Errorf("invalid TLS renegotiation level: %v", t.Renegotiation)
}
// override for the server name used verify the TLS handshake // override for the server name used verify the TLS handshake
cfg.ServerName = t.ServerName cfg.ServerName = t.ServerName
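Review bot: The new switch in MakeTLSClientConfig has no case for the empty string, yet `Renegotiation` is tagged `omitempty` and its doc comment says "never" is the default, so any JSON config that has a `tls` object without a `renegotiation` key (the `"tls": {}` shape the adapt test had before this commit) now fails with "invalid TLS renegotiation level" instead of keeping the previous behaviour. Treating the zero value as the documented default, `case "never", "":`, keeps existing configs working and matches the comment on the struct field. It would also be worth extending that field comment to say the setting only affects Caddy as a TLS client to the backend and, per the crypto/tls documentation, has no effect on TLS 1.3 connections, so operators understand that "freely" does not loosen anything on modern backends. MakeTLSClientConfig starts and ends outside this hunk.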