mirror of
https://github.com/caddyserver/caddy.git
synced 2025-01-14 06:46:27 +03:00
reverseproxy: Skip TLS for certain configured ports (#4843)
* Make reverse proxy TLS server name replaceable for SNI upstreams.
* Reverted previous TLS server name replacement, and implemented thread safe version.
* Move TLS servername replacement into it's own function
* Moved SNI servername replacement into httptransport.
* Solve issue when dynamic upstreams use wrong protocol upstream.
* Revert previous commit.
Old commit was: Solve issue when dynamic upstreams use wrong protocol upstream.
Id: 3c9806ccb6
* Added SkipTLSPorts option to http transport.
* Fix typo in test config file.
* Rename config option as suggested by Matt
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* Update code to match renamed config option.
* Fix typo in config option name.
* Fix another typo that I missed.
* Tests not completing because of apparent wrong ordering of options.
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
This commit is contained in:
parent
56013934a4
commit
b6e96fa3c5
3 changed files with 33 additions and 1 deletions
|
@ -25,6 +25,7 @@ https://example.com {
|
|||
keepalive_idle_conns_per_host 2
|
||||
keepalive_interval 30s
|
||||
renegotiation freely
|
||||
except_ports 8181 8182
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -93,6 +94,10 @@ https://example.com {
|
|||
},
|
||||
"response_header_timeout": 8000000000,
|
||||
"tls": {
|
||||
"except_ports": [
|
||||
"8181",
|
||||
"8182"
|
||||
],
|
||||
"renegotiation": "freely"
|
||||
},
|
||||
"versions": [
|
||||
|
|
|
@ -1063,6 +1063,15 @@ func (h *HTTPTransport) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
|
|||
}
|
||||
h.MaxConnsPerHost = num
|
||||
|
||||
case "except_ports":
|
||||
if h.TLS == nil {
|
||||
h.TLS = new(TLSConfig)
|
||||
}
|
||||
h.TLS.ExceptPorts = d.RemainingArgs()
|
||||
if len(h.TLS.ExceptPorts) == 0 {
|
||||
return d.ArgErr()
|
||||
}
|
||||
|
||||
default:
|
||||
return d.Errf("unrecognized subdirective %s", d.Val())
|
||||
}
|
||||
|
|
|
@ -296,9 +296,20 @@ func (h *HTTPTransport) RoundTrip(req *http.Request) (*http.Response, error) {
|
|||
// has the scheme set in its URL; the underlying
|
||||
// http.Transport requires a scheme to be set.
|
||||
func (h *HTTPTransport) SetScheme(req *http.Request) {
|
||||
skipTLSport := false
|
||||
if h.TLS.ExceptPorts != nil {
|
||||
port := req.URL.Port()
|
||||
for i := range h.TLS.ExceptPorts {
|
||||
if h.TLS.ExceptPorts[i] == port {
|
||||
skipTLSport = true
|
||||
break
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if req.URL.Scheme == "" {
|
||||
req.URL.Scheme = "http"
|
||||
if h.TLS != nil {
|
||||
if h.TLS != nil && !skipTLSport {
|
||||
req.URL.Scheme = "https"
|
||||
}
|
||||
}
|
||||
|
@ -369,6 +380,13 @@ type TLSConfig struct {
|
|||
// - "once": allows a remote server to request renegotiation once per connection.
|
||||
// - "freely": allows a remote server to repeatedly request renegotiation.
|
||||
Renegotiation string `json:"renegotiation,omitempty"`
|
||||
|
||||
// Skip TLS ports specifies a list of upstream ports on which TLS should not be
|
||||
// attempted even if it is configured. Handy when using dynamic upstreams that
|
||||
// return HTTP and HTTPS endpoints too.
|
||||
// When specified, TLS will automatically be configured on the transport.
|
||||
// The value can be a list of any valid tcp port numbers, default empty.
|
||||
ExceptPorts []string `json:"except_ports,omitempty"`
|
||||
}
|
||||
|
||||
// MakeTLSClientConfig returns a tls.Config usable by a client to a backend.
|
||||
|
|
Loading…
Reference in a new issue