reverseproxy: Add tls_curves option to HTTP transport (#5851)

This commit is contained in:
Bas Westerbaan 2024-01-13 21:56:23 +01:00 committed by GitHub
parent cc0c0cf03e
commit f658fd05ac
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 23 additions and 0 deletions

View file

@ -1072,6 +1072,16 @@ func (h *HTTPTransport) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
}
h.TLS.InsecureSkipVerify = true
case "tls_curves":
args := d.RemainingArgs()
if len(args) == 0 {
return d.ArgErr()
}
if h.TLS == nil {
h.TLS = new(TLSConfig)
}
h.TLS.Curves = args
case "tls_timeout":
if !d.NextArg() {
return d.ArgErr()

View file

@ -491,6 +491,10 @@ type TLSConfig struct {
// When specified, TLS will automatically be configured on the transport.
// The value can be a list of any valid tcp port numbers, default empty.
ExceptPorts []string `json:"except_ports,omitempty"`
// The list of elliptic curves to support. Caddy's
// defaults are modern and secure.
Curves []string `json:"curves,omitempty"`
}
// MakeTLSClientConfig returns a tls.Config usable by a client to a backend.
@ -579,6 +583,15 @@ func (t TLSConfig) MakeTLSClientConfig(ctx caddy.Context) (*tls.Config, error) {
// throw all security out the window
cfg.InsecureSkipVerify = t.InsecureSkipVerify
curvesAdded := make(map[tls.CurveID]struct{})
for _, curveName := range t.Curves {
curveID := caddytls.SupportedCurves[curveName]
if _, ok := curvesAdded[curveID]; !ok {
curvesAdded[curveID] = struct{}{}
cfg.CurvePreferences = append(cfg.CurvePreferences, curveID)
}
}
// only return a config if it's not empty
if reflect.DeepEqual(cfg, new(tls.Config)) {
return nil, nil