mirror of
https://github.com/caddyserver/caddy.git
synced 2024-12-26 13:43:47 +03:00
reverseproxy: Add tls_curves
option to HTTP transport (#5851)
This commit is contained in:
parent
cc0c0cf03e
commit
f658fd05ac
2 changed files with 23 additions and 0 deletions
|
@ -1072,6 +1072,16 @@ func (h *HTTPTransport) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
|
|||
}
|
||||
h.TLS.InsecureSkipVerify = true
|
||||
|
||||
case "tls_curves":
|
||||
args := d.RemainingArgs()
|
||||
if len(args) == 0 {
|
||||
return d.ArgErr()
|
||||
}
|
||||
if h.TLS == nil {
|
||||
h.TLS = new(TLSConfig)
|
||||
}
|
||||
h.TLS.Curves = args
|
||||
|
||||
case "tls_timeout":
|
||||
if !d.NextArg() {
|
||||
return d.ArgErr()
|
||||
|
|
|
@ -491,6 +491,10 @@ type TLSConfig struct {
|
|||
// When specified, TLS will automatically be configured on the transport.
|
||||
// The value can be a list of any valid tcp port numbers, default empty.
|
||||
ExceptPorts []string `json:"except_ports,omitempty"`
|
||||
|
||||
// The list of elliptic curves to support. Caddy's
|
||||
// defaults are modern and secure.
|
||||
Curves []string `json:"curves,omitempty"`
|
||||
}
|
||||
|
||||
// MakeTLSClientConfig returns a tls.Config usable by a client to a backend.
|
||||
|
@ -579,6 +583,15 @@ func (t TLSConfig) MakeTLSClientConfig(ctx caddy.Context) (*tls.Config, error) {
|
|||
// throw all security out the window
|
||||
cfg.InsecureSkipVerify = t.InsecureSkipVerify
|
||||
|
||||
curvesAdded := make(map[tls.CurveID]struct{})
|
||||
for _, curveName := range t.Curves {
|
||||
curveID := caddytls.SupportedCurves[curveName]
|
||||
if _, ok := curvesAdded[curveID]; !ok {
|
||||
curvesAdded[curveID] = struct{}{}
|
||||
cfg.CurvePreferences = append(cfg.CurvePreferences, curveID)
|
||||
}
|
||||
}
|
||||
|
||||
// only return a config if it's not empty
|
||||
if reflect.DeepEqual(cfg, new(tls.Config)) {
|
||||
return nil, nil
|
||||
|
|
Loading…
Reference in a new issue