internal: add custom proxy certificates support to embedded outpost

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Jens Langhammer 2021-12-22 10:16:01 +01:00
parent d83d058a4b
commit 22a8603892
2 changed files with 32 additions and 11 deletions


@ -88,17 +88,25 @@ func (ps *ProxyServer) Type() string {
func (ps *ProxyServer) TimerFlowCacheExpiry() {} func (ps *ProxyServer) TimerFlowCacheExpiry() {}
func (ps *ProxyServer) getCertificates(info *tls.ClientHelloInfo) (*tls.Certificate, error) { func (ps *ProxyServer) GetCertificate(serverName string) *tls.Certificate {
app, ok := ps.apps[info.ServerName] app, ok := ps.apps[serverName]
if !ok { if !ok {
ps.log.WithField("server-name", info.ServerName).Debug("app does not exist") ps.log.WithField("server-name", serverName).Debug("app does not exist")
return &ps.defaultCert, nil return nil
} }
if app.Cert == nil { if app.Cert == nil {
ps.log.WithField("server-name", info.ServerName).Debug("app does not have a certificate") ps.log.WithField("server-name", serverName).Debug("app does not have a certificate")
return nil
}
return app.Cert
}
func (ps *ProxyServer) getCertificates(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
appCert := ps.GetCertificate(info.ServerName)
if appCert == nil {
return &ps.defaultCert, nil return &ps.defaultCert, nil
} }
return app.Cert, nil return appCert, nil
} }
// ServeHTTP constructs a net.Listener and starts handling HTTP requests // ServeHTTP constructs a net.Listener and starts handling HTTP requests
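Review bot: The exported `GetCertificate` added at the top of the hunk has no doc comment, and its lookup `app, ok := ps.apps[serverName]` matches the SNI name byte-for-byte. Go passes `GetCertificate` callbacks the raw ClientHello ServerName (no lowercasing, trailing dot preserved), so a client sending `Example.COM` or `example.com.` misses the map and, through the new `nil` return, is silently served the default self-signed certificate instead of the app's one; if the `ps.apps` keys are plain lowercase hostnames, normalising with `name := strings.ToLower(strings.TrimSuffix(serverName, "."))` before the lookup closes that gap (`strings` would need importing if it is not already). Since the nil return is now load-bearing for the web server's TLS callback, I would document it: `// GetCertificate returns the certificate configured for the application serving serverName (an SNI host), or nil when no application or no certificate matches.` Whether `ps.apps` can be replaced by another goroutine while handshakes are in flight is not visible here; if it can, this read needs the same synchronisation as the writer.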


@ -9,16 +9,29 @@ import (
"goauthentik.io/internal/crypto" "goauthentik.io/internal/crypto"
) )
// ServeHTTPS constructs a net.Listener and starts handling HTTPS requests func (ws *WebServer) GetCertificate() func(ch *tls.ClientHelloInfo) (*tls.Certificate, error) {
func (ws *WebServer) listenTLS() {
cert, err := crypto.GenerateSelfSignedCert() cert, err := crypto.GenerateSelfSignedCert()
if err != nil { if err != nil {
ws.log.WithError(err).Error("failed to generate default cert") ws.log.WithError(err).Error("failed to generate default cert")
} }
return func(ch *tls.ClientHelloInfo) (*tls.Certificate, error) {
if ws.ProxyServer != nil {
appCert := ws.ProxyServer.GetCertificate(ch.ServerName)
if appCert != nil {
return appCert, nil
}
}
ws.log.Trace("using default, self-signed certificate")
return &cert, nil
}
}
// ServeHTTPS constructs a net.Listener and starts handling HTTPS requests
func (ws *WebServer) listenTLS() {
tlsConfig := &tls.Config{ tlsConfig := &tls.Config{
MinVersion: tls.VersionTLS12, MinVersion: tls.VersionTLS12,
MaxVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12,
Certificates: []tls.Certificate{cert}, GetCertificate: ws.GetCertificate(),
} }
ln, err := net.Listen("tcp", config.G.Web.ListenTLS) ln, err := net.Listen("tcp", config.G.Web.ListenTLS)