internal: add custom proxy certificates support to embedded outpost
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
parent
d83d058a4b
commit
22a8603892
@ -88,17 +88,25 @@ func (ps *ProxyServer) Type() string {
func (ps *ProxyServer) TimerFlowCacheExpiry() {}
func (ps *ProxyServer) TimerFlowCacheExpiry() {}
func (ps *ProxyServer) getCertificates(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
func (ps *ProxyServer) GetCertificate(serverName string) *tls.Certificate {
app, ok := ps.apps[info.ServerName]
app, ok := ps.apps[serverName]
if !ok {
if !ok {
ps.log.WithField("server-name", info.ServerName).Debug("app does not exist")
ps.log.WithField("server-name", serverName).Debug("app does not exist")
return &ps.defaultCert, nil
return nil
}
}
if app.Cert == nil {
if app.Cert == nil {
ps.log.WithField("server-name", info.ServerName).Debug("app does not have a certificate")
ps.log.WithField("server-name", serverName).Debug("app does not have a certificate")
return nil
}
return app.Cert
}
func (ps *ProxyServer) getCertificates(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
appCert := ps.GetCertificate(info.ServerName)
if appCert == nil {
return &ps.defaultCert, nil
return &ps.defaultCert, nil
}
}
return app.Cert, nil
return appCert, nil
}
}
// ServeHTTP constructs a net.Listener and starts handling HTTP requests
// ServeHTTP constructs a net.Listener and starts handling HTTP requests
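Review bot: GetCertificate (new lines around `app, ok := ps.apps[serverName]`) is now exported and, judging by the web-server hunk in this commit, is called from the TLS GetCertificate callback on every handshake, so it reads `ps.apps` from handshake goroutines; if `ps.apps` is replaced or mutated by the outpost's refresh path (not visible in this hunk), that read needs the same guard the writer uses or it is a data race under `-race`. If the map is only ever swapped wholesale under a lock, a doc comment saying so would save the next reader the search, e.g. `// GetCertificate returns the certificate configured for the app bound to serverName, or nil when no app or no certificate matches. Safe to call from TLS handshake goroutines.` It is also worth stating in that comment that serverName comes straight from the client's SNI, so the nil result for an unknown name is the expected fallthrough to the default certificate rather than an error.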
@ -9,16 +9,29 @@ import (
"goauthentik.io/internal/crypto"
"goauthentik.io/internal/crypto"
)
)
// ServeHTTPS constructs a net.Listener and starts handling HTTPS requests
func (ws *WebServer) GetCertificate() func(ch *tls.ClientHelloInfo) (*tls.Certificate, error) {
func (ws *WebServer) listenTLS() {
cert, err := crypto.GenerateSelfSignedCert()
cert, err := crypto.GenerateSelfSignedCert()
if err != nil {
if err != nil {
ws.log.WithError(err).Error("failed to generate default cert")
ws.log.WithError(err).Error("failed to generate default cert")
}
}
return func(ch *tls.ClientHelloInfo) (*tls.Certificate, error) {
if ws.ProxyServer != nil {
appCert := ws.ProxyServer.GetCertificate(ch.ServerName)
if appCert != nil {
return appCert, nil
}
}
ws.log.Trace("using default, self-signed certificate")
return &cert, nil
}
}
// ServeHTTPS constructs a net.Listener and starts handling HTTPS requests
func (ws *WebServer) listenTLS() {
tlsConfig := &tls.Config{
tlsConfig := &tls.Config{
MinVersion: tls.VersionTLS12,
MinVersion: tls.VersionTLS12,
MaxVersion: tls.VersionTLS12,
MaxVersion: tls.VersionTLS12,
Certificates: []tls.Certificate{cert},
GetCertificate: ws.GetCertificate(),
}
}
ln, err := net.Listen("tcp", config.G.Web.ListenTLS)
ln, err := net.Listen("tcp", config.G.Web.ListenTLS)
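Review bot: In the new `GetCertificate()` builder, a failure of `crypto.GenerateSelfSignedCert()` is only logged, and the returned closure still hands out `&cert` on the default path, which is then a zero-value `tls.Certificate`; every handshake for a name without an app certificate fails inside crypto/tls with an error far from the real cause, and previously the same failure at least kept the broken cert out of `Certificates` only by accident. Keep the error and surface it from the callback, e.g. just before `return &cert, nil` add `if err != nil { return nil, fmt.Errorf("default certificate unavailable: %w", err) }` (adding the fmt import if the file lacks it), or fail `listenTLS()` outright instead of listening with no usable fallback. The moved `// ServeHTTPS constructs a net.Listener …` comment now sits on `listenTLS()`, so `GetCertificate()` itself is undocumented; a one-line doc comment noting that it prefers the per-app certificate from `ProxyServer` by SNI and otherwise serves the self-signed one generated once per call would help. `listenTLS()` continues past this hunk.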