internal: add custom proxy certificates support to embedded outpost

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer 2021-12-22 10:16:01 +01:00
parent d83d058a4b
commit 22a8603892
2 changed files with 32 additions and 11 deletions


@ -88,17 +88,25 @@ func (ps *ProxyServer) Type() string {
func (ps *ProxyServer) TimerFlowCacheExpiry() {}
func (ps *ProxyServer) getCertificates(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
app, ok := ps.apps[info.ServerName]
func (ps *ProxyServer) GetCertificate(serverName string) *tls.Certificate {
app, ok := ps.apps[serverName]
if !ok {
ps.log.WithField("server-name", info.ServerName).Debug("app does not exist")
return &ps.defaultCert, nil
ps.log.WithField("server-name", serverName).Debug("app does not exist")
return nil
}
if app.Cert == nil {
ps.log.WithField("server-name", info.ServerName).Debug("app does not have a certificate")
ps.log.WithField("server-name", serverName).Debug("app does not have a certificate")
return nil
}
return app.Cert
}
func (ps *ProxyServer) getCertificates(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
appCert := ps.GetCertificate(info.ServerName)
if appCert == nil {
return &ps.defaultCert, nil
}
return app.Cert, nil
return appCert, nil
}
// ServeHTTP constructs a net.Listener and starts handling HTTP requests
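Review bot: The new exported `GetCertificate(serverName string)` on L16 has no doc comment, and its nil-return contract is exactly what callers need to know: it returns nil both when no app is registered under the SNI and when the matching app has no certificate, so every caller must supply its own fallback. Suggest `// GetCertificate returns the certificate configured for the app registered under serverName (the SNI from the ClientHello), or nil when no such app exists or it has no certificate; callers must fall back to a default.` Because serverName comes straight from the client's ClientHello and the lookup on L17 is an exact map-key match, an app key stored in mixed case or a client sending different case will silently fall through to the default certificate; whether keys are normalized on insert is not visible from this hunk. `ps.apps` is read here from the TLS handshake goroutine, so if it is replaced or mutated by a refresh elsewhere without synchronization that is a data race, which likewise cannot be confirmed from these lines.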


@ -9,16 +9,29 @@ import (
"goauthentik.io/internal/crypto"
)
// ServeHTTPS constructs a net.Listener and starts handling HTTPS requests
func (ws *WebServer) listenTLS() {
func (ws *WebServer) GetCertificate() func(ch *tls.ClientHelloInfo) (*tls.Certificate, error) {
cert, err := crypto.GenerateSelfSignedCert()
if err != nil {
ws.log.WithError(err).Error("failed to generate default cert")
}
return func(ch *tls.ClientHelloInfo) (*tls.Certificate, error) {
if ws.ProxyServer != nil {
appCert := ws.ProxyServer.GetCertificate(ch.ServerName)
if appCert != nil {
return appCert, nil
}
}
ws.log.Trace("using default, self-signed certificate")
return &cert, nil
}
}
// ServeHTTPS constructs a net.Listener and starts handling HTTPS requests
func (ws *WebServer) listenTLS() {
tlsConfig := &tls.Config{
MinVersion: tls.VersionTLS12,
MaxVersion: tls.VersionTLS12,
Certificates: []tls.Certificate{cert},
GetCertificate: ws.GetCertificate(),
}
ln, err := net.Listen("tcp", config.G.Web.ListenTLS)
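Review bot: In `GetCertificate` (L49–L52) a failure of `crypto.GenerateSelfSignedCert()` is only logged, and the zero-value `cert` is still handed to every handshake that finds no app certificate, so the listener starts and then fails each such TLS handshake with an opaque error instead of refusing to start or reporting the cause. The closure should surface the captured error before the fallback, e.g. `if err != nil { return nil, err }` ahead of the `ws.log.Trace(...)` line on L60, or `listenTLS` should abort when generation fails. Adjacent but outside this change, `MaxVersion: tls.VersionTLS12` on L68 pins the listener to TLS 1.2 and disables TLS 1.3; if that is deliberate it deserves a comment saying why. The body of `listenTLS` continues past the end of the hunk.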