reverseproxy: Add renegotiation param in TLS client (#4784)
* Add renegotiation option in reverseproxy tls client * Update modules/caddyhttp/reverseproxy/httptransport.go Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
This commit is contained in:
parent
1498132ea3
commit
aaf6794b31
3 changed files with 38 additions and 1 deletions
|
@ -24,6 +24,7 @@ https://example.com {
|
||||||
max_conns_per_host 5
|
max_conns_per_host 5
|
||||||
keepalive_idle_conns_per_host 2
|
keepalive_idle_conns_per_host 2
|
||||||
keepalive_interval 30s
|
keepalive_interval 30s
|
||||||
|
renegotiation freely
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -91,7 +92,9 @@ https://example.com {
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"response_header_timeout": 8000000000,
|
"response_header_timeout": 8000000000,
|
||||||
"tls": {},
|
"tls": {
|
||||||
|
"renegotiation": "freely"
|
||||||
|
},
|
||||||
"versions": [
|
"versions": [
|
||||||
"h2c",
|
"h2c",
|
||||||
"2"
|
"2"
|
||||||
|
|
|
@ -922,6 +922,20 @@ func (h *HTTPTransport) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
|
||||||
return d.ArgErr()
|
return d.ArgErr()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
case "renegotiation":
|
||||||
|
if h.TLS == nil {
|
||||||
|
h.TLS = new(TLSConfig)
|
||||||
|
}
|
||||||
|
if !d.NextArg() {
|
||||||
|
return d.ArgErr()
|
||||||
|
}
|
||||||
|
switch renegotiation := d.Val(); renegotiation {
|
||||||
|
case "never", "once", "freely":
|
||||||
|
h.TLS.Renegotiation = renegotiation
|
||||||
|
default:
|
||||||
|
return d.ArgErr()
|
||||||
|
}
|
||||||
|
|
||||||
case "tls":
|
case "tls":
|
||||||
if h.TLS == nil {
|
if h.TLS == nil {
|
||||||
h.TLS = new(TLSConfig)
|
h.TLS = new(TLSConfig)
|
||||||
|
|
|
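Review bot: In the new `case "renegotiation":` branch, an unrecognized value falls into `default: return d.ArgErr()`, which reports a wrong-argument-count error rather than saying the value itself is invalid; the user gets no hint that only never/once/freely are accepted. A value-specific error reads better and matches the allowed set, e.g. `return d.Errf("unrecognized renegotiation level %q", renegotiation)`. The accepted set is also hard-coded here a second time, separately from the switch in MakeTLSClientConfig, so a future addition has to be kept in sync in both places. UnmarshalCaddyfile starts and ends outside this hunk.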
@ -324,6 +324,14 @@ type TLSConfig struct {
|
||||||
// support placeholders because the TLS config is not provisioned on each
|
// support placeholders because the TLS config is not provisioned on each
|
||||||
// connection, so a static value must be used.
|
// connection, so a static value must be used.
|
||||||
ServerName string `json:"server_name,omitempty"`
|
ServerName string `json:"server_name,omitempty"`
|
||||||
|
|
||||||
|
// TLS renegotiation level. TLS renegotiation is the act of performing
|
||||||
|
// subsequent handshakes on a connection after the first.
|
||||||
|
// The level can be:
|
||||||
|
// - "never": (the default) disables renegotiation.
|
||||||
|
// - "once": allows a remote server to request renegotiation once per connection.
|
||||||
|
// - "freely": allows a remote server to repeatedly request renegotiation.
|
||||||
|
Renegotiation string `json:"renegotiation,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// MakeTLSClientConfig returns a tls.Config usable by a client to a backend.
|
// MakeTLSClientConfig returns a tls.Config usable by a client to a backend.
|
||||||
|
@ -393,6 +401,18 @@ func (t TLSConfig) MakeTLSClientConfig(ctx caddy.Context) (*tls.Config, error) {
|
||||||
cfg.RootCAs = rootPool
|
cfg.RootCAs = rootPool
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Renegotiation
|
||||||
|
switch t.Renegotiation {
|
||||||
|
case "never":
|
||||||
|
cfg.Renegotiation = tls.RenegotiateNever
|
||||||
|
case "once":
|
||||||
|
cfg.Renegotiation = tls.RenegotiateOnceAsClient
|
||||||
|
case "freely":
|
||||||
|
cfg.Renegotiation = tls.RenegotiateFreelyAsClient
|
||||||
|
default:
|
||||||
|
return nil, fmt.Errorf("invalid TLS renegotiation level: %v", t.Renegotiation)
|
||||||
|
}
|
||||||
|
|
||||||
// override for the server name used verify the TLS handshake
|
// override for the server name used verify the TLS handshake
|
||||||
cfg.ServerName = t.ServerName
|
cfg.ServerName = t.ServerName
|
||||||
|
|
||||||
|
|
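Review bot: The new switch in MakeTLSClientConfig has no case for an empty Renegotiation, so `default:` returns `invalid TLS renegotiation level:` for every TLSConfig that does not set the field — which, given the `omitempty` tag and the struct comment calling "never" the default, is the common case (any existing `"tls": {}` block). The first case should treat the zero value as the default: `case "never", "":`. The struct comment in the earlier hunk could also note that this only affects TLS 1.2 and below, since crypto/tls does not renegotiate under TLS 1.3, and that "freely" lets a backend trigger repeated handshakes at will, so it should be enabled only for backends known to need it. MakeTLSClientConfig starts and ends outside this hunk.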