Commit Diff
Diff:
da2185f37f70f8665c4d800f8f9bbf4027fd7b81
d49093c105e7e9af2638bce945374ac0036b3498
Commit:
d49093c105e7e9af2638bce945374ac0036b3498
Tree:
813102bedbdfb4ead9fe520c2dea30b966a02578
Author:
Omar Polo <op@omarpolo.com>
Date:
Sat Jan 1 16:33:44 2022 UTC
Message:
support optional client certificate for proxy rule
commit - da2185f37f70f8665c4d800f8f9bbf4027fd7b81
commit + d49093c105e7e9af2638bce945374ac0036b3498
blob - 7c2c7bd55cf93fa423b2c8e3a3144fd402eddfd0
blob + b86359b6d2484f209e48c7bb38e7ad3dd899e198
--- gmid.c
+++ gmid.c
@@ -304,6 +304,9 @@ free_config(void)
free(l->proxy_host);
+ tls_unload_file(l->proxy_cert, l->proxy_cert_len);
+ tls_unload_file(l->proxy_key, l->proxy_key_len);
+
if (l->dirfd != -1)
close(l->dirfd);
blob - 6798800929649345dc3aea95169a0a0aa01a4710
blob + 54328015a570ee65214ab23440a4eca5ce304a71
--- gmid.h
+++ gmid.h
@@ -113,6 +113,10 @@ struct location {
char *proxy_host;
const char *proxy_port;
+ uint8_t *proxy_cert;
+ size_t proxy_cert_len;
+ uint8_t *proxy_key;
+ size_t proxy_key_len;
const char *dir;
int dirfd;
@@ -238,6 +242,7 @@ struct client {
struct sockaddr_storage addr;
struct vhost *host; /* host they're talking to */
size_t loc; /* location matched */
+ struct location *l;
SPLAY_ENTRY(client) entry;
};
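Review bot: The new `l` member is the only field in struct client without the trailing comment its neighbours carry, and its relation to the existing `loc` index (which stays) is left unstated. Suggest `struct location *l;	/* reverse-proxy location, set in apply_reverse_proxy() */`, since server.c in this same commit assigns it only when a proxy rule matches; whether it is otherwise NULL depends on how clients are allocated, which this diff does not show. The proxy_cert/proxy_key members added in the first hunk would benefit from a similar note that they hold the bytes loaded by tls_load_file() in parse.y, are owned by the location and are released with tls_unload_file() in free_config().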
blob - 6fe205d8e071aa0e2b98b9821859871d4d4b9442
blob + 154e3a5ba32d9397625ac08f91479e7f8e3f36ad
--- parse.y
+++ parse.y
@@ -353,7 +353,21 @@ proxy_opt : RELAY_TO string {
| proxy_opts proxy_opt optnl
;
-proxy_opt : RELAY_TO string {
+proxy_opt : CERT string {
+ only_once(loc->proxy_cert, "proxy cert");
+ ensure_absolute_path($2);
+ loc->proxy_cert = tls_load_file($2, &loc->proxy_cert_len, NULL);
+ if (loc->proxy_cert == NULL)
+ yyerror("can't load cert %s", $2);
+ }
+ | KEY string {
+ only_once(loc->proxy_key, "proxy key");
+ ensure_absolute_path($2);
+ loc->proxy_key = tls_load_file($2, &loc->proxy_key_len, NULL);
+ if (loc->proxy_key == NULL)
+ yyerror("can't load key %s", $2);
+ }
+ | RELAY_TO string {
char *at;
const char *errstr;
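Review bot: The new `CERT` and `KEY` alternatives are accepted independently, so a proxy block with `cert` but no `key` (or the reverse) parses cleanly and the mismatch only surfaces when proxy_init() later hands a NULL key to tls_config_set_key_mem() and the outgoing handshake fails at request time. The natural place for the pairing check is where the proxy block closes, which is outside this hunk; something like `if ((loc->proxy_cert == NULL) != (loc->proxy_key == NULL)) yyerror("proxy cert and key must be given together");` there would reject the configuration at load time instead. The proxy.c hunk in this commit has the same gap on the runtime side.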
blob - 72ce9f7b14d8c082b0354ade2730b96b46c3f480
blob + 4c5d475f8a799fdfb2b42f9b47cc347825cb72dd
--- proxy.c
+++ proxy.c
@@ -292,9 +292,22 @@ proxy_init(struct client *c)
return -1;
/* TODO: tls_config_set_protocols here */
- /* TODO: optionally load a client keypair here */
tls_config_insecure_noverifycert(conf);
+ if (c->l->proxy_cert != NULL) {
+ int r;
+
+ r = tls_config_set_cert_mem(conf, c->l->proxy_cert,
+ c->l->proxy_cert_len);
+ if (r == -1)
+ goto err;
+
+ r = tls_config_set_key_mem(conf, c->l->proxy_key,
+ c->l->proxy_key_len);
+ if (r == -1)
+ goto err;
+ }
+
if ((c->proxyctx = tls_client()) == NULL)
goto err;
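Review bot: The block guards on `c->l->proxy_cert != NULL` only, so if the configuration supplied `cert` without `key` (the parser accepts them separately) tls_config_set_key_mem() is called with a NULL key and the failure is deferred to the handshake; a guard before the first call, `if (c->l->proxy_key == NULL) goto err;`, fails fast instead. The two `r == -1` paths also jump to err without recording the cause; libtls exposes it through tls_config_error(conf), and logging it there (the file's log_debug(c, ...) is one option, the right level is the maintainer's call) would make a rejected keypair diagnosable. proxy_init() starts before this hunk and continues past it.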
blob - c2967dae7efe1e6fd1da12cd108d3dba192601c6
blob + 48453c1d9c58a20a12861a40db1f91b9157dc2f5
--- server.c
+++ server.c
@@ -635,6 +635,8 @@ apply_reverse_proxy(struct client *c)
if ((loc = vhost_reverse_proxy(c->host, c->iri.path)) == NULL)
return 0;
+
+ c->l = loc;
log_debug(c, "opening proxy connection for %s:%s",
loc->proxy_host, loc->proxy_port);