commit d49093c105e7e9af2638bce945374ac0036b3498
from: Omar Polo
date: Sat Jan 01 16:33:44 2022 UTC
support optional client certificate for proxy rule
commit - da2185f37f70f8665c4d800f8f9bbf4027fd7b81
commit + d49093c105e7e9af2638bce945374ac0036b3498
blob - 7c2c7bd55cf93fa423b2c8e3a3144fd402eddfd0
blob + b86359b6d2484f209e48c7bb38e7ad3dd899e198
--- gmid.c
+++ gmid.c
@@ -304,6 +304,9 @@ free_config(void)
 free(l->proxy_host);
+ tls_unload_file(l->proxy_cert, l->proxy_cert_len);
+ tls_unload_file(l->proxy_key, l->proxy_key_len);
+
 if (l->dirfd != -1)
 close(l->dirfd);
blob - 6798800929649345dc3aea95169a0a0aa01a4710
blob + 54328015a570ee65214ab23440a4eca5ce304a71
--- gmid.h
+++ gmid.h
@@ -113,6 +113,10 @@ struct location {
 char *proxy_host;
 const char *proxy_port;
+ uint8_t *proxy_cert;
+ size_t proxy_cert_len;
+ uint8_t *proxy_key;
+ size_t proxy_key_len;
 const char *dir;
 int dirfd;
@@ -238,6 +242,7 @@ struct client {
 struct sockaddr_storage addr;
 struct vhost *host; /* host they're talking to */
 size_t loc; /* location matched */
+ struct location *l;
 SPLAY_ENTRY(client) entry;
 };
blob - 6fe205d8e071aa0e2b98b9821859871d4d4b9442
blob + 154e3a5ba32d9397625ac08f91479e7f8e3f36ad
--- parse.y
+++ parse.y
@@ -353,7 +353,21 @@ proxy_opts : /* empty */
 | proxy_opts proxy_opt optnl
 ;
-proxy_opt : RELAY_TO string {
+proxy_opt : CERT string {
+ only_once(loc->proxy_cert, "proxy cert");
+ ensure_absolute_path($2);
+ loc->proxy_cert = tls_load_file($2, &loc->proxy_cert_len, NULL);
+ if (loc->proxy_cert == NULL)
+ yyerror("can't load cert %s", $2);
+ }
+ | KEY string {
+ only_once(loc->proxy_key, "proxy key");
+ ensure_absolute_path($2);
+ loc->proxy_key = tls_load_file($2, &loc->proxy_key_len, NULL);
+ if (loc->proxy_key == NULL)
+ yyerror("can't load key %s", $2);
+ }
+ | RELAY_TO string {
 char *at;
 const char *errstr;
blob - 72ce9f7b14d8c082b0354ade2730b96b46c3f480
blob + 4c5d475f8a799fdfb2b42f9b47cc347825cb72dd
--- proxy.c
+++ proxy.c
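Review bot: The two tls_unload_file calls added to free_config run unconditionally, so for proxy blocks configured without a keypair they receive NULL and 0; that is safe in libtls (it wraps freezero, which tolerates NULL) but nothing on the line says so, and the call is also what guarantees the private key is wiped rather than merely freed. A short comment would save the next reader a trip into libtls: `tls_unload_file(l->proxy_key, l->proxy_key_len); /* NULL-safe; zeroes the key before freeing */`. The rest of free_config's loop body lies outside the hunk.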
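Review bot: The four fields added to struct location carry no comment on ownership or sensitivity, unlike the neighbouring fields: they hold buffers returned by tls_load_file in parse.y, the key one is private key material, and both are released with tls_unload_file in free_config. I would annotate them, e.g. `uint8_t *proxy_cert; /* tls_load_file() buffer, released in free_config() */` and `uint8_t *proxy_key; /* private key; zeroed and freed via tls_unload_file() */`. The second gmid.h hunk has the same gap: `struct location *l;` in struct client lacks the comment its neighbours carry and sits next to `size_t loc; /* location matched */`, so a reader cannot tell which of the two proxy code should use; `struct location *l; /* reverse-proxy location, set by apply_reverse_proxy() */` would settle it. Both struct definitions begin and end outside the hunks.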
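Review bot: Nothing ties `cert` and `key` together, so a proxy block that names only one of them is accepted here and the problem only surfaces later in proxy_init, where tls_config_set_key_mem is handed a NULL key and the failure appears as an opaque connect error (the proxy.c hunk has the same gap and would benefit from the same check). The rule that closes the proxy block lies outside this hunk; at that point I would add `if ((loc->proxy_cert == NULL) != (loc->proxy_key == NULL)) yyerror("proxy cert and key must be set together");`. The two yyerror messages could also say why the load failed, since tls_load_file returns NULL with errno from the failing open/read: `yyerror("can't load cert %s: %s", $2, strerror(errno));` — assuming errno survives to that point, which is worth confirming against tls_load_file.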
@@ -292,9 +292,22 @@ proxy_init(struct client *c)
 return -1;
 /* TODO: tls_config_set_protocols here */
- /* TODO: optionally load a client keypair here */
 tls_config_insecure_noverifycert(conf);
+ if (c->l->proxy_cert != NULL) {
+ int r;
+
+ r = tls_config_set_cert_mem(conf, c->l->proxy_cert,
+ c->l->proxy_cert_len);
+ if (r == -1)
+ goto err;
+
+ r = tls_config_set_key_mem(conf, c->l->proxy_key,
+ c->l->proxy_key_len);
+ if (r == -1)
+ goto err;
+ }
+
 if ((c->proxyctx = tls_client()) == NULL)
 goto err;
blob - c2967dae7efe1e6fd1da12cd108d3dba192601c6
blob + 48453c1d9c58a20a12861a40db1f91b9157dc2f5
--- server.c
+++ server.c
@@ -635,6 +635,8 @@ apply_reverse_proxy(struct client *c)
 if ((loc = vhost_reverse_proxy(c->host, c->iri.path)) == NULL)
 return 0;
+
+ c->l = loc;
 log_debug(c, "opening proxy connection for %s:%s",
 loc->proxy_host, loc->proxy_port);
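Review bot: The two `goto err` jumps added after tls_config_set_cert_mem and tls_config_set_key_mem discard the reason, so a malformed or mismatched PEM in the config shows up as a bare proxy failure; the err label is outside the hunk, so log either there or before jumping, e.g. `log_warn(c, "tls_config_set_cert_mem: %s", tls_config_error(conf));`. The keypair is also presented while `tls_config_insecure_noverifycert(conf)` (the context line just above the new block) still disables peer verification, so the proxy authenticates itself to whatever answers at the relay-to address; that is pre-existing, but the new credential changes what a misrouted or intercepted backend connection obtains, and a backend verification option would be the matching follow-up. The block reads `c->l` without a NULL check, so it depends on apply_reverse_proxy having set it on every path that reaches proxy_init; a comment stating that precondition at the top of the block would help. proxy_init begins and ends outside the hunk.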
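Review bot: `c->l = loc` is the only assignment of the new pointer, and proxy_init dereferences `c->l->proxy_cert` with no NULL check, so correctness rests on every proxy connection passing through apply_reverse_proxy first and on the location outliving the client. A comment on the assignment would make that contract visible: `c->l = loc; /* read by proxy_init(); points into the live config */`. If a location can be freed while its client is still connected (a config reload, for instance), this pointer would dangle; I cannot tell from the hunk whether that can happen, so it is worth confirming against free_config's callers. apply_reverse_proxy continues outside the hunk.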