Commit e0efb027 authored by Danny Navarro's avatar Danny Navarro Committed by Matt Holt

proxy: Implement own CA certificates of backends (#2454)

By using option ca_certificates in proxy block it is possible now to select
CA against which backend certificates shall be checked.

Resolves #1550
Co-authored-by: default avatarDanny Navarro <navdgo@gmail.com>
parent 9e4a2919
...@@ -28,6 +28,7 @@ package proxy ...@@ -28,6 +28,7 @@ package proxy
import ( import (
"context" "context"
"crypto/tls" "crypto/tls"
"crypto/x509"
"fmt" "fmt"
"io" "io"
"net" "net"
...@@ -310,6 +311,25 @@ func (rp *ReverseProxy) UseInsecureTransport() { ...@@ -310,6 +311,25 @@ func (rp *ReverseProxy) UseInsecureTransport() {
} }
} }
// UseOwnCertificate is used to facilitate HTTPS proxying
// with locally provided certificate.
func (rp *ReverseProxy) UseOwnCACertificates(CaCertPool *x509.CertPool) {
if transport, ok := rp.Transport.(*http.Transport); ok {
if transport.TLSClientConfig == nil {
transport.TLSClientConfig = &tls.Config{}
}
transport.TLSClientConfig.RootCAs = CaCertPool
// No http2.ConfigureTransport() here.
// For now this is only added in places where
// an http.Transport is actually created.
} else if transport, ok := rp.Transport.(*h2quic.RoundTripper); ok {
if transport.TLSClientConfig == nil {
transport.TLSClientConfig = &tls.Config{}
}
transport.TLSClientConfig.RootCAs = CaCertPool
}
}
// ServeHTTP serves the proxied request to the upstream by performing a roundtrip. // ServeHTTP serves the proxied request to the upstream by performing a roundtrip.
// It is designed to handle websocket connection upgrades as well. // It is designed to handle websocket connection upgrades as well.
func (rp *ReverseProxy) ServeHTTP(rw http.ResponseWriter, outreq *http.Request, respUpdateFn respUpdateFn) error { func (rp *ReverseProxy) ServeHTTP(rw http.ResponseWriter, outreq *http.Request, respUpdateFn respUpdateFn) error {
......
...@@ -22,6 +22,8 @@ import ( ...@@ -22,6 +22,8 @@ import (
"strconv" "strconv"
"testing" "testing"
"time" "time"
"github.com/lucas-clemente/quic-go/h2quic"
) )
const ( const (
...@@ -30,6 +32,20 @@ const ( ...@@ -30,6 +32,20 @@ const (
) )
var upstreamHost *httptest.Server var upstreamHost *httptest.Server
var upstreamHostTLS *httptest.Server
func setupTLSServer() {
upstreamHostTLS = httptest.NewTLSServer(http.HandlerFunc(
func(w http.ResponseWriter, r *http.Request) {
if r.URL.Path == "/test-path" {
w.WriteHeader(expectedStatus)
w.Write([]byte(expectedResponse))
} else {
w.WriteHeader(404)
w.Write([]byte("Not found"))
}
}))
}
func setupTest() { func setupTest() {
upstreamHost = httptest.NewServer(http.HandlerFunc( upstreamHost = httptest.NewServer(http.HandlerFunc(
...@@ -44,10 +60,76 @@ func setupTest() { ...@@ -44,10 +60,76 @@ func setupTest() {
})) }))
} }
func tearDownTLSServer() {
upstreamHostTLS.Close()
}
func tearDownTest() { func tearDownTest() {
upstreamHost.Close() upstreamHost.Close()
} }
func TestReverseProxyWithOwnCACertificates(t *testing.T) {
setupTLSServer()
defer tearDownTLSServer()
// get http client from tls server
cl := upstreamHostTLS.Client()
// add certs from httptest tls server to reverse proxy
var transport *http.Transport
if tr, ok := cl.Transport.(*http.Transport); ok {
transport = tr
} else {
t.Error("could not parse transport from upstreamHostTLS")
}
pool := transport.TLSClientConfig.RootCAs
u := staticUpstream{}
u.CaCertPool = pool
upstreamURL, err := url.Parse(upstreamHostTLS.URL)
if err != nil {
t.Errorf("Failed to parse test server URL [%s]. %s", upstreamHost.URL, err.Error())
}
// setup host for reverse proxy
ups, err := u.NewHost(upstreamURL.String())
if err != nil {
t.Errorf("Creating new host failed. %v", err)
}
// UseOwnCACertificates called in NewHost sets the RootCAs based if the cert pool is set
if transport, ok := ups.ReverseProxy.Transport.(*http.Transport); ok {
if transport.TLSClientConfig.RootCAs == nil {
t.Errorf("RootCAs not set on TLSClientConfig.")
}
} else if transport, ok := ups.ReverseProxy.Transport.(*h2quic.RoundTripper); ok {
if transport.TLSClientConfig.RootCAs == nil {
t.Errorf("RootCAs not set on TLSClientConfig.")
}
}
resp := httptest.NewRecorder()
req, err := http.NewRequest("GET", "https://test.host/test-path", nil)
if err != nil {
t.Errorf("Failed to create new request. %s", err.Error())
}
err = ups.ReverseProxy.ServeHTTP(resp, req, nil)
if err != nil {
t.Errorf("Failed to perform reverse proxy to upstream host. %s", err.Error())
}
rBody := resp.Body.String()
if rBody != expectedResponse {
t.Errorf("Unexpected proxy response received. Expected: '%s', Got: '%s'", expectedResponse, resp.Body.String())
}
if resp.Code != expectedStatus {
t.Errorf("Unexpected proxy status. Expected: '%d', Got: '%d'", expectedStatus, resp.Code)
}
}
func TestSingleSRVHostReverseProxy(t *testing.T) { func TestSingleSRVHostReverseProxy(t *testing.T) {
setupTest() setupTest()
defer tearDownTest() defer tearDownTest()
......
...@@ -17,6 +17,7 @@ package proxy ...@@ -17,6 +17,7 @@ package proxy
import ( import (
"bytes" "bytes"
"context" "context"
"crypto/x509"
"fmt" "fmt"
"io" "io"
"io/ioutil" "io/ioutil"
...@@ -69,6 +70,7 @@ type staticUpstream struct { ...@@ -69,6 +70,7 @@ type staticUpstream struct {
insecureSkipVerify bool insecureSkipVerify bool
MaxFails int32 MaxFails int32
resolver srvResolver resolver srvResolver
CaCertPool *x509.CertPool
} }
type srvResolver interface { type srvResolver interface {
...@@ -233,6 +235,10 @@ func (u *staticUpstream) NewHost(host string) (*UpstreamHost, error) { ...@@ -233,6 +235,10 @@ func (u *staticUpstream) NewHost(host string) (*UpstreamHost, error) {
uh.ReverseProxy.UseInsecureTransport() uh.ReverseProxy.UseInsecureTransport()
} }
if u.CaCertPool != nil {
uh.ReverseProxy.UseOwnCACertificates(u.CaCertPool)
}
return uh, nil return uh, nil
} }
...@@ -465,6 +471,34 @@ func parseBlock(c *caddyfile.Dispenser, u *staticUpstream, hasSrv bool) error { ...@@ -465,6 +471,34 @@ func parseBlock(c *caddyfile.Dispenser, u *staticUpstream, hasSrv bool) error {
u.IgnoredSubPaths = ignoredPaths u.IgnoredSubPaths = ignoredPaths
case "insecure_skip_verify": case "insecure_skip_verify":
u.insecureSkipVerify = true u.insecureSkipVerify = true
case "ca_certificates":
caCertificates := c.RemainingArgs()
if len(caCertificates) == 0 {
return c.ArgErr()
}
pool := x509.NewCertPool()
caCertificatesAdded := make(map[string]struct{})
for _, caFile := range caCertificates {
// don't add cert to pool more than once
if _, ok := caCertificatesAdded[caFile]; ok {
continue
}
caCertificatesAdded[caFile] = struct{}{}
// any client with a certificate from this CA will be allowed to connect
caCrt, err := ioutil.ReadFile(caFile)
if err != nil {
return c.Err(err.Error())
}
// attempt to parse pem and append to cert pool
if ok := pool.AppendCertsFromPEM(caCrt); !ok {
return c.Errf("loading CA certificate '%s': no certificates were successfully parsed", caFile)
}
}
u.CaCertPool = pool
case "keepalive": case "keepalive":
if !c.NextArg() { if !c.NextArg() {
return c.ArgErr() return c.ArgErr()
...@@ -489,6 +523,13 @@ func parseBlock(c *caddyfile.Dispenser, u *staticUpstream, hasSrv bool) error { ...@@ -489,6 +523,13 @@ func parseBlock(c *caddyfile.Dispenser, u *staticUpstream, hasSrv bool) error {
default: default:
return c.Errf("unknown property '%s'", c.Val()) return c.Errf("unknown property '%s'", c.Val())
} }
// these settings are at odds with one another. insecure_skip_verify disables security features over HTTPS
// which is what we are trying to achieve with ca_certificates
if u.insecureSkipVerify && u.CaCertPool != nil {
return c.Errf("both insecure_skip_verify and ca_certificates cannot be set in the proxy directive")
}
return nil return nil
} }
......
...@@ -163,6 +163,61 @@ func TestAllowedPaths(t *testing.T) { ...@@ -163,6 +163,61 @@ func TestAllowedPaths(t *testing.T) {
} }
} }
func TestParseBlockCACertificates(t *testing.T) {
tests := []struct {
config string
shouldPass bool
subjectLength int
}{
// Test #1: ca_certificates set but invalid file path provided
{"ca_certificates ./test.pem\n", false, 0},
// Test #2: ca_certificates set but no arguments provided
{"ca_certificates \n", false, 0},
// Test #3 valid ca_certificate (fullchain) and invalid public cert passed (privkey). CACertPool should not be set
{"ca_certificates ./testdata/fullchain.pem ./testdata/privkey.pem", false, 0},
// Test #4 valid ca_certificate section
{"ca_certificates ./testdata/fullchain.pem", true, 2},
// Test #5 ca_certificates and insecure_skip_verify cannot both be set
{"ca_certificates ./testdata/fullchain.pem\ninsecure_skip_verify", false, 0},
}
for i, test := range tests {
u := staticUpstream{}
c := caddyfile.NewDispenser("Testfile", strings.NewReader(test.config))
for c.Next() {
err := parseBlock(&c, &u, false)
if err != nil && test.shouldPass {
t.Errorf(
"Test %d: Could not parse CACertificates. %v.",
i+1,
err,
)
}
}
if test.shouldPass && u.CaCertPool == nil {
t.Errorf(
"Test %d: CACertificates not parsed correctly. CaCertPool %v. Expected value to be set.",
i+1,
u.CaCertPool,
)
}
if test.shouldPass && test.subjectLength != len(u.CaCertPool.Subjects()) {
t.Errorf(
"Test %d: CACertPool subject length incorrect. Got %v. Expected %v.",
i+1,
len(u.CaCertPool.Subjects()),
test.subjectLength,
)
}
}
}
func TestParseBlockHealthCheck(t *testing.T) { func TestParseBlockHealthCheck(t *testing.T) {
tests := []struct { tests := []struct {
config string config string
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment