3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-08-06 10:21:05 +02:00
Code Issues Projects Releases Packages Wiki Activity

envoy: fix usage of codec_type with alpn (#2277)

Browse source
This commit is contained in:
Caleb Doxsey 2021-06-07 14:26:20 -06:00 committed by GitHub
parent 2c48f7fd95
commit 02d9460765
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 79 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

12
config/envoyconfig/listeners.go
View file

@ -642,12 +642,22 @@ func (b *Builder) buildDownstreamTLSContext(ctx context.Context,
return nil return nil
} }
var alpnProtocols []string
switch cfg.Options.GetCodecType() {
case config.CodecTypeHTTP1:
alpnProtocols = []string{"http/1.1"}
case config.CodecTypeHTTP2:
alpnProtocols = []string{"h2"}
default:
alpnProtocols = []string{"h2", "http/1.1"}
}
envoyCert := b.envoyTLSCertificateFromGoTLSCertificate(ctx, cert) envoyCert := b.envoyTLSCertificateFromGoTLSCertificate(ctx, cert)
return &envoy_extensions_transport_sockets_tls_v3.DownstreamTlsContext{ return &envoy_extensions_transport_sockets_tls_v3.DownstreamTlsContext{
CommonTlsContext: &envoy_extensions_transport_sockets_tls_v3.CommonTlsContext{ CommonTlsContext: &envoy_extensions_transport_sockets_tls_v3.CommonTlsContext{
TlsParams: tlsParams, TlsParams: tlsParams,
TlsCertificates: []*envoy_extensions_transport_sockets_tls_v3.TlsCertificate{envoyCert}, TlsCertificates: []*envoy_extensions_transport_sockets_tls_v3.TlsCertificate{envoyCert},
AlpnProtocols: []string{"h2", "http/1.1"}, AlpnProtocols: alpnProtocols,
ValidationContextType: b.buildDownstreamValidationContext(ctx, cfg, domain), ValidationContextType: b.buildDownstreamValidationContext(ctx, cfg, domain),
}, },
} }

68
config/envoyconfig/listeners_test.go
View file

@ -640,6 +640,74 @@ func Test_buildDownstreamTLSContext(t *testing.T) {
} }
}`, downstreamTLSContext) }`, downstreamTLSContext)
}) })
t.Run("http1", func(t *testing.T) {
downstreamTLSContext := b.buildDownstreamTLSContext(context.Background(), &config.Config{Options: &config.Options{
Cert: aExampleComCert,
Key: aExampleComKey,
CodecType: config.CodecTypeHTTP1,
}}, "a.example.com")
testutil.AssertProtoJSONEqual(t, `{
"commonTlsContext": {
"tlsParams": {
"cipherSuites": [
"ECDHE-ECDSA-AES256-GCM-SHA384",
"ECDHE-RSA-AES256-GCM-SHA384",
"ECDHE-ECDSA-AES128-GCM-SHA256",
"ECDHE-RSA-AES128-GCM-SHA256",
"ECDHE-ECDSA-CHACHA20-POLY1305",
"ECDHE-RSA-CHACHA20-POLY1305"
],
"tlsMinimumProtocolVersion": "TLSv1_2"
},
"alpnProtocols": ["http/1.1"],
"tlsCertificates": [
{
"certificateChain": {
"filename": "`+certFileName+`"
},
"privateKey": {
"filename": "`+keyFileName+`"
}
}
]
}
}`, downstreamTLSContext)
})
t.Run("http2", func(t *testing.T) {
downstreamTLSContext := b.buildDownstreamTLSContext(context.Background(), &config.Config{Options: &config.Options{
Cert: aExampleComCert,
Key: aExampleComKey,
CodecType: config.CodecTypeHTTP2,
}}, "a.example.com")
testutil.AssertProtoJSONEqual(t, `{
"commonTlsContext": {
"tlsParams": {
"cipherSuites": [
"ECDHE-ECDSA-AES256-GCM-SHA384",
"ECDHE-RSA-AES256-GCM-SHA384",
"ECDHE-ECDSA-AES128-GCM-SHA256",
"ECDHE-RSA-AES128-GCM-SHA256",
"ECDHE-ECDSA-CHACHA20-POLY1305",
"ECDHE-RSA-CHACHA20-POLY1305"
],
"tlsMinimumProtocolVersion": "TLSv1_2"
},
"alpnProtocols": ["h2"],
"tlsCertificates": [
{
"certificateChain": {
"filename": "`+certFileName+`"
},
"privateKey": {
"filename": "`+keyFileName+`"
}
}
]
}
}`, downstreamTLSContext)
})
} }
func Test_getAllDomains(t *testing.T) { func Test_getAllDomains(t *testing.T) {