only enable http challenges on port 80
This commit is contained in:
parent
21a4fa6e29
commit
1e155ac3f4
2 changed files with 44 additions and 4 deletions
@ -54,6 +54,7 @@ type Manager struct {
|
|||
|
||||
acmeTLSALPNLock sync.Mutex
|
||||
acmeTLSALPNPort string
|
||||
acmeTLSALPNListener net.Listener
|
||||
acmeTLSALPNConfig *tls.Config
|
||||
|
||||
*ocspCache
|
||||
|
@ -158,7 +159,7 @@ func (mgr *Manager) getCertMagicConfig(ctx context.Context, cfg *config.Config)
|
|||
}
|
||||
}
|
||||
acmeMgr := certmagic.NewACMEIssuer(mgr.certmagic, mgr.acmeTemplate)
|
||||
acmeMgr.DisableHTTPChallenge = cfg.Options.HTTPRedirectAddr == ""
|
||||
acmeMgr.DisableHTTPChallenge = !shouldEnableHTTPChallenge(cfg)
|
||||
err = configureCertificateAuthority(acmeMgr, cfg.Options.AutocertOptions)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
@ -359,6 +360,11 @@ func (mgr *Manager) updateACMETLSALPNServer(ctx context.Context, cfg *config.Con
|
|||
// store the updated port
|
||||
mgr.acmeTLSALPNPort = cfg.ACMETLSALPNPort
|
||||
|
||||
if mgr.acmeTLSALPNListener != nil {
|
||||
_ = mgr.acmeTLSALPNListener.Close()
|
||||
mgr.acmeTLSALPNListener = nil
|
||||
}
|
||||
|
||||
// start the listener
|
||||
addr := net.JoinHostPort("127.0.0.1", cfg.ACMETLSALPNPort)
|
||||
ln, err := net.Listen("tcp", addr)
|
||||
|
@ -366,6 +372,7 @@ func (mgr *Manager) updateACMETLSALPNServer(ctx context.Context, cfg *config.Con
|
|||
log.Error(ctx).Err(err).Msg("failed to run acme tls alpn server")
|
||||
return
|
||||
}
|
||||
mgr.acmeTLSALPNListener = ln
|
||||
|
||||
// accept connections
|
||||
go func() {
|
||||
|
@ -495,3 +502,16 @@ func sourceHostnames(cfg *config.Config) []string {
|
|||
|
||||
return h
|
||||
}
|
||||
|
||||
func shouldEnableHTTPChallenge(cfg *config.Config) bool {
|
||||
if cfg == nil || cfg.Options == nil {
|
||||
return false
|
||||
}
|
||||
|
||||
_, p, err := net.SplitHostPort(cfg.Options.HTTPRedirectAddr)
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
|
||||
return p == "80"
|
||||
}
|
||||
|
|
|
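Review bot: `shouldEnableHTTPChallenge` compares the port as a string (`return p == "80"`), so an HTTPRedirectAddr written with the service name (`:http`) or a zero-padded port, both of which net.SplitHostPort hands back unchanged, would disable the HTTP-01 challenge even though the listener is on port 80; if HTTPRedirectAddr is passed to net.Listen as-is (not visible in this hunk), `port, err := strconv.Atoi(p); return err == nil && port == 80` plus a `p == "http"` case would match what the listener actually accepts. The helper also lacks a doc comment; suggest `// shouldEnableHTTPChallenge reports whether the HTTP redirect listener is bound to port 80, the only port a CA contacts for the ACME HTTP-01 challenge.` It is worth stating in that comment that only the configured bind port is inspected, not reachability: `127.0.0.1:80` passes (the test file asserts this) although a CA cannot reach a loopback-only listener, so a challenge enabled this way will fail at issuance time rather than at config load. In the updateACMETLSALPNServer hunks the result of `mgr.acmeTLSALPNListener.Close()` is discarded with `_ =`; a one-line comment such as `// best effort: the old listener is being replaced` would document why that error is ignorable. updateACMETLSALPNServer's body starts before and continues after the hunks shown.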
@ -630,3 +630,23 @@ func Test_configureTrustedRoots(t *testing.T) {
|
|||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestShouldEnableHTTPChallenge(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
assert.False(t, shouldEnableHTTPChallenge(nil))
|
||||
assert.False(t, shouldEnableHTTPChallenge(&config.Config{}))
|
||||
assert.False(t, shouldEnableHTTPChallenge(&config.Config{Options: &config.Options{}}))
|
||||
assert.False(t, shouldEnableHTTPChallenge(&config.Config{Options: &config.Options{
|
||||
HTTPRedirectAddr: ":8080",
|
||||
}}))
|
||||
assert.False(t, shouldEnableHTTPChallenge(&config.Config{Options: &config.Options{
|
||||
HTTPRedirectAddr: "127.0.0.1:8080",
|
||||
}}))
|
||||
assert.True(t, shouldEnableHTTPChallenge(&config.Config{Options: &config.Options{
|
||||
HTTPRedirectAddr: ":80",
|
||||
}}))
|
||||
assert.True(t, shouldEnableHTTPChallenge(&config.Config{Options: &config.Options{
|
||||
HTTPRedirectAddr: "127.0.0.1:80",
|
||||
}}))
|
||||
}
|
||||
|
|
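Review bot: TestShouldEnableHTTPChallenge never exercises the `err != nil` branch of net.SplitHostPort, an HTTPRedirectAddr with no port separator such as `"localhost"` or a bare `"80"`, so a regression that dropped the error check would go unnoticed; `assert.False(t, shouldEnableHTTPChallenge(&config.Config{Options: &config.Options{HTTPRedirectAddr: "80"}}))` covers it. A bracketed IPv6 form (`"[::1]:80"`) would also document that such hosts are handled. With seven near-identical assertions a table-driven test (`[]struct{ addr string; want bool }`) would read more easily and make the next case a one-line addition.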