mirror of
https://github.com/pomerium/pomerium.git
synced 2025-07-24 03:59:49 +02:00
core/autocert: fix filter chain, handshake
This commit is contained in:
parent
d9c6afc168
commit
21a4fa6e29
2 changed files with 41 additions and 13 deletions
|
@ -150,6 +150,8 @@ func (b *Builder) buildMainListener(
|
||||||
li.Address = buildAddress(cfg.Options.Addr, 443)
|
li.Address = buildAddress(cfg.Options.Addr, 443)
|
||||||
li.ListenerFilters = append(li.ListenerFilters, TLSInspectorFilter())
|
li.ListenerFilters = append(li.ListenerFilters, TLSInspectorFilter())
|
||||||
|
|
||||||
|
li.FilterChains = append(li.FilterChains, b.buildACMETLSALPNFilterChain())
|
||||||
|
|
||||||
allCertificates, err := getAllCertificates(cfg)
|
allCertificates, err := getAllCertificates(cfg)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
|
|
@ -46,12 +46,15 @@ type Manager struct {
|
||||||
src config.Source
|
src config.Source
|
||||||
acmeTemplate certmagic.ACMEIssuer
|
acmeTemplate certmagic.ACMEIssuer
|
||||||
|
|
||||||
mu sync.RWMutex
|
mu sync.RWMutex
|
||||||
config *config.Config
|
config *config.Config
|
||||||
certmagic *certmagic.Config
|
certmagic *certmagic.Config
|
||||||
acmeMgr atomic.Pointer[certmagic.ACMEIssuer]
|
acmeMgr atomic.Pointer[certmagic.ACMEIssuer]
|
||||||
srv *http.Server
|
srv *http.Server
|
||||||
acmeTLSALPNListener net.Listener
|
|
||||||
|
acmeTLSALPNLock sync.Mutex
|
||||||
|
acmeTLSALPNPort string
|
||||||
|
acmeTLSALPNConfig *tls.Config
|
||||||
|
|
||||||
*ocspCache
|
*ocspCache
|
||||||
|
|
||||||
|
@ -155,6 +158,7 @@ func (mgr *Manager) getCertMagicConfig(ctx context.Context, cfg *config.Config)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
acmeMgr := certmagic.NewACMEIssuer(mgr.certmagic, mgr.acmeTemplate)
|
acmeMgr := certmagic.NewACMEIssuer(mgr.certmagic, mgr.acmeTemplate)
|
||||||
|
acmeMgr.DisableHTTPChallenge = cfg.Options.HTTPRedirectAddr == ""
|
||||||
err = configureCertificateAuthority(acmeMgr, cfg.Options.AutocertOptions)
|
err = configureCertificateAuthority(acmeMgr, cfg.Options.AutocertOptions)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
@ -342,20 +346,28 @@ func (mgr *Manager) updateServer(ctx context.Context, cfg *config.Config) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (mgr *Manager) updateACMETLSALPNServer(ctx context.Context, cfg *config.Config) {
|
func (mgr *Manager) updateACMETLSALPNServer(ctx context.Context, cfg *config.Config) {
|
||||||
addr := net.JoinHostPort("127.0.0.1", cfg.ACMETLSALPNPort)
|
mgr.acmeTLSALPNLock.Lock()
|
||||||
if mgr.acmeTLSALPNListener != nil {
|
defer mgr.acmeTLSALPNLock.Unlock()
|
||||||
_ = mgr.acmeTLSALPNListener.Close()
|
|
||||||
mgr.acmeTLSALPNListener = nil
|
// store the updated TLS config
|
||||||
|
mgr.acmeTLSALPNConfig = mgr.certmagic.TLSConfig().Clone()
|
||||||
|
// if the port hasn't changed, we're done
|
||||||
|
if mgr.acmeTLSALPNPort == cfg.ACMETLSALPNPort {
|
||||||
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
tlsConfig := mgr.certmagic.TLSConfig()
|
// store the updated port
|
||||||
ln, err := tls.Listen("tcp", addr, tlsConfig)
|
mgr.acmeTLSALPNPort = cfg.ACMETLSALPNPort
|
||||||
|
|
||||||
|
// start the listener
|
||||||
|
addr := net.JoinHostPort("127.0.0.1", cfg.ACMETLSALPNPort)
|
||||||
|
ln, err := net.Listen("tcp", addr)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Error(ctx).Err(err).Msg("failed to run acme tls alpn server")
|
log.Error(ctx).Err(err).Msg("failed to run acme tls alpn server")
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
mgr.acmeTLSALPNListener = ln
|
|
||||||
|
|
||||||
|
// accept connections
|
||||||
go func() {
|
go func() {
|
||||||
for {
|
for {
|
||||||
conn, err := ln.Accept()
|
conn, err := ln.Accept()
|
||||||
|
@ -364,6 +376,20 @@ func (mgr *Manager) updateACMETLSALPNServer(ctx context.Context, cfg *config.Con
|
||||||
} else if err != nil {
|
} else if err != nil {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// initiate the TLS handshake
|
||||||
|
mgr.acmeTLSALPNLock.Lock()
|
||||||
|
tlsConfig := mgr.acmeTLSALPNConfig.Clone()
|
||||||
|
mgr.acmeTLSALPNLock.Unlock()
|
||||||
|
|
||||||
|
orig := tlsConfig.GetCertificate
|
||||||
|
tlsConfig.GetCertificate = func(chi *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
||||||
|
log.Info(ctx).Str("server-name", chi.ServerName).
|
||||||
|
Msg("received request for ACME TLS ALPN certificate")
|
||||||
|
return orig(chi)
|
||||||
|
}
|
||||||
|
|
||||||
|
_ = tls.Server(conn, tlsConfig).HandshakeContext(ctx)
|
||||||
_ = conn.Close()
|
_ = conn.Close()
|
||||||
}
|
}
|
||||||
}()
|
}()
|
||||||
|
|
Loading…
Add table
Add a link
Reference in a new issue