3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-07-26 13:09:47 +02:00
Code Issues Projects Releases Packages Wiki Activity

core/autocert: fix filter chain, handshake

Browse source
This commit is contained in:
Caleb Doxsey 2024-06-25 16:30:13 -06:00
parent d9c6afc168
commit 21a4fa6e29
2 changed files with 41 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

2
config/envoyconfig/listeners.go
View file

@ -150,6 +150,8 @@ func (b *Builder) buildMainListener(
li.Address = buildAddress(cfg.Options.Addr, 443) li.Address = buildAddress(cfg.Options.Addr, 443)
li.ListenerFilters = append(li.ListenerFilters, TLSInspectorFilter()) li.ListenerFilters = append(li.ListenerFilters, TLSInspectorFilter())
li.FilterChains = append(li.FilterChains, b.buildACMETLSALPNFilterChain())
allCertificates, err := getAllCertificates(cfg) allCertificates, err := getAllCertificates(cfg)
if err != nil { if err != nil {
return nil, err return nil, err

52
internal/autocert/manager.go
View file

@ -46,12 +46,15 @@ type Manager struct {
src config.Source src config.Source
acmeTemplate certmagic.ACMEIssuer acmeTemplate certmagic.ACMEIssuer
mu sync.RWMutex mu sync.RWMutex
config *config.Config config *config.Config
certmagic *certmagic.Config certmagic *certmagic.Config
acmeMgr atomic.Pointer[certmagic.ACMEIssuer] acmeMgr atomic.Pointer[certmagic.ACMEIssuer]
srv *http.Server srv *http.Server
acmeTLSALPNListener net.Listener
acmeTLSALPNLock sync.Mutex
acmeTLSALPNPort string
acmeTLSALPNConfig *tls.Config
*ocspCache *ocspCache
@ -155,6 +158,7 @@ func (mgr *Manager) getCertMagicConfig(ctx context.Context, cfg *config.Config)
} }
} }
acmeMgr := certmagic.NewACMEIssuer(mgr.certmagic, mgr.acmeTemplate) acmeMgr := certmagic.NewACMEIssuer(mgr.certmagic, mgr.acmeTemplate)
acmeMgr.DisableHTTPChallenge = cfg.Options.HTTPRedirectAddr == ""
err = configureCertificateAuthority(acmeMgr, cfg.Options.AutocertOptions) err = configureCertificateAuthority(acmeMgr, cfg.Options.AutocertOptions)
if err != nil { if err != nil {
return nil, err return nil, err
@ -342,20 +346,28 @@ func (mgr *Manager) updateServer(ctx context.Context, cfg *config.Config) {
} }
func (mgr *Manager) updateACMETLSALPNServer(ctx context.Context, cfg *config.Config) { func (mgr *Manager) updateACMETLSALPNServer(ctx context.Context, cfg *config.Config) {
addr := net.JoinHostPort("127.0.0.1", cfg.ACMETLSALPNPort) mgr.acmeTLSALPNLock.Lock()
if mgr.acmeTLSALPNListener != nil { defer mgr.acmeTLSALPNLock.Unlock()
_ = mgr.acmeTLSALPNListener.Close()
mgr.acmeTLSALPNListener = nil // store the updated TLS config
mgr.acmeTLSALPNConfig = mgr.certmagic.TLSConfig().Clone()
// if the port hasn't changed, we're done
if mgr.acmeTLSALPNPort == cfg.ACMETLSALPNPort {
return
} }
tlsConfig := mgr.certmagic.TLSConfig() // store the updated port
ln, err := tls.Listen("tcp", addr, tlsConfig) mgr.acmeTLSALPNPort = cfg.ACMETLSALPNPort
// start the listener
addr := net.JoinHostPort("127.0.0.1", cfg.ACMETLSALPNPort)
ln, err := net.Listen("tcp", addr)
if err != nil { if err != nil {
log.Error(ctx).Err(err).Msg("failed to run acme tls alpn server") log.Error(ctx).Err(err).Msg("failed to run acme tls alpn server")
return return
} }
mgr.acmeTLSALPNListener = ln
// accept connections
go func() { go func() {
for { for {
conn, err := ln.Accept() conn, err := ln.Accept()
@ -364,6 +376,20 @@ func (mgr *Manager) updateACMETLSALPNServer(ctx context.Context, cfg *config.Con
} else if err != nil { } else if err != nil {
continue continue
} }
// initiate the TLS handshake
mgr.acmeTLSALPNLock.Lock()
tlsConfig := mgr.acmeTLSALPNConfig.Clone()
mgr.acmeTLSALPNLock.Unlock()
orig := tlsConfig.GetCertificate
tlsConfig.GetCertificate = func(chi *tls.ClientHelloInfo) (*tls.Certificate, error) {
log.Info(ctx).Str("server-name", chi.ServerName).
Msg("received request for ACME TLS ALPN certificate")
return orig(chi)
}
_ = tls.Server(conn, tlsConfig).HandshakeContext(ctx)
_ = conn.Close() _ = conn.Close()
} }
}() }()