Merge #323

323: Add RootCA support r=48d90782 a=48d90782

This PR adds RootCA support by the RR

Co-authored-by: Valery Piashchynski <[email protected]>

3 files changed, 60 insertions, 2 deletions

diff --git a/.rr.yaml b/.rr.yaml
index 8fd42314..ab2bb843 100644
--- a/.rr.yaml
+++ b/.rr.yaml
@@ -48,6 +48,9 @@ http:
     # ssl private key
     key:      server.key
 
+    # rootCA certificate
+    rootCa:   root.crt
+
   # HTTP service provides FastCGI as frontend
   fcgi:
     # FastCGI connection DSN. Supported TCP and Unix sockets.
diff --git a/service/http/config.go b/service/http/config.go
index 81fcd16c..b87b938f 100644
--- a/service/http/config.go
+++ b/service/http/config.go
@@ -77,6 +77,9 @@ type SSLConfig struct {
 
 	// Cert is https certificate.
 	Cert string
+
+	// Root CA file
+	RootCA string
 }
 
 // EnableHTTP is true when http server must run.
@@ -86,7 +89,7 @@ func (c *Config) EnableHTTP() bool {
 
 // EnableTLS returns true if rr must listen TLS connections.
 func (c *Config) EnableTLS() bool {
-	return c.SSL.Key != "" || c.SSL.Cert != ""
+	return c.SSL.Key != "" || c.SSL.Cert != "" || c.SSL.RootCA != ""
 }
 
 // EnableHTTP2 when HTTP/2 extension must be enabled (only with TSL).
@@ -244,6 +247,16 @@ func (c *Config) Valid() error {
 
 			return err
 		}
+
+		// RootCA is optional, but if provided - check it
+		if c.SSL.RootCA != "" {
+			if _, err := os.Stat(c.SSL.RootCA); err != nil {
+				if os.IsNotExist(err) {
+					return fmt.Errorf("root ca path provided, but key file '%s' does not exists", c.SSL.Key)
+				}
+				return err
+			}
+		}
 	}
 
 	return nil
diff --git a/service/http/service.go b/service/http/service.go
index 8ffc725a..b260008c 100644
--- a/service/http/service.go
+++ b/service/http/service.go
@@ -3,6 +3,8 @@ package http
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
+	"errors"
 	"fmt"
 	"github.com/sirupsen/logrus"
 	"github.com/spiral/roadrunner"
@@ -12,6 +14,7 @@ import (
 	"github.com/spiral/roadrunner/util"
 	"golang.org/x/net/http2"
 	"golang.org/x/net/http2/h2c"
+	"io/ioutil"
 	"net/http"
 	"net/http/fcgi"
 	"net/url"
@@ -27,6 +30,8 @@ const (
 	EventInitSSL = 750
 )
 
+var couldNotAppendPemError = errors.New("could not append Certs from PEM")
+
 // http middleware type.
 type middleware func(f http.HandlerFunc) http.HandlerFunc
 
@@ -124,6 +129,12 @@ func (s *Service) Serve() error {
 
 	if s.cfg.EnableTLS() {
 		s.https = s.initSSL()
+		if s.cfg.SSL.RootCA != "" {
+			err := s.appendRootCa()
+			if err != nil {
+				return err
+			}
+		}
 
 		if s.cfg.EnableHTTP2() {
 			if err := s.initHTTP2(); err != nil {
@@ -266,7 +277,38 @@ func (s *Service) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	f(w, r)
 }
 
-// Init https server.
+// append RootCA to the https server TLS config
+func (s *Service) appendRootCa() error {
+	rootCAs, err := x509.SystemCertPool()
+	if err != nil {
+		s.throw(EventInitSSL, nil)
+		return nil
+	}
+	if rootCAs == nil {
+		rootCAs = x509.NewCertPool()
+	}
+
+	CA, err := ioutil.ReadFile(s.cfg.SSL.RootCA)
+	if err != nil {
+		s.throw(EventInitSSL, nil)
+		return err
+	}
+
+	// should append our CA cert
+	ok := rootCAs.AppendCertsFromPEM(CA)
+	if !ok {
+		return couldNotAppendPemError
+	}
+	config := &tls.Config{
+		InsecureSkipVerify: false,
+		RootCAs:            rootCAs,
+	}
+	s.http.TLSConfig = config
+
+	return nil
+}
+
+// Init https server
 func (s *Service) initSSL() *http.Server {
 	server := &http.Server{
 		Addr:    s.tlsAddr(s.cfg.Address, true),