update RootCA

3 files changed, 52 insertions, 7 deletions

diff --git a/.rr.yaml b/.rr.yaml
index 8fd42314..ab2bb843 100644
--- a/.rr.yaml
+++ b/.rr.yaml
@@ -48,6 +48,9 @@ http:
     # ssl private key
     key:      server.key
 
+    # rootCA certificate
+    rootCa:   root.crt
+
   # HTTP service provides FastCGI as frontend
   fcgi:
     # FastCGI connection DSN. Supported TCP and Unix sockets.
diff --git a/service/http/config.go b/service/http/config.go
index 81fcd16c..b87b938f 100644
--- a/service/http/config.go
+++ b/service/http/config.go
@@ -77,6 +77,9 @@ type SSLConfig struct {
 
 	// Cert is https certificate.
 	Cert string
+
+	// Root CA file
+	RootCA string
 }
 
 // EnableHTTP is true when http server must run.
@@ -86,7 +89,7 @@ func (c *Config) EnableHTTP() bool {
 
 // EnableTLS returns true if rr must listen TLS connections.
 func (c *Config) EnableTLS() bool {
-	return c.SSL.Key != "" || c.SSL.Cert != ""
+	return c.SSL.Key != "" || c.SSL.Cert != "" || c.SSL.RootCA != ""
 }
 
 // EnableHTTP2 when HTTP/2 extension must be enabled (only with TSL).
@@ -244,6 +247,16 @@ func (c *Config) Valid() error {
 
 			return err
 		}
+
+		// RootCA is optional, but if provided - check it
+		if c.SSL.RootCA != "" {
+			if _, err := os.Stat(c.SSL.RootCA); err != nil {
+				if os.IsNotExist(err) {
+					return fmt.Errorf("root ca path provided, but key file '%s' does not exists", c.SSL.Key)
+				}
+				return err
+			}
+		}
 	}
 
 	return nil
diff --git a/service/http/service.go b/service/http/service.go
index 8ffc725a..d5f51cc9 100644
--- a/service/http/service.go
+++ b/service/http/service.go
@@ -3,6 +3,7 @@ package http
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"github.com/sirupsen/logrus"
 	"github.com/spiral/roadrunner"
@@ -12,6 +13,7 @@ import (
 	"github.com/spiral/roadrunner/util"
 	"golang.org/x/net/http2"
 	"golang.org/x/net/http2/h2c"
+	"io/ioutil"
 	"net/http"
 	"net/http/fcgi"
 	"net/url"
@@ -268,16 +270,43 @@ func (s *Service) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 
 // Init https server.
 func (s *Service) initSSL() *http.Server {
-	server := &http.Server{
+	// it already checked on Valid step, that file exist
+	var server http.Server
+	server.TLSConfig.MinVersion = tls.VersionTLS12
+
+	if s.cfg.SSL.RootCA != "" {
+		rootCAs, err := x509.SystemCertPool()
+		if err != nil {
+			s.throw(EventInitSSL, nil)
+			return nil
+		}
+		if rootCAs == nil {
+			rootCAs = x509.NewCertPool()
+		}
+
+		CA, err := ioutil.ReadFile(s.cfg.SSL.RootCA)
+		if err != nil {
+			s.throw(EventInitSSL, nil)
+			return nil
+		}
+
+		// should append our CA cert
+		rootCAs.AppendCertsFromPEM(CA)
+		config := &tls.Config{
+			InsecureSkipVerify: false,
+			RootCAs:            rootCAs,
+		}
+		server.TLSConfig = config
+	}
+
+	server = http.Server{
 		Addr:    s.tlsAddr(s.cfg.Address, true),
 		Handler: s,
-		TLSConfig: &tls.Config{
-			MinVersion: tls.VersionTLS12,
-		},
 	}
-	s.throw(EventInitSSL, server)
 
-	return server
+	s.throw(EventInitSSL, &server)
+
+	return &server
 }
 
 // init http/2 server