summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--.rr.yaml3
-rw-r--r--service/http/config.go15
-rw-r--r--service/http/service.go44
3 files changed, 60 insertions, 2 deletions
diff --git a/.rr.yaml b/.rr.yaml
index 8fd42314..ab2bb843 100644
--- a/.rr.yaml
+++ b/.rr.yaml
@@ -48,6 +48,9 @@ http:
# ssl private key
key: server.key
+ # rootCA certificate
+ rootCa: root.crt
+
# HTTP service provides FastCGI as frontend
fcgi:
# FastCGI connection DSN. Supported TCP and Unix sockets.
diff --git a/service/http/config.go b/service/http/config.go
index 81fcd16c..b87b938f 100644
--- a/service/http/config.go
+++ b/service/http/config.go
@@ -77,6 +77,9 @@ type SSLConfig struct {
// Cert is https certificate.
Cert string
+
+ // Root CA file
+ RootCA string
}
// EnableHTTP is true when http server must run.
@@ -86,7 +89,7 @@ func (c *Config) EnableHTTP() bool {
// EnableTLS returns true if rr must listen TLS connections.
func (c *Config) EnableTLS() bool {
- return c.SSL.Key != "" || c.SSL.Cert != ""
+ return c.SSL.Key != "" || c.SSL.Cert != "" || c.SSL.RootCA != ""
}
// EnableHTTP2 when HTTP/2 extension must be enabled (only with TSL).
@@ -244,6 +247,16 @@ func (c *Config) Valid() error {
return err
}
+
+ // RootCA is optional, but if provided - check it
+ if c.SSL.RootCA != "" {
+ if _, err := os.Stat(c.SSL.RootCA); err != nil {
+ if os.IsNotExist(err) {
+ return fmt.Errorf("root ca path provided, but key file '%s' does not exists", c.SSL.Key)
+ }
+ return err
+ }
+ }
}
return nil
diff --git a/service/http/service.go b/service/http/service.go
index 8ffc725a..b260008c 100644
--- a/service/http/service.go
+++ b/service/http/service.go
@@ -3,6 +3,8 @@ package http
import (
"context"
"crypto/tls"
+ "crypto/x509"
+ "errors"
"fmt"
"github.com/sirupsen/logrus"
"github.com/spiral/roadrunner"
@@ -12,6 +14,7 @@ import (
"github.com/spiral/roadrunner/util"
"golang.org/x/net/http2"
"golang.org/x/net/http2/h2c"
+ "io/ioutil"
"net/http"
"net/http/fcgi"
"net/url"
@@ -27,6 +30,8 @@ const (
EventInitSSL = 750
)
+var couldNotAppendPemError = errors.New("could not append Certs from PEM")
+
// http middleware type.
type middleware func(f http.HandlerFunc) http.HandlerFunc
@@ -124,6 +129,12 @@ func (s *Service) Serve() error {
if s.cfg.EnableTLS() {
s.https = s.initSSL()
+ if s.cfg.SSL.RootCA != "" {
+ err := s.appendRootCa()
+ if err != nil {
+ return err
+ }
+ }
if s.cfg.EnableHTTP2() {
if err := s.initHTTP2(); err != nil {
@@ -266,7 +277,38 @@ func (s *Service) ServeHTTP(w http.ResponseWriter, r *http.Request) {
f(w, r)
}
-// Init https server.
+// append RootCA to the https server TLS config
+func (s *Service) appendRootCa() error {
+ rootCAs, err := x509.SystemCertPool()
+ if err != nil {
+ s.throw(EventInitSSL, nil)
+ return nil
+ }
+ if rootCAs == nil {
+ rootCAs = x509.NewCertPool()
+ }
+
+ CA, err := ioutil.ReadFile(s.cfg.SSL.RootCA)
+ if err != nil {
+ s.throw(EventInitSSL, nil)
+ return err
+ }
+
+ // should append our CA cert
+ ok := rootCAs.AppendCertsFromPEM(CA)
+ if !ok {
+ return couldNotAppendPemError
+ }
+ config := &tls.Config{
+ InsecureSkipVerify: false,
+ RootCAs: rootCAs,
+ }
+ s.http.TLSConfig = config
+
+ return nil
+}
+
+// Init https server
func (s *Service) initSSL() *http.Server {
server := &http.Server{
Addr: s.tlsAddr(s.cfg.Address, true),