diff options
Diffstat (limited to 'service')
| -rw-r--r-- | service/http/config.go | 15 | ||||
| -rw-r--r-- | service/http/service.go | 44 |
2 files changed, 57 insertions, 2 deletions
diff --git a/service/http/config.go b/service/http/config.go index 81fcd16c..b87b938f 100644 --- a/service/http/config.go +++ b/service/http/config.go @@ -77,6 +77,9 @@ type SSLConfig struct { // Cert is https certificate. Cert string + + // Root CA file + RootCA string } // EnableHTTP is true when http server must run. @@ -86,7 +89,7 @@ func (c *Config) EnableHTTP() bool { // EnableTLS returns true if rr must listen TLS connections. func (c *Config) EnableTLS() bool { - return c.SSL.Key != "" || c.SSL.Cert != "" + return c.SSL.Key != "" || c.SSL.Cert != "" || c.SSL.RootCA != "" } // EnableHTTP2 when HTTP/2 extension must be enabled (only with TSL). @@ -244,6 +247,16 @@ func (c *Config) Valid() error { return err } + + // RootCA is optional, but if provided - check it + if c.SSL.RootCA != "" { + if _, err := os.Stat(c.SSL.RootCA); err != nil { + if os.IsNotExist(err) { + return fmt.Errorf("root ca path provided, but key file '%s' does not exists", c.SSL.Key) + } + return err + } + } } return nil diff --git a/service/http/service.go b/service/http/service.go index 8ffc725a..b260008c 100644 --- a/service/http/service.go +++ b/service/http/service.go @@ -3,6 +3,8 @@ package http import ( "context" "crypto/tls" + "crypto/x509" + "errors" "fmt" "github.com/sirupsen/logrus" "github.com/spiral/roadrunner" @@ -12,6 +14,7 @@ import ( "github.com/spiral/roadrunner/util" "golang.org/x/net/http2" "golang.org/x/net/http2/h2c" + "io/ioutil" "net/http" "net/http/fcgi" "net/url" @@ -27,6 +30,8 @@ const ( EventInitSSL = 750 ) +var couldNotAppendPemError = errors.New("could not append Certs from PEM") + // http middleware type. type middleware func(f http.HandlerFunc) http.HandlerFunc @@ -124,6 +129,12 @@ func (s *Service) Serve() error { if s.cfg.EnableTLS() { s.https = s.initSSL() + if s.cfg.SSL.RootCA != "" { + err := s.appendRootCa() + if err != nil { + return err + } + } if s.cfg.EnableHTTP2() { if err := s.initHTTP2(); err != nil { @@ -266,7 +277,38 @@ func (s *Service) ServeHTTP(w http.ResponseWriter, r *http.Request) { f(w, r) } -// Init https server. +// append RootCA to the https server TLS config +func (s *Service) appendRootCa() error { + rootCAs, err := x509.SystemCertPool() + if err != nil { + s.throw(EventInitSSL, nil) + return nil + } + if rootCAs == nil { + rootCAs = x509.NewCertPool() + } + + CA, err := ioutil.ReadFile(s.cfg.SSL.RootCA) + if err != nil { + s.throw(EventInitSSL, nil) + return err + } + + // should append our CA cert + ok := rootCAs.AppendCertsFromPEM(CA) + if !ok { + return couldNotAppendPemError + } + config := &tls.Config{ + InsecureSkipVerify: false, + RootCAs: rootCAs, + } + s.http.TLSConfig = config + + return nil +} + +// Init https server func (s *Service) initSSL() *http.Server { server := &http.Server{ Addr: s.tlsAddr(s.cfg.Address, true), |