Diffstat (limited to 'cmd/tlsrouter')
-rw-r--r-- | cmd/tlsrouter/acme.go | 101 | ||||
-rw-r--r-- | cmd/tlsrouter/config.go | 9 | ||||
-rw-r--r-- | cmd/tlsrouter/e2e_test.go | 10 |
3 files changed, 1 insertions, 119 deletions
diff --git a/cmd/tlsrouter/acme.go b/cmd/tlsrouter/acme.go
deleted file mode 100644
index ab8d59a..0000000
--- a/cmd/tlsrouter/acme.go
+++ /dev/null
@@ -1,101 +0,0 @@
-// Copyright 2016 Google Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package main
-
-import (
- "context"
- "crypto/tls"
- "net"
- "time"
-)
-
-type acmeCacheEntry struct {
- backend string
- expires time.Time
-}
-
-// ACME locates backends that are attempting ACME SNI-based validation.
-type ACME struct {
- backends []string
- // *.acme.invalid domain to cache entry
- cache map[string]acmeCacheEntry
-}
-
-// Match returns the backend for hostname, if one is found.
-func (s *ACME) Match(hostname string) string {
- c := s.cache[hostname]
- if time.Now().Before(c.expires) {
- return c.backend
- }
-
- // Cache entry is either expired or invalid, need to figure out
- // which backend is the right one.
- ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
- defer cancel()
-
- ch := make(chan string, len(s.backends))
- for _, backend := range s.backends {
- go tryAcme(ctx, ch, backend, hostname)
- }
- for range s.backends {
- backend := <-ch
- if backend != "" {
- s.cache[hostname] = acmeCacheEntry{backend, time.Now().Add(5 * time.Second)}
- return backend
- }
- }
-
- // No usable backends found :(
- s.cache[hostname] = acmeCacheEntry{"", time.Now().Add(5 * time.Second)}
- return ""
-}
-
-func tryAcme(ctx context.Context, ch chan string, backend, hostname string) {
- var res string
- var err error
- defer func() { ch <- res }()
-
- dialer := net.Dialer{Timeout: 10 * time.Second}
- conn, err := dialer.DialContext(ctx, "tcp", backend)
- if err != nil {
- return
- }
- defer conn.Close()
-
- deadline, ok := ctx.Deadline()
- if ok {
- conn.SetDeadline(deadline)
- }
- client := tls.Client(conn, &tls.Config{
- ServerName: hostname,
- InsecureSkipVerify: true,
- })
- if err != nil {
- return
- }
- if err = client.Handshake(); err != nil {
- return
- }
-
- certs := client.ConnectionState().PeerCertificates
- if len(certs) == 0 {
- return
- }
- if err = certs[0].VerifyHostname(hostname); err != nil {
- return
- }
-
- res = backend
-}
diff --git a/cmd/tlsrouter/config.go b/cmd/tlsrouter/config.go
index 1c8151f..692b04b 100644
--- a/cmd/tlsrouter/config.go
+++ b/cmd/tlsrouter/config.go
@@ -37,7 +37,6 @@ type Route struct {
 type Config struct {
 mu sync.Mutex
 routes []Route
- acme *ACME
 }
 
 func dnsRegex(s string) (*regexp.Regexp, error) {
@@ -64,10 +63,6 @@ func (c *Config) Match(hostname string) (string, bool) {
 c.mu.Lock()
 defer c.mu.Unlock()
 
- if strings.HasSuffix(hostname, ".acme.invalid") {
- return c.acme.Match(hostname), false
- }
-
 for _, r := range c.routes {
 if r.match.MatchString(hostname) {
 return r.backend, r.proxyInfo
@@ -123,10 +118,6 @@ func (c *Config) Read(r io.Reader) error {
 c.mu.Lock()
 defer c.mu.Unlock()
 c.routes = routes
- c.acme = &ACME{
- backends: backends,
- cache: make(map[string]acmeCacheEntry),
- }
 return nil
 }
 
diff --git a/cmd/tlsrouter/e2e_test.go b/cmd/tlsrouter/e2e_test.go
index 92551e2..6e54021 100644
--- a/cmd/tlsrouter/e2e_test.go
+++ b/cmd/tlsrouter/e2e_test.go
@@ -34,12 +34,6 @@ func TestRouting(t *testing.T) {
 }
 defer s2.Close()
 
- s3, err := serveTLS(t, "server3", false, "blarghblargh.acme.invalid")
- if err != nil {
- t.Fatalf("server TLS server3: %s", err)
- }
- defer s3.Close()
-
 s4, err := serveTLS(t, "server4", true, "proxy.design")
 if err != nil {
 t.Fatalf("server TLS server4: %s", err)
@@ -58,9 +52,8 @@ func TestRouting(t *testing.T) {
 if err := p.Config.ReadString(fmt.Sprintf(`
 test.com %s
 foo.net %s
-borkbork.tf %s
 proxy.design %s PROXY
-`, s1.Addr(), s2.Addr(), s3.Addr(), s4.Addr())); err != nil {
+`, s1.Addr(), s2.Addr(), s4.Addr())); err != nil {
 t.Fatalf("configure proxy: %s", err)
 }
 
@@ -73,7 +66,6 @@ proxy.design %s PROXY
 {"test.com", "server1", s1.Pool, true, false},
 {"foo.net", "server2", s2.Pool, true, false},
 {"bar.org", "", s1.Pool, false, false},
- {"blarghblargh.acme.invalid", "server3", s3.Pool, true, false},
 {"proxy.design", "server4", s4.Pool, true, true},
 } {
 res, transparent, err := getTLS(l.Addr().String(), test.N, test.P)
|
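Review bot: After the `@@ -58,9 +52,8 @@` hunk drops the `borkbork.tf` route, the routing table in the following `@@ -73,7 +66,6 @@` hunk no longer exercises any `.acme.invalid` hostname, so nothing asserts that such names now fall through `Config.Match` like any other unrouted hostname instead of being special-cased. A negative row in the same shape as the existing `bar.org` entry, `{"blarghblargh.acme.invalid", "", s1.Pool, false, false},`, would pin that and needs no extra test server, since no backend has to present that name any more. Removing the `borkbork.tf` route itself looks right, as it only existed to give the old SNI probe a backend to find. Separately, the `backends: backends` line removed from config.go's `Read` hunk suggests that function still builds a `backends` slice that is now never read; its declaration is outside the hunk, so worth confirming and deleting if so. TestRouting's body begins and ends outside these hunks.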