rpcsrv: Allow to enable mTLS
If the RootCAs setting is present in the configuration, use the listed CA certificates to verify client certificates. Signed-off-by: Evgenii Stratonikov <fyfyrchik@runbox.com>
This commit is contained in:
parent
5cbfe215a4
commit
90efaa4771
2 changed files with 28 additions and 3 deletions
|
@ -29,8 +29,10 @@ type (
|
|||
|
||||
// TLS describes SSL/TLS configuration.
|
||||
TLS struct {
|
||||
BasicService `yaml:",inline"`
|
||||
CertFile string `yaml:"CertFile"`
|
||||
KeyFile string `yaml:"KeyFile"`
|
||||
BasicService `yaml:",inline"`
|
||||
RootCA []string `yaml:"RootCAs"`
|
||||
InsecureSkipVerify bool `yaml:"InsecureSkipVerify"`
|
||||
CertFile string `yaml:"CertFile"`
|
||||
KeyFile string `yaml:"KeyFile"`
|
||||
}
|
||||
)
|
||||
|
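Review bot: The new `InsecureSkipVerify` field on a server-side TLS block is misleading, because Go's `tls.Config.InsecureSkipVerify` only governs how a client checks the server's certificate and is not consulted when a server verifies client certificates against `ClientCAs`, so an operator who sets it expecting to relax mTLS gets no such effect. If the knob is kept, document that limitation on the field, e.g. `// InsecureSkipVerify does not affect client-certificate verification on the server side.`, and give the other new field a comment as well, e.g. `// RootCA lists PEM files with the CAs trusted to sign client certificates; when empty, mTLS is meant to be off.`. The Go field is named `RootCA` while its YAML key is `RootCAs`; using `RootCAs` for both would avoid confusion in logs and docs. The enclosing `type (` block starts before this hunk.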
|
|
@ -4,6 +4,8 @@ import (
|
|||
"bytes"
|
||||
"context"
|
||||
"crypto/elliptic"
|
||||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
"encoding/binary"
|
||||
"encoding/hex"
|
||||
"encoding/json"
|
||||
|
@ -13,6 +15,7 @@ import (
|
|||
"math/big"
|
||||
"net"
|
||||
"net/http"
|
||||
"os"
|
||||
"strconv"
|
||||
"strings"
|
||||
"sync"
|
||||
|
@ -409,7 +412,27 @@ func (s *Server) Start() {
|
|||
}
|
||||
|
||||
if cfg := s.config.TLSConfig; cfg.Enabled {
|
||||
caCertPool := x509.NewCertPool()
|
||||
for _, f := range cfg.RootCA {
|
||||
data, err := os.ReadFile(f)
|
||||
if err != nil {
|
||||
s.errChan <- err
|
||||
return
|
||||
}
|
||||
|
||||
caCertPool.AppendCertsFromPEM(data)
|
||||
}
|
||||
|
||||
for _, srv := range s.https {
|
||||
if len(cfg.RootCA) == 0 {
|
||||
s.log.Warn("client CAs are not provided, mTLS is disabled")
|
||||
cfg.InsecureSkipVerify = true
|
||||
}
|
||||
srv.TLSConfig = &tls.Config{
|
||||
ClientCAs: caCertPool,
|
||||
ClientAuth: tls.RequireAndVerifyClientCert,
|
||||
InsecureSkipVerify: cfg.InsecureSkipVerify,
|
||||
}
|
||||
srv.Handler = http.HandlerFunc(s.handleHTTPRequest)
|
||||
s.log.Info("starting rpc-server (https)", zap.String("endpoint", srv.Addr))
|
||||
|
||||
|
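Review bot: The fallback in the `len(cfg.RootCA) == 0` branch does not do what its warning says: Go's server-side handshake verifies client certificates against `ClientCAs` regardless of `InsecureSkipVerify` (that field only matters for a client verifying a server), and `ClientAuth` stays `tls.RequireAndVerifyClientCert`, so with the freshly created empty pool every client is rejected instead of mTLS being disabled. Selecting `ClientAuth` from whether any CAs were configured, and dropping `InsecureSkipVerify` from the server config, gives the intended behaviour; the decision also belongs outside the per-server loop rather than being re-evaluated for each `srv`. Separately, the `bool` result of `caCertPool.AppendCertsFromPEM(data)` is ignored, so a file with no parseable PEM certificate is accepted silently and leaves the pool empty; failing on `false` makes misconfiguration visible at startup (`fmt` is presumably already imported by this file; adjust if not). Pinning `MinVersion: tls.VersionTLS12` is cheap insurance, since the default server minimum depends on the Go version. `Start` begins before and continues after this hunk.
```go
		for _, f := range cfg.RootCA {
			data, err := os.ReadFile(f)
			if err != nil {
				s.errChan <- err
				return
			}
			if !caCertPool.AppendCertsFromPEM(data) {
				s.errChan <- fmt.Errorf("no PEM certificates found in %q", f)
				return
			}
		}

		// With no CAs configured there is nothing to verify client certs against,
		// so do not demand one; InsecureSkipVerify would not relax this on the server side.
		clientAuth := tls.RequireAndVerifyClientCert
		if len(cfg.RootCA) == 0 {
			s.log.Warn("client CAs are not provided, mTLS is disabled")
			clientAuth = tls.NoClientCert
		}

		for _, srv := range s.https {
			srv.TLSConfig = &tls.Config{
				ClientCAs:  caCertPool,
				ClientAuth: clientAuth,
				MinVersion: tls.VersionTLS12,
			}
			// … unchanged: handler assignment and startup log …
		}
```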
|