support optional client certificate for proxy rule

2022-01-01 16:33:44 +00:00 · 2022-01-01 16:33:44 +00:00 · d49093c105
parent da2185f37f
commit d49093c105
5 changed files with 39 additions and 2 deletions
--- a/gmid.c
+++ b/gmid.c
@ -304,6 +304,9 @@ free_config(void)

 			free(l->proxy_host);

+			tls_unload_file(l->proxy_cert, l->proxy_cert_len);
+			tls_unload_file(l->proxy_key, l->proxy_key_len);
+
 			if (l->dirfd != -1)
 				close(l->dirfd);

--- a/gmid.h
+++ b/gmid.h
@ -113,6 +113,10 @@ struct location {

 	char		*proxy_host;
 	const char	*proxy_port;
+	uint8_t		*proxy_cert;
+	size_t		 proxy_cert_len;
+	uint8_t		*proxy_key;
+	size_t		 proxy_key_len;

 	const char	*dir;
 	int		 dirfd;
@ -238,6 +242,7 @@ struct client {
 	struct sockaddr_storage	 addr;
 	struct vhost	*host;	/* host they're talking to */
 	size_t		 loc;	/* location matched */
+	struct location	*l;

 	SPLAY_ENTRY(client) entry;
 };
--- a/parse.y
+++ b/parse.y
@ -353,7 +353,21 @@ proxy_opts	: /* empty */
 		| proxy_opts proxy_opt optnl
 		;

-proxy_opt	: RELAY_TO string {
+proxy_opt	: CERT string {
+			only_once(loc->proxy_cert, "proxy cert");
+			ensure_absolute_path($2);
+			loc->proxy_cert = tls_load_file($2, &loc->proxy_cert_len, NULL);
+			if (loc->proxy_cert == NULL)
+				yyerror("can't load cert %s", $2);
+		}
+		| KEY string {
+			only_once(loc->proxy_key, "proxy key");
+			ensure_absolute_path($2);
+			loc->proxy_key = tls_load_file($2, &loc->proxy_key_len, NULL);
+			if (loc->proxy_key == NULL)
+				yyerror("can't load key %s", $2);
+		}
+		| RELAY_TO string {
 			char		*at;
 			const char	*errstr;

--- a/proxy.c
+++ b/proxy.c
@ -292,9 +292,22 @@ proxy_init(struct client *c)
 		return -1;

 	/* TODO: tls_config_set_protocols here */
-	/* TODO: optionally load a client keypair here */
 	tls_config_insecure_noverifycert(conf);

+	if (c->l->proxy_cert != NULL) {
+		int r;
+
+		r = tls_config_set_cert_mem(conf, c->l->proxy_cert,
+		    c->l->proxy_cert_len);
+		if (r == -1)
+			goto err;
+
+		r = tls_config_set_key_mem(conf, c->l->proxy_key,
+		    c->l->proxy_key_len);
+		if (r == -1)
+			goto err;
+	}
+
 	if ((c->proxyctx = tls_client()) == NULL)
 		goto err;

--- a/server.c
+++ b/server.c
@ -636,6 +636,8 @@ apply_reverse_proxy(struct client *c)
 	if ((loc = vhost_reverse_proxy(c->host, c->iri.path)) == NULL)
 		return 0;

+	c->l = loc;
+
 	log_debug(c, "opening proxy connection for %s:%s",
 	    loc->proxy_host, loc->proxy_port);