caddy-frontend: Verify proxy on request

As the the feature ssl_proxy_ca_crt is not implemented serve immediately 501 Not Implemented.

caddy-frontend: Verify proxy on request
As the the feature ssl_proxy_ca_crt is not implemented serve immediately 501 Not Implemented.
a687e49b · Łukasz Nowak · 5468fe8e · a687e49b · a687e49b
Commit a687e49b authored May 14, 2018 by Łukasz Nowak
Showing with 37 additions and 22 deletions

software/caddy-frontend/buildout.hash.cfg software/caddy-frontend/buildout.hash.cfg +1 -1

software/caddy-frontend/templates/default-virtualhost.conf.in ...ware/caddy-frontend/templates/default-virtualhost.conf.in +36 -21

No files found.
--- a/software/caddy-frontend/buildout.hash.cfg
+++ b/software/caddy-frontend/buildout.hash.cfg
@@ -50,7 +50,7 @@ md5sum = f20d6c3d2d94fb685f8d26dfca1e822b
 [template-default-slave-virtualhost]
 filename = templates/default-virtualhost.conf.in
-md5sum = fa822e94cf39d94297604d8a499b4557
+md5sum = 838652253957f1d9b89beeecacded7f9
 [template-cached-slave-virtualhost]
 filename = templates/cached-virtualhost.conf.in

--- a/software/caddy-frontend/templates/default-virtualhost.conf.in
+++ b/software/caddy-frontend/templates/default-virtualhost.conf.in
@@ -19,6 +19,9 @@
 {{ https_host_list|join(', ') }} {
  bind {{ local_ipv4 }}
 # TODO-Caddy  bind {{ local_ipv6 }}
+{%- if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter %}
+    status 501 /
+{%- endif %}
  tls {{ slave_parameter.get('path_to_ssl_crt', slave_parameter.get('login_certificate')) }} {{ slave_parameter.get('path_to_ssl_key', slave_parameter.get('login_key')) }} {
 {%- if slave_parameter.get('path_to_ssl_ca_crt') %}
    clients {{ slave_parameter.get('path_to_ssl_ca_crt') }}
@@ -30,14 +33,6 @@
  log / {{ slave_parameter.get('access_log') }} {combined}
  errors {{ slave_parameter.get('error_log') }}
-{% if ssl_proxy_verify -%}
-{%   if 'ssl_proxy_ca_crt' in slave_parameter -%}
-# TODO-Caddy   SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
-{%   endif %}
-# TODO-Caddy   SSLProxyVerify require
-# TODO-Caddy   #SSLProxyCheckPeerCN on
-# TODO-Caddy   SSLProxyCheckPeerExpire on
-{% endif %}
 # TODO-Caddy   SSLProtocol all -SSLv2 -SSLv3
 # TODO-Caddy   SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
 # TODO-Caddy   SSLHonorCipherOrder on
@@ -67,6 +62,14 @@
  proxy / {{ backend_url }} {
    transparent
    timeout 600s
+{%- if ssl_proxy_verify %}
+{%-   if 'ssl_proxy_ca_crt' in slave_parameter %}
+# TODO-Caddy   SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
+#              Requires https://github.com/mholt/caddy/issues/1550 or "just adding your CA to the system's trust store"
+{%-   endif %}
+{%- else %}
+    insecure_skip_verify
+{%- endif %}
  }
  {% if 'default-path' in slave_parameter %}
  redir 301 {
@@ -94,9 +97,14 @@
  proxy / {{ backend_url }} {
    transparent
    timeout 600s
-{%- if not ssl_proxy_verify %}
+{%- if ssl_proxy_verify %}
-    insecure_skip_verify
+{%-   if 'ssl_proxy_ca_crt' in slave_parameter %}
+# TODO-Caddy   SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
+#              Requires https://github.com/mholt/caddy/issues/1550 or "just adding your CA to the system's trust store"
 {%-   endif %}
+{%- else %}
+    insecure_skip_verify
+{%- endif %}
  }
  {%-   endif %}
 {% endif -%}
@@ -105,19 +113,13 @@
 {{ http_host_list|join(', ') }} {
  bind {{ local_ipv4 }}
 # TODO-Caddy  bind {{ local_ipv6 }}
+{%- if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter %}
+    status 501 /
+{%- endif %}
  log / {{ slave_parameter.get('access_log') }} {combined}
  errors {{ slave_parameter.get('error_log') }}
-{% if ssl_proxy_verify -%}
-{%   if 'ssl_proxy_ca_crt' in slave_parameter -%}
-# TODO-Caddy   SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
-{%   endif %}
-# TODO-Caddy   SSLProxyVerify require
-# TODO-Caddy   #SSLProxyCheckPeerCN on
-# TODO-Caddy   SSLProxyCheckPeerExpire on
-{% endif %}
 {% if disable_via_header %}
 # TODO-Caddy   Header unset Via
 {% endif -%}
@@ -155,6 +157,14 @@
  proxy / {{ backend_url }} {
    transparent
    timeout 600s
+{%- if ssl_proxy_verify %}
+{%-   if 'ssl_proxy_ca_crt' in slave_parameter %}
+# TODO-Caddy   SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
+#              Requires https://github.com/mholt/caddy/issues/1550 or "just adding your CA to the system's trust store"
+{%-   endif %}
+{%- else %}
+    insecure_skip_verify
+{%- endif %}
  }
  {% if 'default-path' in slave_parameter %}
  redir 301 {
@@ -177,9 +187,14 @@
  proxy / {{ slave_parameter.get('url', '') }} {
    transparent
    timeout 600s
-{%- if not ssl_proxy_verify %}
+{%- if ssl_proxy_verify %}
-    insecure_skip_verify
+{%-   if 'ssl_proxy_ca_crt' in slave_parameter %}
+# TODO-Caddy   SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
+#              Requires https://github.com/mholt/caddy/issues/1550 or "just adding your CA to the system's trust store"
 {%-   endif %}
+{%- else %}
+    insecure_skip_verify
+{%- endif %}
  }
 {% endif -%}
 {% endif -%}