Commit a687e49b authored by Łukasz Nowak's avatar Łukasz Nowak

caddy-frontend: Verify proxy on request

As the feature ssl_proxy_ca_crt is not implemented yet, serve 501 Not Implemented
immediately instead of proxying the request.
parent 5468fe8e
...@@ -50,7 +50,7 @@ md5sum = f20d6c3d2d94fb685f8d26dfca1e822b ...@@ -50,7 +50,7 @@ md5sum = f20d6c3d2d94fb685f8d26dfca1e822b
[template-default-slave-virtualhost] [template-default-slave-virtualhost]
filename = templates/default-virtualhost.conf.in filename = templates/default-virtualhost.conf.in
md5sum = fa822e94cf39d94297604d8a499b4557 md5sum = 838652253957f1d9b89beeecacded7f9
[template-cached-slave-virtualhost] [template-cached-slave-virtualhost]
filename = templates/cached-virtualhost.conf.in filename = templates/cached-virtualhost.conf.in
...@@ -19,6 +19,9 @@ ...@@ -19,6 +19,9 @@
{{ https_host_list|join(', ') }} { {{ https_host_list|join(', ') }} {
bind {{ local_ipv4 }} bind {{ local_ipv4 }}
# TODO-Caddy bind {{ local_ipv6 }} # TODO-Caddy bind {{ local_ipv6 }}
{%- if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter %}
status 501 /
{%- endif %}
tls {{ slave_parameter.get('path_to_ssl_crt', slave_parameter.get('login_certificate')) }} {{ slave_parameter.get('path_to_ssl_key', slave_parameter.get('login_key')) }} { tls {{ slave_parameter.get('path_to_ssl_crt', slave_parameter.get('login_certificate')) }} {{ slave_parameter.get('path_to_ssl_key', slave_parameter.get('login_key')) }} {
{%- if slave_parameter.get('path_to_ssl_ca_crt') %} {%- if slave_parameter.get('path_to_ssl_ca_crt') %}
clients {{ slave_parameter.get('path_to_ssl_ca_crt') }} clients {{ slave_parameter.get('path_to_ssl_ca_crt') }}
...@@ -30,14 +33,6 @@ ...@@ -30,14 +33,6 @@
log / {{ slave_parameter.get('access_log') }} {combined} log / {{ slave_parameter.get('access_log') }} {combined}
errors {{ slave_parameter.get('error_log') }} errors {{ slave_parameter.get('error_log') }}
{% if ssl_proxy_verify -%}
{% if 'ssl_proxy_ca_crt' in slave_parameter -%}
# TODO-Caddy SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
{% endif %}
# TODO-Caddy SSLProxyVerify require
# TODO-Caddy #SSLProxyCheckPeerCN on
# TODO-Caddy SSLProxyCheckPeerExpire on
{% endif %}
# TODO-Caddy SSLProtocol all -SSLv2 -SSLv3 # TODO-Caddy SSLProtocol all -SSLv2 -SSLv3
# TODO-Caddy SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5 # TODO-Caddy SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
# TODO-Caddy SSLHonorCipherOrder on # TODO-Caddy SSLHonorCipherOrder on
...@@ -67,6 +62,14 @@ ...@@ -67,6 +62,14 @@
proxy / {{ backend_url }} { proxy / {{ backend_url }} {
transparent transparent
timeout 600s timeout 600s
{%- if ssl_proxy_verify %}
{%- if 'ssl_proxy_ca_crt' in slave_parameter %}
# TODO-Caddy SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
# Requires https://github.com/mholt/caddy/issues/1550 or "just adding your CA to the system's trust store"
{%- endif %}
{%- else %}
insecure_skip_verify
{%- endif %}
} }
{% if 'default-path' in slave_parameter %} {% if 'default-path' in slave_parameter %}
redir 301 { redir 301 {
...@@ -94,7 +97,12 @@ ...@@ -94,7 +97,12 @@
proxy / {{ backend_url }} { proxy / {{ backend_url }} {
transparent transparent
timeout 600s timeout 600s
{%- if not ssl_proxy_verify %} {%- if ssl_proxy_verify %}
{%- if 'ssl_proxy_ca_crt' in slave_parameter %}
# TODO-Caddy SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
# Requires https://github.com/mholt/caddy/issues/1550 or "just adding your CA to the system's trust store"
{%- endif %}
{%- else %}
insecure_skip_verify insecure_skip_verify
{%- endif %} {%- endif %}
} }
...@@ -105,19 +113,13 @@ ...@@ -105,19 +113,13 @@
{{ http_host_list|join(', ') }} { {{ http_host_list|join(', ') }} {
bind {{ local_ipv4 }} bind {{ local_ipv4 }}
# TODO-Caddy bind {{ local_ipv6 }} # TODO-Caddy bind {{ local_ipv6 }}
{%- if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter %}
status 501 /
{%- endif %}
log / {{ slave_parameter.get('access_log') }} {combined} log / {{ slave_parameter.get('access_log') }} {combined}
errors {{ slave_parameter.get('error_log') }} errors {{ slave_parameter.get('error_log') }}
{% if ssl_proxy_verify -%}
{% if 'ssl_proxy_ca_crt' in slave_parameter -%}
# TODO-Caddy SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
{% endif %}
# TODO-Caddy SSLProxyVerify require
# TODO-Caddy #SSLProxyCheckPeerCN on
# TODO-Caddy SSLProxyCheckPeerExpire on
{% endif %}
{% if disable_via_header %} {% if disable_via_header %}
# TODO-Caddy Header unset Via # TODO-Caddy Header unset Via
{% endif -%} {% endif -%}
...@@ -155,6 +157,14 @@ ...@@ -155,6 +157,14 @@
proxy / {{ backend_url }} { proxy / {{ backend_url }} {
transparent transparent
timeout 600s timeout 600s
{%- if ssl_proxy_verify %}
{%- if 'ssl_proxy_ca_crt' in slave_parameter %}
# TODO-Caddy SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
# Requires https://github.com/mholt/caddy/issues/1550 or "just adding your CA to the system's trust store"
{%- endif %}
{%- else %}
insecure_skip_verify
{%- endif %}
} }
{% if 'default-path' in slave_parameter %} {% if 'default-path' in slave_parameter %}
redir 301 { redir 301 {
...@@ -177,7 +187,12 @@ ...@@ -177,7 +187,12 @@
proxy / {{ slave_parameter.get('url', '') }} { proxy / {{ slave_parameter.get('url', '') }} {
transparent transparent
timeout 600s timeout 600s
{%- if not ssl_proxy_verify %} {%- if ssl_proxy_verify %}
{%- if 'ssl_proxy_ca_crt' in slave_parameter %}
# TODO-Caddy SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
# Requires https://github.com/mholt/caddy/issues/1550 or "just adding your CA to the system's trust store"
{%- endif %}
{%- else %}
insecure_skip_verify insecure_skip_verify
{%- endif %} {%- endif %}
} }
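Review bot: The `insecure_skip_verify` added to the `proxy / {{ backend_url }}` block in the `@@ -67,6 +62,14 @@` hunk (and likewise in `@@ -155,6 +157,14 @@`) is new behaviour for those blocks: the context lines show they previously contained only `transparent` and `timeout 600s` and so relied on Caddy's default upstream certificate validation, whereas the second and fourth proxy blocks already had `{%- if not ssl_proxy_verify %} insecure_skip_verify` and are only being restructured. After this commit every proxy block disables upstream certificate validation whenever `ssl_proxy_verify` is falsy, which, if verification is opt-in as the `not ssl_proxy_verify` branches suggest, silently weakens the first and third blocks; the commit message only mentions the 501 path, so either state that this alignment is intended or leave the skip directive out of the blocks that did not have it. Whichever is chosen, the rendered Caddyfile should say why validation is off, e.g. emit `# upstream certificate validation disabled: slave did not request ssl-proxy-verify` immediately above `insecure_skip_verify`. The `status 501 /` lines in the host blocks presumably rely on Caddy 0.x evaluating `status` ahead of `proxy` in its fixed directive order; a template comment such as `# ssl_proxy_ca_crt is not supported yet: refuse the request rather than proxy with an unverified CA` would make both the intent and that ordering dependency visible to whoever finishes the TODO.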