cmd/stdiscosrv: Support deploying behind Caddyserver (#8092)
This commit is contained in:
Kebin Liu
GitHub
parent
c00c6b3957
commit
083fa1803a
|
|
@ -10,8 +10,10 @@ import (
|
|||
"bytes"
|
||||
"context"
|
||||
"crypto/tls"
|
||||
"encoding/base64"
|
||||
"encoding/json"
|
||||
"encoding/pem"
|
||||
"errors"
|
||||
"fmt"
|
||||
"log"
|
||||
"math/rand"
|
||||
|
|
@ -229,10 +231,10 @@ func (s *apiSrv) handleGET(ctx context.Context, w http.ResponseWriter, req *http
|
|||
func (s *apiSrv) handlePOST(ctx context.Context, remoteAddr *net.TCPAddr, w http.ResponseWriter, req *http.Request) {
|
||||
reqID := ctx.Value(idKey).(requestID)
|
||||
|
||||
rawCert := certificateBytes(req)
|
||||
if rawCert == nil {
|
||||
rawCert, err := certificateBytes(req)
|
||||
if err != nil {
|
||||
if debug {
|
||||
log.Println(reqID, "no certificates")
|
||||
log.Println(reqID, "no certificates:", err)
|
||||
}
|
||||
announceRequestsTotal.WithLabelValues("no_certificate").Inc()
|
||||
w.Header().Set("Retry-After", errorRetryAfterString())
|
||||
|
|
@ -304,9 +306,9 @@ func handlePing(w http.ResponseWriter, r *http.Request) {
|
|||
w.WriteHeader(204)
|
||||
}
|
||||
|
||||
func certificateBytes(req *http.Request) []byte {
|
||||
func certificateBytes(req *http.Request) ([]byte, error) {
|
||||
if req.TLS != nil && len(req.TLS.PeerCertificates) > 0 {
|
||||
return req.TLS.PeerCertificates[0].Raw
|
||||
return req.TLS.PeerCertificates[0].Raw, nil
|
||||
}
|
||||
|
||||
var bs []byte
|
||||
|
|
@ -319,7 +321,7 @@ func certificateBytes(req *http.Request) []byte {
|
|||
hdr, err := url.QueryUnescape(hdr)
|
||||
if err != nil {
|
||||
// Decoding failed
|
||||
return nil
|
||||
return nil, err
|
||||
}
|
||||
|
||||
bs = []byte(hdr)
|
||||
|
|
@ -338,6 +340,15 @@ func certificateBytes(req *http.Request) []byte {
|
|||
}
|
||||
}
|
||||
}
|
||||
} else if hdr := req.Header.Get("X-Tls-Client-Cert-Der-Base64"); hdr != "" {
|
||||
// Caddy {tls_client_certificate_der_base64}
|
||||
hdr, err := base64.StdEncoding.DecodeString(hdr)
|
||||
if err != nil {
|
||||
// Decoding failed
|
||||
return nil, err
|
||||
}
|
||||
|
||||
bs = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: hdr})
|
||||
} else if hdr := req.Header.Get("X-Forwarded-Tls-Client-Cert"); hdr != "" {
|
||||
// Traefik 2 passtlsclientcert
|
||||
// The certificate is in PEM format with url encoding but without newlines
|
||||
|
|
@ -346,7 +357,7 @@ func certificateBytes(req *http.Request) []byte {
|
|||
hdr, err := url.QueryUnescape(hdr)
|
||||
if err != nil {
|
||||
// Decoding failed
|
||||
return nil
|
||||
return nil, err
|
||||
}
|
||||
|
||||
for i := 64; i < len(hdr); i += 65 {
|
||||
|
|
@ -359,16 +370,16 @@ func certificateBytes(req *http.Request) []byte {
|
|||
}
|
||||
|
||||
if bs == nil {
|
||||
return nil
|
||||
return nil, errors.New("empty certificate header")
|
||||
}
|
||||
|
||||
block, _ := pem.Decode(bs)
|
||||
if block == nil {
|
||||
// Decoding failed
|
||||
return nil
|
||||
return nil, errors.New("certificate decode result is empty")
|
||||
}
|
||||
|
||||
return block.Bytes
|
||||
return block.Bytes, nil
|
||||
}
|
||||
|
||||
// fixupAddresses checks the list of addresses, removing invalid ones and
|
||||
|
|
|
|||
Loading…
Reference in New Issue