author | Bas Westerbaan <[email protected]> | 2024-01-13 21:56:23 +0100 |
---|---|---|
committer | GitHub <[email protected]> | 2024-01-13 20:56:23 +0000 |
commit | f658fd05ace8f01727bc733e46657d2f6218db87 (patch) | |
tree | e036bf7bac64d0cfad8d8745a83e1f90541024d1 | |
parent | cc0c0cf03e3ebdd1377aaa0b8ad6c0b39e880955 (diff) | |
reverseproxy: Add `tls_curves` option to HTTP transport (#5851)
-rw-r--r-- | modules/caddyhttp/reverseproxy/caddyfile.go | 10 | ||||
-rw-r--r-- | modules/caddyhttp/reverseproxy/httptransport.go | 13 |
2 files changed, 23 insertions, 0 deletions
diff --git a/modules/caddyhttp/reverseproxy/caddyfile.go b/modules/caddyhttp/reverseproxy/caddyfile.go
index bcbe74419..4e01c7a1b 100644
--- a/modules/caddyhttp/reverseproxy/caddyfile.go
+++ b/modules/caddyhttp/reverseproxy/caddyfile.go
@@ -1072,6 +1072,16 @@ func (h *HTTPTransport) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 			}
 			h.TLS.InsecureSkipVerify = true
 
+		case "tls_curves":
+			args := d.RemainingArgs()
+			if len(args) == 0 {
+				return d.ArgErr()
+			}
+			if h.TLS == nil {
+				h.TLS = new(TLSConfig)
+			}
+			h.TLS.Curves = args
+
 		case "tls_timeout":
 			if !d.NextArg() {
 				return d.ArgErr()
diff --git a/modules/caddyhttp/reverseproxy/httptransport.go b/modules/caddyhttp/reverseproxy/httptransport.go
index 187bccc66..5993b7b11 100644
--- a/modules/caddyhttp/reverseproxy/httptransport.go
+++ b/modules/caddyhttp/reverseproxy/httptransport.go
@@ -491,6 +491,10 @@ type TLSConfig struct {
 	// When specified, TLS will automatically be configured on the transport.
 	// The value can be a list of any valid tcp port numbers, default empty.
 	ExceptPorts []string `json:"except_ports,omitempty"`
+
+	// The list of elliptic curves to support. Caddy's
+	// defaults are modern and secure.
+	Curves []string `json:"curves,omitempty"`
 }
 
 // MakeTLSClientConfig returns a tls.Config usable by a client to a backend.
@@ -579,6 +583,15 @@ func (t TLSConfig) MakeTLSClientConfig(ctx caddy.Context) (*tls.Config, error) {
 	// throw all security out the window
 	cfg.InsecureSkipVerify = t.InsecureSkipVerify
 
+	curvesAdded := make(map[tls.CurveID]struct{})
+	for _, curveName := range t.Curves {
+		curveID := caddytls.SupportedCurves[curveName]
+		if _, ok := curvesAdded[curveID]; !ok {
+			curvesAdded[curveID] = struct{}{}
+			cfg.CurvePreferences = append(cfg.CurvePreferences, curveID)
+		}
+	}
+
 	// only return a config if it's not empty
 	if reflect.DeepEqual(cfg, new(tls.Config)) {
 		return nil, nil
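Review bot: The new doc comment on `Curves` is misleading for this transport: "Caddy's defaults are modern and secure" reads as if Caddy picks a curve list when the field is empty, but `MakeTLSClientConfig` only appends to `cfg.CurvePreferences` for names in `t.Curves`, so an empty list leaves `CurvePreferences` nil and the client uses Go's crypto/tls defaults. The comment also does not say which names are accepted, even though the lookup is against `caddytls.SupportedCurves`. I would replace the two comment lines with `// The list of elliptic curves to support, in order of preference.`, `// Names must be keys of caddytls.SupportedCurves. When empty, the Go`, `// crypto/tls defaults are used.`. The `TLSConfig` struct definition starts before this hunk.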
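Review bot: An unrecognized curve name is silently accepted in `MakeTLSClientConfig`: `curveID := caddytls.SupportedCurves[curveName]` discards the map's `ok` result, so a typo yields the zero `tls.CurveID`, which is then appended to `cfg.CurvePreferences`, and the dedup map collapses any further typos into that same bogus entry. As far as I can tell that turns a configuration mistake into a handshake-time failure or an advertised unknown group on every backend connection, surfacing far from the config that caused it, whereas the Caddyfile side (`tls_curves`) does no validation either. Change the lookup to `curveID, ok := caddytls.SupportedCurves[curveName]` and add `if !ok { return nil, fmt.Errorf("unsupported curve: %s", curveName) }` before the dedup check; this assumes `fmt` is already imported in httptransport.go, which the hunk does not show. The function `MakeTLSClientConfig` begins before this hunk.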