Diffstat (limited to 'modules/caddyhttp/reverseproxy/httptransport.go')
-rw-r--r--modules/caddyhttp/reverseproxy/httptransport.go22
1 files changed, 22 insertions, 0 deletions
diff --git a/modules/caddyhttp/reverseproxy/httptransport.go b/modules/caddyhttp/reverseproxy/httptransport.go
index dd8ece251..895873b9d 100644
--- a/modules/caddyhttp/reverseproxy/httptransport.go
+++ b/modules/caddyhttp/reverseproxy/httptransport.go
@@ -19,6 +19,7 @@ import (
"crypto/tls"
"crypto/x509"
"encoding/base64"
+ "encoding/json"
"fmt"
weakrand "math/rand"
"net"
@@ -472,9 +473,14 @@ func (h HTTPTransport) Cleanup() error {
// TLSConfig holds configuration related to the TLS configuration for the
// transport/client.
type TLSConfig struct {
+ // Certificate authority module which provides the certificate pool of trusted certificates
+ CARaw json.RawMessage `json:"ca,omitempty" caddy:"namespace=tls.ca_pool.source inline_key=provider"`
+
+ // DEPRECATED: Use the `ca` field with the `tls.ca_pool.source.inline` module instead.
// Optional list of base64-encoded DER-encoded CA certificates to trust.
RootCAPool []string `json:"root_ca_pool,omitempty"`
+ // DEPRECATED: Use the `ca` field with the `tls.ca_pool.source.file` module instead.
// List of PEM-encoded CA certificate files to add to the same trust
// store as RootCAPool (or root_ca_pool in the JSON).
RootCAPEMFiles []string `json:"root_ca_pem_files,omitempty"`
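Review bot: The deprecation notes on the two legacy fields (`root_ca_pool`, `root_ca_pem_files`) use an all-caps `DEPRECATED:` prefix, which Go tooling does not recognise; the convention that gopls, staticcheck and the doc generator pick up is a paragraph starting with `// Deprecated:` on its own line. I would change each to `// Deprecated: use the ca field with the tls.ca_pool.source.inline module instead.` (and `...source.file` for the PEM-files field), keeping the existing description lines below it. It is also worth stating in the `CARaw` doc comment that it is mutually exclusive with the two legacy fields, since the hunk that enforces that lives elsewhere in the file and a reader of the struct cannot see it. The TLSConfig struct continues past the end of this hunk.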
@@ -576,6 +582,7 @@ func (t TLSConfig) MakeTLSClientConfig(ctx caddy.Context) (*tls.Config, error) {
// trusted root CAs
if len(t.RootCAPool) > 0 || len(t.RootCAPEMFiles) > 0 {
+ ctx.Logger().Warn("root_ca_pool and root_ca_pem_files are deprecated. Use one of the tls.ca_pool.source modules instead")
rootPool := x509.NewCertPool()
for _, encodedCACert := range t.RootCAPool {
caCert, err := decodeBase64DERCert(encodedCACert)
@@ -594,6 +601,21 @@ func (t TLSConfig) MakeTLSClientConfig(ctx caddy.Context) (*tls.Config, error) {
cfg.RootCAs = rootPool
}
+ if t.CARaw != nil {
+ if len(t.RootCAPool) > 0 || len(t.RootCAPEMFiles) > 0 {
+ return nil, fmt.Errorf("conflicting config for Root CA pool")
+ }
+ caRaw, err := ctx.LoadModule(t, "CARaw")
+ if err != nil {
+ return nil, fmt.Errorf("failed to load ca module: %v", err)
+ }
+ ca, ok := caRaw.(caddytls.CA)
+ if !ok {
+ return nil, fmt.Errorf("CA module '%s' is not a certificate pool provider", ca)
+ }
+ cfg.RootCAs = ca.CertPool()
+ }
+
// Renegotiation
switch t.Renegotiation {
case "never", "":
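Review bot: The error returned when the loaded module is not a `caddytls.CA` formats `ca`, which after a failed two-value type assertion is the zero value of that type (nil if `CA` is an interface), so the message would read something like `CA module '%!s(<nil>)'` and lose the only identifying information; it should format the value actually loaded, e.g. `return nil, fmt.Errorf("CA module %T is not a certificate pool provider", caRaw)`. Separately, `cfg.RootCAs = ca.CertPool()` is assigned without a nil check, and a nil `RootCAs` in `crypto/tls` means "trust the host's system roots" — if any pool source can return nil (I cannot tell from here), an operator who configured an explicit CA would silently get the system trust store instead of the pinned one, so a guard such as `if cfg.RootCAs == nil { return nil, fmt.Errorf("CA module %T returned no certificate pool", caRaw) }` right after the assignment would fail closed. The conflict check at the top of the new branch runs only after the legacy pool has already been built and assigned; moving it ahead of the `len(t.RootCAPool) > 0 || ...` block would avoid doing that work on a config that is about to be rejected. MakeTLSClientConfig continues past the end of this hunk.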