2019-03-14 11:30:04 +03:00
package tls
import (
2019-09-13 20:28:04 +03:00
"context"
2019-03-14 11:30:04 +03:00
"crypto/tls"
"crypto/x509"
2019-07-12 18:50:04 +03:00
"errors"
2019-03-14 11:30:04 +03:00
"fmt"
"sync"
2019-08-03 04:58:23 +03:00
"github.com/containous/traefik/v2/pkg/log"
"github.com/containous/traefik/v2/pkg/tls/generate"
"github.com/containous/traefik/v2/pkg/types"
"github.com/go-acme/lego/v3/challenge/tlsalpn01"
2019-03-14 11:30:04 +03:00
"github.com/sirupsen/logrus"
)
2019-11-14 18:40:05 +03:00
// DefaultTLSOptions the default TLS options.
var DefaultTLSOptions = Options { }
2020-05-11 13:06:07 +03:00
// Manager is the TLS option/store/configuration factory.
2019-03-14 11:30:04 +03:00
type Manager struct {
storesConfig map [ string ] Store
stores map [ string ] * CertificateStore
2019-06-28 00:58:03 +03:00
configs map [ string ] Options
certs [ ] * CertAndStores
2019-03-14 11:30:04 +03:00
TLSAlpnGetter func ( string ) ( * tls . Certificate , error )
lock sync . RWMutex
}
2020-05-11 13:06:07 +03:00
// NewManager creates a new Manager.
2019-03-14 11:30:04 +03:00
func NewManager ( ) * Manager {
2019-11-14 18:40:05 +03:00
return & Manager {
stores : map [ string ] * CertificateStore { } ,
configs : map [ string ] Options {
"default" : DefaultTLSOptions ,
} ,
}
2019-03-14 11:30:04 +03:00
}
2020-05-11 13:06:07 +03:00
// UpdateConfigs updates the TLS* configuration options.
2019-09-13 20:28:04 +03:00
func ( m * Manager ) UpdateConfigs ( ctx context . Context , stores map [ string ] Store , configs map [ string ] Options , certs [ ] * CertAndStores ) {
2019-03-14 11:30:04 +03:00
m . lock . Lock ( )
defer m . lock . Unlock ( )
m . configs = configs
m . storesConfig = stores
m . certs = certs
m . stores = make ( map [ string ] * CertificateStore )
for storeName , storeConfig := range m . storesConfig {
2019-09-13 20:28:04 +03:00
ctxStore := log . With ( ctx , log . Str ( log . TLSStoreName , storeName ) )
store , err := buildCertificateStore ( ctxStore , storeConfig )
2019-03-14 11:30:04 +03:00
if err != nil {
2019-09-13 20:28:04 +03:00
log . FromContext ( ctxStore ) . Errorf ( "Error while creating certificate store: %v" , err )
2019-06-21 17:32:04 +03:00
continue
2019-03-14 11:30:04 +03:00
}
2019-06-21 17:32:04 +03:00
m . stores [ storeName ] = store
2019-03-14 11:30:04 +03:00
}
storesCertificates := make ( map [ string ] map [ string ] * tls . Certificate )
for _ , conf := range certs {
if len ( conf . Stores ) == 0 {
if log . GetLevel ( ) >= logrus . DebugLevel {
2019-09-13 20:28:04 +03:00
log . FromContext ( ctx ) . Debugf ( "No store is defined to add the certificate %s, it will be added to the default store." ,
2019-03-14 11:30:04 +03:00
conf . Certificate . GetTruncatedCertificateName ( ) )
}
conf . Stores = [ ] string { "default" }
}
for _ , store := range conf . Stores {
2019-09-13 20:28:04 +03:00
ctxStore := log . With ( ctx , log . Str ( log . TLSStoreName , store ) )
2019-04-15 13:32:03 +03:00
if err := conf . Certificate . AppendCertificate ( storesCertificates , store ) ; err != nil {
2019-09-13 20:28:04 +03:00
log . FromContext ( ctxStore ) . Errorf ( "Unable to append certificate %s to store: %v" , conf . Certificate . GetTruncatedCertificateName ( ) , err )
2019-03-14 11:30:04 +03:00
}
}
}
for storeName , certs := range storesCertificates {
m . getStore ( storeName ) . DynamicCerts . Set ( certs )
}
}
2020-05-11 13:06:07 +03:00
// Get gets the TLS configuration to use for a given store / configuration.
2019-06-17 19:14:08 +03:00
func ( m * Manager ) Get ( storeName string , configName string ) ( * tls . Config , error ) {
2019-03-14 11:30:04 +03:00
m . lock . RLock ( )
defer m . lock . RUnlock ( )
2019-07-19 12:52:04 +03:00
var tlsConfig * tls . Config
var err error
2019-06-17 19:14:08 +03:00
config , ok := m . configs [ configName ]
2019-06-21 18:18:05 +03:00
if ! ok {
2019-07-19 12:52:04 +03:00
err = fmt . Errorf ( "unknown TLS options: %s" , configName )
tlsConfig = & tls . Config { }
2019-06-17 19:14:08 +03:00
}
2019-03-14 11:30:04 +03:00
store := m . getStore ( storeName )
2019-07-19 12:52:04 +03:00
if err == nil {
tlsConfig , err = buildTLSConfig ( config )
if err != nil {
tlsConfig = & tls . Config { }
}
2019-03-14 11:30:04 +03:00
}
tlsConfig . GetCertificate = func ( clientHello * tls . ClientHelloInfo ) ( * tls . Certificate , error ) {
domainToCheck := types . CanonicalDomain ( clientHello . ServerName )
if m . TLSAlpnGetter != nil {
cert , err := m . TLSAlpnGetter ( domainToCheck )
if err != nil {
return nil , err
}
if cert != nil {
return cert , nil
}
}
bestCertificate := store . GetBestCertificate ( clientHello )
if bestCertificate != nil {
return bestCertificate , nil
}
if m . configs [ configName ] . SniStrict {
return nil , fmt . Errorf ( "strict SNI enabled - No certificate found for domain: %q, closing connection" , domainToCheck )
}
log . WithoutContext ( ) . Debugf ( "Serving default certificate for request: %q" , domainToCheck )
return store . DefaultCertificate , nil
}
2019-07-19 12:52:04 +03:00
return tlsConfig , err
2019-03-14 11:30:04 +03:00
}
func ( m * Manager ) getStore ( storeName string ) * CertificateStore {
_ , ok := m . stores [ storeName ]
if ! ok {
2019-09-13 20:28:04 +03:00
m . stores [ storeName ] , _ = buildCertificateStore ( context . Background ( ) , Store { } )
2019-03-14 11:30:04 +03:00
}
return m . stores [ storeName ]
}
2020-05-11 13:06:07 +03:00
// GetStore gets the certificate store of a given name.
2019-03-14 11:30:04 +03:00
func ( m * Manager ) GetStore ( storeName string ) * CertificateStore {
m . lock . RLock ( )
defer m . lock . RUnlock ( )
return m . getStore ( storeName )
}
2019-09-13 20:28:04 +03:00
func buildCertificateStore ( ctx context . Context , tlsStore Store ) ( * CertificateStore , error ) {
2019-03-14 11:30:04 +03:00
certificateStore := NewCertificateStore ( )
certificateStore . DynamicCerts . Set ( make ( map [ string ] * tls . Certificate ) )
if tlsStore . DefaultCertificate != nil {
cert , err := buildDefaultCertificate ( tlsStore . DefaultCertificate )
if err != nil {
2019-06-21 17:32:04 +03:00
return certificateStore , err
2019-03-14 11:30:04 +03:00
}
certificateStore . DefaultCertificate = cert
} else {
2019-09-13 20:28:04 +03:00
log . FromContext ( ctx ) . Debug ( "No default certificate, generating one" )
2019-03-14 11:30:04 +03:00
cert , err := generate . DefaultCertificate ( )
if err != nil {
2019-06-21 17:32:04 +03:00
return certificateStore , err
2019-03-14 11:30:04 +03:00
}
certificateStore . DefaultCertificate = cert
}
return certificateStore , nil
}
2020-05-11 13:06:07 +03:00
// creates a TLS config that allows terminating HTTPS for multiple domains using SNI.
2019-06-28 00:58:03 +03:00
func buildTLSConfig ( tlsOption Options ) ( * tls . Config , error ) {
2019-03-14 11:30:04 +03:00
conf := & tls . Config { }
// ensure http2 enabled
conf . NextProtos = [ ] string { "h2" , "http/1.1" , tlsalpn01 . ACMETLS1Protocol }
2019-07-12 18:50:04 +03:00
if len ( tlsOption . ClientAuth . CAFiles ) > 0 {
2019-03-14 11:30:04 +03:00
pool := x509 . NewCertPool ( )
2019-07-12 18:50:04 +03:00
for _ , caFile := range tlsOption . ClientAuth . CAFiles {
2019-03-14 11:30:04 +03:00
data , err := caFile . Read ( )
if err != nil {
return nil , err
}
ok := pool . AppendCertsFromPEM ( data )
if ! ok {
2019-07-12 18:50:04 +03:00
if caFile . IsPath ( ) {
return nil , fmt . Errorf ( "invalid certificate(s) in %s" , caFile )
}
return nil , errors . New ( "invalid certificate(s) content" )
2019-03-14 11:30:04 +03:00
}
}
conf . ClientCAs = pool
2019-07-12 18:50:04 +03:00
conf . ClientAuth = tls . RequireAndVerifyClientCert
}
clientAuthType := tlsOption . ClientAuth . ClientAuthType
if len ( clientAuthType ) > 0 {
if conf . ClientCAs == nil && ( clientAuthType == "VerifyClientCertIfGiven" ||
clientAuthType == "RequireAndVerifyClientCert" ) {
return nil , fmt . Errorf ( "invalid clientAuthType: %s, CAFiles is required" , clientAuthType )
}
switch clientAuthType {
case "NoClientCert" :
conf . ClientAuth = tls . NoClientCert
case "RequestClientCert" :
conf . ClientAuth = tls . RequestClientCert
case "RequireAnyClientCert" :
conf . ClientAuth = tls . RequireAnyClientCert
case "VerifyClientCertIfGiven" :
2019-03-14 11:30:04 +03:00
conf . ClientAuth = tls . VerifyClientCertIfGiven
2019-07-12 18:50:04 +03:00
case "RequireAndVerifyClientCert" :
2019-03-14 11:30:04 +03:00
conf . ClientAuth = tls . RequireAndVerifyClientCert
2019-07-12 18:50:04 +03:00
default :
return nil , fmt . Errorf ( "unknown client auth type %q" , clientAuthType )
2019-03-14 11:30:04 +03:00
}
}
2020-02-12 20:06:04 +03:00
// Set PreferServerCipherSuites.
conf . PreferServerCipherSuites = tlsOption . PreferServerCipherSuites
2019-11-03 17:54:04 +03:00
// Set the minimum TLS version if set in the config
2019-03-14 11:30:04 +03:00
if minConst , exists := MinVersion [ tlsOption . MinVersion ] ; exists {
conf . PreferServerCipherSuites = true
conf . MinVersion = minConst
}
2019-10-29 14:58:05 +03:00
// Set the maximum TLS version if set in the config TOML
if maxConst , exists := MaxVersion [ tlsOption . MaxVersion ] ; exists {
conf . PreferServerCipherSuites = true
conf . MaxVersion = maxConst
}
2019-11-03 17:54:04 +03:00
// Set the list of CipherSuites if set in the config
2019-03-14 11:30:04 +03:00
if tlsOption . CipherSuites != nil {
// if our list of CipherSuites is defined in the entryPoint config, we can re-initialize the suites list as empty
conf . CipherSuites = make ( [ ] uint16 , 0 )
for _ , cipher := range tlsOption . CipherSuites {
if cipherConst , exists := CipherSuites [ cipher ] ; exists {
conf . CipherSuites = append ( conf . CipherSuites , cipherConst )
} else {
// CipherSuite listed in the toml does not exist in our listed
return nil , fmt . Errorf ( "invalid CipherSuite: %s" , cipher )
}
}
}
2019-11-03 17:54:04 +03:00
// Set the list of CurvePreferences/CurveIDs if set in the config
if tlsOption . CurvePreferences != nil {
conf . CurvePreferences = make ( [ ] tls . CurveID , 0 )
// if our list of CurvePreferences/CurveIDs is defined in the config, we can re-initialize the list as empty
for _ , curve := range tlsOption . CurvePreferences {
if curveID , exists := CurveIDs [ curve ] ; exists {
conf . CurvePreferences = append ( conf . CurvePreferences , curveID )
} else {
// CurveID listed in the toml does not exist in our listed
return nil , fmt . Errorf ( "invalid CurveID in curvePreferences: %s" , curve )
}
}
}
2019-03-14 11:30:04 +03:00
return conf , nil
}
func buildDefaultCertificate ( defaultCertificate * Certificate ) ( * tls . Certificate , error ) {
certFile , err := defaultCertificate . CertFile . Read ( )
if err != nil {
2020-05-11 13:06:07 +03:00
return nil , fmt . Errorf ( "failed to get cert file content: %w" , err )
2019-03-14 11:30:04 +03:00
}
keyFile , err := defaultCertificate . KeyFile . Read ( )
if err != nil {
2020-05-11 13:06:07 +03:00
return nil , fmt . Errorf ( "failed to get key file content: %w" , err )
2019-03-14 11:30:04 +03:00
}
cert , err := tls . X509KeyPair ( certFile , keyFile )
if err != nil {
2020-05-11 13:06:07 +03:00
return nil , fmt . Errorf ( "failed to load X509 key pair: %w" , err )
2019-03-14 11:30:04 +03:00
}
return & cert , nil
}