From 200872b3b4df3ad018e82a6525feb89716ca0dc9 Mon Sep 17 00:00:00 2001
From: Willy Kloucek
Date: Wed, 2 Dec 2020 14:59:44 +0100
Subject: [PATCH 1/3] make insecure upstream servers configurable
---
 changelog/unreleased/proxy-allow-insecure-upstreams.md | 8 ++++++++
 proxy/pkg/config/config.go | 1 +
 proxy/pkg/flagset/flagset.go | 7 +++++++
 proxy/pkg/proxy/proxy.go | 7 +++++++
 4 files changed, 23 insertions(+)
 create mode 100644 changelog/unreleased/proxy-allow-insecure-upstreams.md
diff --git a/changelog/unreleased/proxy-allow-insecure-upstreams.md b/changelog/unreleased/proxy-allow-insecure-upstreams.md
new file mode 100644
index 000000000..ed098e39d
--- /dev/null
+++ b/changelog/unreleased/proxy-allow-insecure-upstreams.md
@@ -0,0 +1,8 @@
+Change: Proxy allow insecure upstreams
+
+Tags: proxy
+
+We can now configure the proxy if insecure upstream servers are allowed.
+This was added since you need to disable certificate checks fore some situations like testing.
+
+https://github.com/owncloud/ocis/pull/1007
diff --git a/proxy/pkg/config/config.go b/proxy/pkg/config/config.go
index 388d81914..09d86626f 100644
--- a/proxy/pkg/config/config.go
+++ b/proxy/pkg/config/config.go
@@ -106,6 +106,7 @@ type Config struct {
 PreSignedURL PreSignedURL
 AutoprovisionAccounts bool
 EnableBasicAuth bool
+ Insecure bool
 }
 // OIDC is the config for the OpenID-Connect middleware. If set the proxy will try to authenticate every request
diff --git a/proxy/pkg/flagset/flagset.go b/proxy/pkg/flagset/flagset.go
index 3a1371a40..91a313570 100644
--- a/proxy/pkg/flagset/flagset.go
+++ b/proxy/pkg/flagset/flagset.go
@@ -185,6 +185,13 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 EnvVars: []string{"PROXY_REVA_GATEWAY_ADDR"},
 Destination: &cfg.Reva.Address,
 },
+ &cli.BoolFlag{
+ Name: "insecure",
+ Value: false,
+ Usage: "allow insecure communication to upstream servers",
+ EnvVars: []string{"PROXY_INSECURE"},
+ Destination: &cfg.Insecure,
+ },
 // OIDC
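Review bot: The Usage string on the new `insecure` flag in the flagset.go hunk understates what the switch does: the proxy.go change on this page wires it straight into `InsecureSkipVerify` on the transport shared by every upstream, so an operator reading `--help` should see that certificate verification is what gets turned off. Suggest `Usage: "disable TLS certificate verification for upstream servers (testing only)",`. ServerWithConfig starts and ends outside the hunk.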
diff --git a/proxy/pkg/proxy/proxy.go b/proxy/pkg/proxy/proxy.go
index 54fb95a3b..fe057f11a 100644
--- a/proxy/pkg/proxy/proxy.go
+++ b/proxy/pkg/proxy/proxy.go
@@ -2,6 +2,7 @@ package proxy
 import (
 "context"
+ "crypto/tls"
 "net/http"
 "net/http/httputil"
 "net/url"
@@ -37,6 +38,12 @@ func NewMultiHostReverseProxy(opts ...Option) *MultiHostReverseProxy {
 }
 rp.Director = rp.directorSelectionDirector
+ rp.Transport = &http.Transport{
+ TLSClientConfig: &tls.Config{
+ InsecureSkipVerify: options.Config.Insecure,
+ },
+ }
+
 if options.Config.Policies == nil {
 rp.logger.Info().Str("source", "runtime").Msg("Policies")
 options.Config.Policies = defaultPolicies()
From 4c9d9904781337c1058484ee0551cdec99bf6c3e Mon Sep 17 00:00:00 2001
From: Willy Kloucek
Date: Thu, 3 Dec 2020 13:55:10 +0100
Subject: [PATCH 2/3] tage default values from http.DefaultTransport
---
 proxy/pkg/proxy/proxy.go | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/proxy/pkg/proxy/proxy.go b/proxy/pkg/proxy/proxy.go
index fe057f11a..fa25b2d34 100644
--- a/proxy/pkg/proxy/proxy.go
+++ b/proxy/pkg/proxy/proxy.go
@@ -3,11 +3,13 @@ package proxy
 import (
 "context"
 "crypto/tls"
+ "net"
 "net/http"
 "net/http/httputil"
 "net/url"
 "regexp"
 "strings"
+ "time"
 "github.com/owncloud/ocis/proxy/pkg/proxy/policy"
 "go.opencensus.io/plugin/ochttp/propagation/tracecontext"
@@ -38,7 +40,19 @@ func NewMultiHostReverseProxy(opts ...Option) *MultiHostReverseProxy {
 }
 rp.Director = rp.directorSelectionDirector
+ // equals http.DefaultTransport except TLSClientConfig
 rp.Transport = &http.Transport{
+ Proxy: http.ProxyFromEnvironment,
+ DialContext: (&net.Dialer{
+ Timeout: 30 * time.Second,
+ KeepAlive: 30 * time.Second,
+ DualStack: true,
+ }).DialContext,
+ ForceAttemptHTTP2: true,
+ MaxIdleConns: 100,
+ IdleConnTimeout: 90 * time.Second,
+ TLSHandshakeTimeout: 10 * time.Second,
+ ExpectContinueTimeout: 1 * time.Second,
 TLSClientConfig: &tls.Config{
 InsecureSkipVerify: options.Config.Insecure,
 },
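Review bot: Setting `InsecureSkipVerify` from `options.Config.Insecure` in the second proxy.go hunk of patch 1 disables certificate verification for every upstream without leaving any trace in the logs, so a deployment that inherits the env var from a test setup would run unverified and nobody would notice. The surrounding code already logs through `rp.logger`, so a startup warning next to the assignment is cheap: `if options.Config.Insecure { rp.logger.Warn().Msg("TLS certificate verification for upstream servers is disabled") }` (assuming the logger exposes Warn() like its Info()). NewMultiHostReverseProxy continues outside the hunk.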
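Review bot: The fields copied under `// equals http.DefaultTransport except TLSClientConfig` in the patch 2 proxy.go hunk will silently drift from the real defaults as Go versions change, and `DualStack` is already a deprecated field of net.Dialer. Starting from a clone of the default transport makes the comment true by construction and leaves only the one deliberate difference in the code; it needs http.Transport.Clone (Go 1.13+), which the module presumably already meets, and would make the `net` and `time` imports added in this patch unnecessary. NewMultiHostReverseProxy continues outside the hunk.
```go
	rp.Director = rp.directorSelectionDirector

	// start from the stdlib defaults so only TLSClientConfig differs from http.DefaultTransport
	tr := http.DefaultTransport.(*http.Transport).Clone()
	tr.TLSClientConfig = &tls.Config{
		InsecureSkipVerify: options.Config.Insecure,
	}
	rp.Transport = tr
```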
From fe2efc3c466be8c68a273d83da26da9b4bc0b593 Mon Sep 17 00:00:00 2001
From: Willy Kloucek
Date: Thu, 3 Dec 2020 13:57:19 +0100
Subject: [PATCH 3/3] change to InsecureBackends flag
---
 proxy/pkg/config/config.go | 2 +-
 proxy/pkg/flagset/flagset.go | 4 ++--
 proxy/pkg/proxy/proxy.go | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/proxy/pkg/config/config.go b/proxy/pkg/config/config.go
index 09d86626f..4da46e006 100644
--- a/proxy/pkg/config/config.go
+++ b/proxy/pkg/config/config.go
@@ -106,7 +106,7 @@ type Config struct {
 PreSignedURL PreSignedURL
 AutoprovisionAccounts bool
 EnableBasicAuth bool
- Insecure bool
+ InsecureBackends bool
 }
 // OIDC is the config for the OpenID-Connect middleware. If set the proxy will try to authenticate every request
diff --git a/proxy/pkg/flagset/flagset.go b/proxy/pkg/flagset/flagset.go
index 91a313570..b8e3fb870 100644
--- a/proxy/pkg/flagset/flagset.go
+++ b/proxy/pkg/flagset/flagset.go
@@ -189,8 +189,8 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 Name: "insecure",
 Value: false,
 Usage: "allow insecure communication to upstream servers",
- EnvVars: []string{"PROXY_INSECURE"},
- Destination: &cfg.Insecure,
+ EnvVars: []string{"PROXY_INSECURE_BACKENDS"},
+ Destination: &cfg.InsecureBackends,
 },
 // OIDC
diff --git a/proxy/pkg/proxy/proxy.go b/proxy/pkg/proxy/proxy.go
index fa25b2d34..b4c2e7193 100644
--- a/proxy/pkg/proxy/proxy.go
+++ b/proxy/pkg/proxy/proxy.go
@@ -54,7 +54,7 @@ func NewMultiHostReverseProxy(opts ...Option) *MultiHostReverseProxy {
 TLSHandshakeTimeout: 10 * time.Second,
 ExpectContinueTimeout: 1 * time.Second,
 TLSClientConfig: &tls.Config{
- InsecureSkipVerify: options.Config.Insecure,
+ InsecureSkipVerify: options.Config.InsecureBackends,
 },
 }
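Review bot: After the flagset.go hunk of this patch the CLI flag is still called `insecure` while the env var it mirrors is `PROXY_INSECURE_BACKENDS` and the field it writes is `InsecureBackends`, so the three names for one setting no longer agree and a reader of `--help` cannot tell which env var belongs to the flag. Rename the flag with the other two lines: `Name: "insecure-backends",`. If the old name must keep working, the urfave/cli `Aliases` field on BoolFlag can carry it; ServerWithConfig starts and ends outside the hunk.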