* use min tls 1.2 Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * add changelog Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
package proxy
import (
"crypto/tls"
"crypto/x509"
"errors"
"fmt"
"io/ioutil"
"net"
"net/http"
"net/http/httputil"
"time"
chimiddleware "github.com/go-chi/chi/v5/middleware"
"go.opentelemetry.io/otel/attribute"
"github.com/owncloud/ocis/v2/ocis-pkg/log"
pkgtrace "github.com/owncloud/ocis/v2/ocis-pkg/tracing"
"github.com/owncloud/ocis/v2/services/proxy/pkg/config"
"github.com/owncloud/ocis/v2/services/proxy/pkg/proxy/policy"
"github.com/owncloud/ocis/v2/services/proxy/pkg/router"
proxytracing "github.com/owncloud/ocis/v2/services/proxy/pkg/tracing"
"go.opentelemetry.io/otel/propagation"
"go.opentelemetry.io/otel/trace"
)
// MultiHostReverseProxy extends "httputil" to support multiple hosts with different policies.
// It embeds httputil.ReverseProxy; NewMultiHostReverseProxy installs a Director that
// resolves the per-route Director from the request context and a Transport with an
// explicit TLS client configuration for the backends.
type MultiHostReverseProxy struct {
	httputil.ReverseProxy
	// Directors holds policy route type method endpoint Director
	// (nested as policy -> config.RouteType -> HTTP method -> endpoint).
	Directors map[string]map[config.RouteType]map[string]map[string]func(req *http.Request)
	// PolicySelector is not referenced in this file; presumably it chooses the
	// policy key used to look up Directors — confirm against the router package.
	PolicySelector policy.Selector
	// logger is taken from the Options passed to NewMultiHostReverseProxy.
	logger log.Logger
	// config is taken from the Options passed to NewMultiHostReverseProxy; its
	// InsecureBackends and BackendHTTPSCACert fields drive the backend TLS setup.
	config *config.Config
}
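// errNoBackendCACert is returned when the configured backend HTTPS CA cert file
// contains no PEM certificate that can be added to the trust pool.
var errNoBackendCACert = errors.New("no valid CA certificate found in backend HTTPS CA cert")

// NewMultiHostReverseProxy creates a new MultiHostReverseProxy.
//
// The returned proxy dispatches each request to the Director stored in the
// request context's routing info and reaches backends through a Transport that
// mirrors http.DefaultTransport except for its TLS client configuration (see
// backendTLSConfig). An error is returned only when the configured backend CA
// certificate cannot be read or yields no usable certificate.
func NewMultiHostReverseProxy(opts ...Option) (*MultiHostReverseProxy, error) {
	options := newOptions(opts...)

	rp := &MultiHostReverseProxy{
		Directors: make(map[string]map[config.RouteType]map[string]map[string]func(req *http.Request)),
		logger:    options.Logger,
		config:    options.Config,
	}

	// The per-route Director is resolved from the routing info the router
	// stored in the request context. There is no fallback here: this relies
	// on the router having set routing info for every request that reaches
	// the proxy.
	rp.Director = func(r *http.Request) {
		ri := router.ContextRoutingInfo(r.Context())
		ri.Director()(r)
	}

	tlsConf, err := backendTLSConfig(options.Config.BackendHTTPSCACert, options.Config.InsecureBackends)
	if err != nil {
		return nil, err
	}

	// equals http.DefaultTransport except TLSClientConfig
	rp.Transport = &http.Transport{
		Proxy: http.ProxyFromEnvironment,
		DialContext: (&net.Dialer{
			Timeout:   30 * time.Second,
			KeepAlive: 30 * time.Second,
			// DualStack has been a no-op since Go 1.12 (always enabled);
			// kept for parity with the previous configuration.
			DualStack: true,
		}).DialContext,
		ForceAttemptHTTP2:     true,
		MaxIdleConns:          100,
		IdleConnTimeout:       90 * time.Second,
		TLSHandshakeTimeout:   10 * time.Second,
		ExpectContinueTimeout: 1 * time.Second,
		TLSClientConfig:       tlsConf,
	}

	return rp, nil
}

// backendTLSConfig builds the TLS client configuration used for connections to
// the backends.
//
// TLS 1.2 is the minimum accepted protocol version. When caCertPath is
// non-empty, the PEM certificates in that file become the only trusted roots
// for backend connections (a non-nil RootCAs replaces the system pool). When
// insecure is true, server certificate verification is disabled entirely; the
// MinVersion still applies, but the backend's identity is not checked.
//
// It returns an error when the CA file cannot be read (wrapped with the path)
// or when no certificate could be added to the pool (errNoBackendCACert).
func backendTLSConfig(caCertPath string, insecure bool) (*tls.Config, error) {
	tlsConf := &tls.Config{
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: insecure, //nolint:gosec
	}
	if caCertPath == "" {
		return tlsConf, nil
	}

	// ioutil.ReadFile is kept (rather than os.ReadFile, Go 1.16+) so this
	// change does not raise the module's minimum Go version.
	pemData, err := ioutil.ReadFile(caCertPath)
	if err != nil {
		return nil, fmt.Errorf("reading backend HTTPS CA cert %q: %w", caCertPath, err)
	}

	certs := x509.NewCertPool()
	if !certs.AppendCertsFromPEM(pemData) {
		// The previous message referred to an "LDAP Backend"; this code path
		// only concerns the proxy's backend HTTPS CA.
		return nil, fmt.Errorf("%w: %s", errNoBackendCACert, caCertPath)
	}
	tlsConf.RootCAs = certs

	return tlsConf, nil
}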
// withSpan starts a "proxy" tracing span named after the request's method and
// path, records the chi request id on it and injects the span context into the
// request headers. It returns a shallow copy of r carrying the span context
// (the header map is shared with r) together with the started span; the caller
// is responsible for ending the span.
func (p *MultiHostReverseProxy) withSpan(r *http.Request) (*http.Request, trace.Span) {
	incoming := r.Context()
	tracer := proxytracing.TraceProvider.Tracer("proxy")
	ctx, span := tracer.Start(incoming, fmt.Sprintf("%s %v", r.Method, r.URL.Path))

	span.SetAttributes(attribute.String("x-request-id", chimiddleware.GetReqID(incoming)))

	// Propagate the new span context downstream via the request headers.
	pkgtrace.Propagator.Inject(ctx, propagation.HeaderCarrier(r.Header))

	return r.WithContext(ctx), span
}

// ServeHTTP wraps the request in a tracing span and hands it to the embedded
// httputil.ReverseProxy, ending the span once the proxied response is done.
func (p *MultiHostReverseProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	traced, span := p.withSpan(r)
	defer span.End()

	p.ReverseProxy.ServeHTTP(w, traced)
}