implement client cert auth

auth.go

@@ -30,6 +30,8 @@ func NewAuth(paramstr string) (Auth, error) {
         return NewStaticAuth(url)
     case "basicfile":
         return NewBasicFileAuth(url)
+    case "cert":
+        return CertAuth{}, nil
     case "none":
         return NoAuth{}, nil
     default:
@@ -177,3 +179,14 @@ func (_ NoAuth) Validate(wr http.ResponseWriter, req *http.Request) bool {
     return true
 }
 
+
+type CertAuth struct {}
+
+func (_ CertAuth) Validate(wr http.ResponseWriter, req *http.Request) bool {
+    if req.TLS == nil || len(req.TLS.VerifiedChains) < 1 {
+        http.Error(wr, "Forbidden", http.StatusForbidden)
+        return false
+    } else {
+        return true
+    }
+}

main.go

@@ -26,7 +26,7 @@ type CLIArgs struct {
     auth string
     verbosity int
     timeout time.Duration
-    cert, key string
+    cert, key, cafile string
 }
 
 
@@ -39,6 +39,7 @@ func parse_args() CLIArgs {
     flag.DurationVar(&args.timeout, "timeout", 10 * time.Second, "timeout for network operations")
     flag.StringVar(&args.cert, "cert", "", "enable TLS and use certificate")
     flag.StringVar(&args.key, "key", "", "key for TLS certificate")
+    flag.StringVar(&args.cafile, "cafile", "", "CA file to authenticate clients with certificates")
     flag.Parse()
     return args
 }
@@ -74,7 +75,7 @@ func run() int {
 
     mainLogger.Info("Starting proxy server...")
     if args.cert != "" {
-        cfg, err1 := makeServerTLSConfig(args.cert, args.key, "")
+        cfg, err1 := makeServerTLSConfig(args.cert, args.key, args.cafile)
         if err1 != nil {
             mainLogger.Critical("TLS config construction failed: %v", err)
             return 3