From 89dc74519f1d93874b5fccaa090ce5a78657f871 Mon Sep 17 00:00:00 2001
From: Vladislav Yarmak
Date: Mon, 25 May 2020 00:16:56 +0300
Subject: [PATCH] implement client cert auth

---
 auth.go | 13 +++++++++++++
 main.go |  5 +++--
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/auth.go b/auth.go
index 2588187..e555e7c 100644
--- a/auth.go
+++ b/auth.go
@@ -30,6 +30,8 @@ func NewAuth(paramstr string) (Auth, error) {
 		return NewStaticAuth(url)
 	case "basicfile":
 		return NewBasicFileAuth(url)
+	case "cert":
+		return CertAuth{}, nil
 	case "none":
 		return NoAuth{}, nil
 	default:
@@ -177,3 +179,14 @@ func (_ NoAuth) Validate(wr http.ResponseWriter, req *http.Request) bool {
 	return true
 }
+
+type CertAuth struct {}
+
+func (_ CertAuth) Validate(wr http.ResponseWriter, req *http.Request) bool {
+	if req.TLS == nil || len(req.TLS.VerifiedChains) < 1 {
+		http.Error(wr, "Forbidden", http.StatusForbidden)
+		return false
+	} else {
+		return true
+	}
+}
diff --git a/main.go b/main.go
index 8faaa0b..17b4d03 100644
--- a/main.go
+++ b/main.go
@@ -26,7 +26,7 @@ type CLIArgs struct {
 	auth string
 	verbosity int
 	timeout time.Duration
-	cert, key string
+	cert, key, cafile string
 }
@@ -39,6 +39,7 @@ func parse_args() CLIArgs {
 	flag.DurationVar(&args.timeout, "timeout", 10 * time.Second, "timeout for network operations")
 	flag.StringVar(&args.cert, "cert", "", "enable TLS and use certificate")
 	flag.StringVar(&args.key, "key", "", "key for TLS certificate")
+	flag.StringVar(&args.cafile, "cafile", "", "CA file to authenticate clients with certificates")
 	flag.Parse()
 	return args
 }
@@ -74,7 +75,7 @@ func run() int {
 	mainLogger.Info("Starting proxy server...")
 	if args.cert != "" {
-		cfg, err1 := makeServerTLSConfig(args.cert, args.key, "")
+		cfg, err1 := makeServerTLSConfig(args.cert, args.key, args.cafile)
 		if err1 != nil {
 			mainLogger.Critical("TLS config construction failed: %v", err)
 			return 3
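Review bot: The new CertAuth type in the second auth.go hunk has no doc comment, and its Validate keeps an `else` after a terminating `return` (which golint/staticcheck flag) while `struct {}` is not gofmt output. Suggested comment above the type: `// CertAuth accepts a request only when the TLS handshake produced a verified client certificate chain; the server's TLS config must verify client certificates (here presumably via -cafile) for req.TLS.VerifiedChains to be populated, otherwise every request is rejected.` Checking VerifiedChains rather than PeerCertificates is the right choice, since crypto/tls only fills VerifiedChains after validating the chain against ClientCAs, so a certificate that was presented but not verified cannot pass. The body can be reduced to `if req.TLS == nil || len(req.TLS.VerifiedChains) < 1 { http.Error(wr, "Forbidden", http.StatusForbidden); return false }` followed by `return true`. Consider logging the client subject (`req.TLS.PeerCertificates[0].Subject`) on the accept path so certificate-based access is auditable.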
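Review bot: In the last main.go hunk, the Critical log directly after the changed makeServerTLSConfig call prints `err` rather than the `err1` just assigned, so the reason the TLS config failed — now including an unreadable or malformed cafile — is never shown; it should read `mainLogger.Critical("TLS config construction failed: %v", err1)`. That line is context rather than new code, but the new cafile argument adds a failure path that reaches it. Separately, `-cafile` is only consulted inside `if args.cert != ""`, so a cafile given without -cert is silently ignored, and selecting the `cert` auth mode without a cafile would (assuming makeServerTLSConfig only enables client verification when a CA is supplied) produce a server that rejects every request with 403; a startup check that the cert auth mode is paired with a non-empty cafile, and a warning when cafile is set but TLS is off, would make both misconfigurations visible. run() continues outside the hunk.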