feat: add root cert path to proxy service

0xRichardH · Apr 5, 2024 · 49203b1 · 49203b1
1 parent a11c86c
commit 49203b1
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 2 deletions.
diff --git a/src/config.rs b/src/config.rs
@@ -16,6 +16,7 @@ pub struct Config {
 pub struct ProxyService {
     pub host_configs: Vec<HostConfig>,
     pub listen_addr: String,
+    pub root_cert_path: Option<String>,
 }
 
 #[derive(Deserialize, Clone, Debug)]
@@ -93,6 +94,10 @@ mod tests {
             config.proxy_service.listen_addr,
             String::from("0.0.0.0:443")
         );
+        assert_eq!(
+            config.proxy_service.root_cert_path,
+            Some(String::from("root.pem"))
+        );
         assert_eq!(config.proxy_service.host_configs.len(), 2);
 
         let host_config_1 = config.proxy_service.host_configs[0].clone();
@@ -139,6 +144,7 @@ mod tests {
             r#"
             [proxy_service]
             listen_addr = "0.0.0.0:443"
+            root_cert_path = "root.pem"
 
             [[proxy_service.host_configs]]
             proxy_addr = "1.1.1.1:443"

diff --git a/src/main.rs b/src/main.rs
@@ -32,7 +32,12 @@ fn add_tcp_proxy(server: &mut Server, cfg: &config::ProxyService) {
             host_config
         });
 
-    let proxy = proxy_service_tls(&server.configuration, &cfg.listen_addr, host_configs);
+    let proxy = proxy_service_tls(
+        &server.configuration,
+        &cfg.listen_addr,
+        host_configs,
+        cfg.root_cert_path.clone(),
+    );
     server.add_service(proxy);
 }
 

diff --git a/src/services/service.rs b/src/services/service.rs
@@ -58,13 +58,19 @@ pub fn proxy_service_tls(
     server_conf: &Arc<ServerConf>,
     listen_addr: &str,
     host_configs: HostConfigs,
+    root_cert_path: Option<String>,
 ) -> impl pingora::services::Service {
     let proxy_service = ProxyService::new(host_configs.clone());
     let mut service = http_proxy_service(server_conf, proxy_service);
 
     let cb = Callback::new(host_configs);
     let cb = Box::new(cb);
-    let tls_settings = TlsSettings::with_callbacks(cb).unwrap();
+    let mut tls_settings = TlsSettings::with_callbacks(cb).unwrap();
+    tls_settings.enable_h2();
+    if let Some(root_cert_path) = root_cert_path {
+        // load trusted root certificates
+        tls_settings.set_ca_file(root_cert_path).unwrap();
+    }
     service.add_tls_with_settings(listen_addr, None, tls_settings);
 
     service