Tls supprt (#540)
* added tls support to controller and access proxies * few pr comments
This commit is contained in:
parent
2ef52607f0
commit
53940d51ab
@ -14,6 +14,10 @@ FEATURE: Python SDK now has a decorator for integrating with various server side
|
|||||||
|
|
||||||
FEATURE: Python SDK share and access handling now supports context management.
|
FEATURE: Python SDK share and access handling now supports context management.
|
||||||
|
|
||||||
|
FEATURE: TLS for `zrok` controller and acces endpoints. Add the specified stanza to your controller file (see `etc/ctrl.yml`). Your controller will now listen over TLS. (Note: you will need to update your client environments/configs to use the new https:// url). Likewise with `access` add the stanza to your frontend configuration (see `etc/frontend.yml`). Additionally you will have to update the frontend url template to emit a https:// scheme.
|
||||||
|
|
||||||
|
FEATURE: TLS for `zrok` controller and frontends. Add the `tls:` stanza to your controller configuration (see `etc/ctrl.yml`) to enable TLS support for the controller API. Add the `tls:` stanza to your frontend configuration (see `etc/frontend.yml`) to enable TLS support for frontends (be sure to check your `public` frontend template) (#24)(https://github.com/openziti/zrok/issues/24)
|
||||||
|
|
||||||
## v0.4.22
|
## v0.4.22
|
||||||
|
|
||||||
FIX: The goreleaser action is not updated to work with the latest golang build. Modifed `go.mod` to comply with what goreleaser expects
|
FIX: The goreleaser action is not updated to work with the latest golang build. Modifed `go.mod` to comply with what goreleaser expects
|
||||||
|
@ -31,6 +31,7 @@ type Config struct {
|
|||||||
ResetPassword *ResetPasswordConfig
|
ResetPassword *ResetPasswordConfig
|
||||||
Store *store.Config
|
Store *store.Config
|
||||||
Ziti *zrokEdgeSdk.Config
|
Ziti *zrokEdgeSdk.Config
|
||||||
|
Tls *TlsConfig
|
||||||
}
|
}
|
||||||
|
|
||||||
type AdminConfig struct {
|
type AdminConfig struct {
|
||||||
@ -83,6 +84,11 @@ type ResetPasswordMaintenanceConfig struct {
|
|||||||
BatchLimit int
|
BatchLimit int
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type TlsConfig struct {
|
||||||
|
CertPath string
|
||||||
|
KeyPath string
|
||||||
|
}
|
||||||
|
|
||||||
func DefaultConfig() *Config {
|
func DefaultConfig() *Config {
|
||||||
return &Config{
|
return &Config{
|
||||||
Limits: limits.DefaultConfig(),
|
Limits: limits.DefaultConfig(),
|
||||||
|
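Review bot: The new exported `TlsConfig` in the second hunk has no doc comment and is a field-for-field twin of the `TlsConfig` this same commit adds under `endpoints`, so the two will drift independently the first time one grows an option; the controller could embed or alias `endpoints.TlsConfig`, or at minimum document this one. Suggested comment: `// TlsConfig enables HTTPS for the controller API. CertPath and KeyPath are filesystem paths to the server certificate (with any intermediates) and its private key; both are handed to the listener whenever the stanza is present.` The YAML keys are presumably `cert_path`/`key_path` as shown in `etc/ctrl.yml` — confirm the loader's naming convention before stating them in the comment.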
@ -2,6 +2,7 @@ package controller
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
|
"github.com/jessevdk/go-flags"
|
||||||
"github.com/openziti/zrok/controller/config"
|
"github.com/openziti/zrok/controller/config"
|
||||||
"github.com/openziti/zrok/controller/limits"
|
"github.com/openziti/zrok/controller/limits"
|
||||||
"github.com/openziti/zrok/controller/metrics"
|
"github.com/openziti/zrok/controller/metrics"
|
||||||
@ -128,8 +129,16 @@ func Run(inCfg *config.Config) error {
|
|||||||
|
|
||||||
server := rest_server_zrok.NewServer(api)
|
server := rest_server_zrok.NewServer(api)
|
||||||
defer func() { _ = server.Shutdown() }()
|
defer func() { _ = server.Shutdown() }()
|
||||||
|
if cfg.Tls != nil {
|
||||||
|
server.TLSHost = cfg.Endpoint.Host
|
||||||
|
server.TLSPort = cfg.Endpoint.Port
|
||||||
|
server.TLSCertificate = flags.Filename(cfg.Tls.CertPath)
|
||||||
|
server.TLSCertificateKey = flags.Filename(cfg.Tls.KeyPath)
|
||||||
|
server.EnabledListeners = []string{"https"}
|
||||||
|
} else {
|
||||||
server.Host = cfg.Endpoint.Host
|
server.Host = cfg.Endpoint.Host
|
||||||
server.Port = cfg.Endpoint.Port
|
server.Port = cfg.Endpoint.Port
|
||||||
|
}
|
||||||
rest_server_zrok.HealthCheck = HealthCheckHTTP
|
rest_server_zrok.HealthCheck = HealthCheckHTTP
|
||||||
server.ConfigureAPI()
|
server.ConfigureAPI()
|
||||||
if err := server.Serve(); err != nil {
|
if err := server.Serve(); err != nil {
|
||||||
|
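Review bot: When `cfg.Tls` is set, `CertPath` and `KeyPath` are handed to the generated server without any check, so an empty or unreadable path, or a key that does not match the certificate, is only discovered when `server.Serve()` tries to listen and the error surfaces from inside the swagger runtime; a cheap pre-flight makes misconfiguration fail at startup with a clear message: `if _, err := tls.LoadX509KeyPair(cfg.Tls.CertPath, cfg.Tls.KeyPath); err != nil { return errors.Wrap(err, "error loading controller tls certificate/key") }` (needs `crypto/tls`; use whichever error-wrapping helper this file already imports). The TLS parameters that actually get applied (minimum version, cipher suites) are not set in this hunk and presumably live in the generated configure hook, so confirm that hook pins at least TLS 1.2 before the https listener is exposed. `Run` begins and ends outside this hunk.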
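--- /dev/null
+++ b/endpoints/config.go
@@ -0,0 +1,6 @@
+package endpoints
+
+type TlsConfig struct {
+	CertPath string
+	KeyPath string
+}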
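Review bot: The exported `TlsConfig` has no doc comment, and nothing tells an operator what the two paths must contain or how sensitive the key file is. Suggested: `// TlsConfig turns on HTTPS for a frontend listener. CertPath is the path to the server certificate (with any intermediates) and KeyPath the path to its private key; both are passed to http.ListenAndServeTLS, so they must be PEM-encoded.` It is worth adding that `KeyPath` should be readable only by the account running zrok, since anyone who can read it can impersonate the frontend.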
@ -22,6 +22,7 @@ type FrontendConfig struct {
|
|||||||
IdentityName string
|
IdentityName string
|
||||||
ShrToken string
|
ShrToken string
|
||||||
Address string
|
Address string
|
||||||
|
Tls *endpoints.TlsConfig
|
||||||
RequestsChan chan *endpoints.Request
|
RequestsChan chan *endpoints.Request
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -76,6 +77,9 @@ func NewFrontend(cfg *FrontendConfig) (*Frontend, error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (h *Frontend) Run() error {
|
func (h *Frontend) Run() error {
|
||||||
|
if h.cfg.Tls != nil {
|
||||||
|
return http.ListenAndServeTLS(h.cfg.Address, h.cfg.Tls.CertPath, h.cfg.Tls.KeyPath, h.handler)
|
||||||
|
}
|
||||||
return http.ListenAndServe(h.cfg.Address, h.handler)
|
return http.ListenAndServe(h.cfg.Address, h.handler)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
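Review bot: `http.ListenAndServeTLS` in `Run` (second hunk) creates an `http.Server` with Go's defaults — no read or idle timeouts and the toolchain's default minimum TLS version, which on older Go releases still admits TLS 1.0/1.1 — so the listener that now fronts private shares inherits those defaults. Constructing the server explicitly lets the TLS floor and a header timeout be pinned without changing the config surface; the rewrite below needs `crypto/tls` and `time` in the import block, which is outside this hunk.
```go
func (h *Frontend) Run() error {
	srv := &http.Server{
		Addr:              h.cfg.Address,
		Handler:           h.handler,
		ReadHeaderTimeout: 10 * time.Second, // bounds header-stall (slowloris) connections; tune per deployment
	}
	if h.cfg.Tls != nil {
		srv.TLSConfig = &tls.Config{MinVersion: tls.VersionTLS12}
		return srv.ListenAndServeTLS(h.cfg.Tls.CertPath, h.cfg.Tls.KeyPath)
	}
	return srv.ListenAndServe()
}
```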
@ -3,6 +3,7 @@ package publicProxy
|
|||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
"github.com/michaelquigley/cf"
|
"github.com/michaelquigley/cf"
|
||||||
|
"github.com/openziti/zrok/endpoints"
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
"github.com/sirupsen/logrus"
|
"github.com/sirupsen/logrus"
|
||||||
zhttp "github.com/zitadel/oidc/v2/pkg/http"
|
zhttp "github.com/zitadel/oidc/v2/pkg/http"
|
||||||
@ -16,6 +17,7 @@ type Config struct {
|
|||||||
Address string
|
Address string
|
||||||
HostMatch string
|
HostMatch string
|
||||||
Oauth *OauthConfig
|
Oauth *OauthConfig
|
||||||
|
Tls *endpoints.TlsConfig
|
||||||
}
|
}
|
||||||
|
|
||||||
type OauthConfig struct {
|
type OauthConfig struct {
|
||||||
|
@ -69,7 +69,7 @@ func NewHTTP(cfg *Config) (*HttpFrontend, error) {
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
proxy.Transport = zTransport
|
proxy.Transport = zTransport
|
||||||
if err := configureOauthHandlers(context.Background(), cfg, false); err != nil {
|
if err := configureOauthHandlers(context.Background(), cfg, cfg.Tls != nil); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
handler := authHandler(util.NewProxyHandler(proxy), cfg, key, zCtx)
|
handler := authHandler(util.NewProxyHandler(proxy), cfg, key, zCtx)
|
||||||
@ -81,6 +81,9 @@ func NewHTTP(cfg *Config) (*HttpFrontend, error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (f *HttpFrontend) Run() error {
|
func (f *HttpFrontend) Run() error {
|
||||||
|
if f.cfg.Tls != nil {
|
||||||
|
return http.ListenAndServeTLS(f.cfg.Address, f.cfg.Tls.CertPath, f.cfg.Tls.KeyPath, f.handler)
|
||||||
|
}
|
||||||
return http.ListenAndServe(f.cfg.Address, f.handler)
|
return http.ListenAndServe(f.cfg.Address, f.handler)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
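Review bot: In `NewHTTP` (third hunk) the OAuth handlers' `tls` argument is now derived solely from `cfg.Tls != nil`, i.e. from whether this process terminates TLS itself. A public frontend behind a TLS-terminating reverse proxy or load balancer — a common layout for the internet-facing endpoint — will still pass `false`; if that flag selects the `https` scheme of the OAuth redirect URL or the cookie `Secure` attribute (its meaning is not visible in this hunk), such deployments end up with a plaintext-scheme redirect or non-Secure cookies even though clients speak HTTPS. Consider driving it from an explicit setting, for example the frontend's external URL scheme or an `oauth`-level flag that defaults to `cfg.Tls != nil`, rather than the listener mode alone. `Run` in the last hunk also has the `http.ListenAndServeTLS` default-server caveats (no timeouts, toolchain-default TLS floor) that apply to the private frontend. `NewHTTP` begins outside this hunk.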
@ -181,6 +181,12 @@ store:
|
|||||||
path: zrok.db
|
path: zrok.db
|
||||||
type: sqlite3
|
type: sqlite3
|
||||||
|
|
||||||
|
# The `tls` section sets the cert and key to use and enables serving over HTTPS
|
||||||
|
#
|
||||||
|
#tls:
|
||||||
|
# cert_path: "/Path/To/Cert/zrok.crt"
|
||||||
|
# key_path: "/Path/To/Cert/zrok.key"
|
||||||
|
|
||||||
# Ziti configuration.
|
# Ziti configuration.
|
||||||
#
|
#
|
||||||
ziti:
|
ziti:
|
||||||
|
@ -42,3 +42,9 @@ v: 3
|
|||||||
# - name: github
|
# - name: github
|
||||||
# client_id: <client-id>
|
# client_id: <client-id>
|
||||||
# client_secret: <client-secret>
|
# client_secret: <client-secret>
|
||||||
|
#
|
||||||
|
# The `tls` section sets the cert and key to use and enables serving over HTTPS
|
||||||
|
#
|
||||||
|
#tls:
|
||||||
|
# cert_path: "/Path/To/Cert/zrok.crt"
|
||||||
|
# key_path: "/Path/To/Cert/zrok.key"
|