Tls supprt (#540)
* added TLS support to controller and access proxies * a few PR comments addressed
This commit is contained in:
parent
2ef52607f0
commit
53940d51ab
@ -14,6 +14,10 @@ FEATURE: Python SDK now has a decorator for integrating with various server side
|
||||
|
||||
FEATURE: Python SDK share and access handling now supports context management.
|
||||
|
||||
FEATURE: TLS for `zrok` controller and acces endpoints. Add the specified stanza to your controller file (see `etc/ctrl.yml`). Your controller will now listen over TLS. (Note: you will need to update your client environments/configs to use the new https:// url). Likewise with `access` add the stanza to your frontend configuration (see `etc/frontend.yml`). Additionally you will have to update the frontend url template to emit a https:// scheme.
|
||||
|
||||
FEATURE: TLS for `zrok` controller and frontends. Add the `tls:` stanza to your controller configuration (see `etc/ctrl.yml`) to enable TLS support for the controller API. Add the `tls:` stanza to your frontend configuration (see `etc/frontend.yml`) to enable TLS support for frontends (be sure to check your `public` frontend template) (#24)(https://github.com/openziti/zrok/issues/24)
|
||||
|
||||
## v0.4.22
|
||||
|
||||
FIX: The goreleaser action is not updated to work with the latest golang build. Modifed `go.mod` to comply with what goreleaser expects
|
||||
|
@ -31,6 +31,7 @@ type Config struct {
|
||||
ResetPassword *ResetPasswordConfig
|
||||
Store *store.Config
|
||||
Ziti *zrokEdgeSdk.Config
|
||||
Tls *TlsConfig
|
||||
}
|
||||
|
||||
type AdminConfig struct {
|
||||
@ -83,6 +84,11 @@ type ResetPasswordMaintenanceConfig struct {
|
||||
BatchLimit int
|
||||
}
|
||||
|
||||
type TlsConfig struct {
|
||||
CertPath string
|
||||
KeyPath string
|
||||
}
|
||||
|
||||
func DefaultConfig() *Config {
|
||||
return &Config{
|
||||
Limits: limits.DefaultConfig(),
|
||||
|
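Review bot: The `TlsConfig` added in the second hunk (`type TlsConfig struct {`) duplicates, field for field, the `endpoints.TlsConfig` this same commit creates in endpoints/config.go, and both frontend configs already reference the `endpoints` one; unless the controller package must not import `endpoints`, declaring the field as `Tls *endpoints.TlsConfig` would leave a single definition to validate and document. Either way the exported type needs a doc comment, e.g. `// TlsConfig holds the paths of the certificate and private key the controller API serves HTTPS with; while Config.Tls is nil the API stays plaintext.` The `Config` struct whose `Tls` field the first hunk adds starts outside the hunk.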
@ -2,6 +2,7 @@ package controller
|
||||
|
||||
import (
|
||||
"context"
|
||||
"github.com/jessevdk/go-flags"
|
||||
"github.com/openziti/zrok/controller/config"
|
||||
"github.com/openziti/zrok/controller/limits"
|
||||
"github.com/openziti/zrok/controller/metrics"
|
||||
@ -128,8 +129,16 @@ func Run(inCfg *config.Config) error {
|
||||
|
||||
server := rest_server_zrok.NewServer(api)
|
||||
defer func() { _ = server.Shutdown() }()
|
||||
if cfg.Tls != nil {
|
||||
server.TLSHost = cfg.Endpoint.Host
|
||||
server.TLSPort = cfg.Endpoint.Port
|
||||
server.TLSCertificate = flags.Filename(cfg.Tls.CertPath)
|
||||
server.TLSCertificateKey = flags.Filename(cfg.Tls.KeyPath)
|
||||
server.EnabledListeners = []string{"https"}
|
||||
} else {
|
||||
server.Host = cfg.Endpoint.Host
|
||||
server.Port = cfg.Endpoint.Port
|
||||
}
|
||||
rest_server_zrok.HealthCheck = HealthCheckHTTP
|
||||
server.ConfigureAPI()
|
||||
if err := server.Serve(); err != nil {
|
||||
|
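Review bot: With `cfg.Tls` set, the new branch enables only the `https` listener (`server.EnabledListeners = []string{"https"}`), so the endpoint silently stops answering plaintext on the same host/port, and a `tls:` stanza with an empty `cert_path` or `key_path` is only discovered when `server.Serve()` fails to open the file. A guard ahead of the assignments, `if cfg.Tls.CertPath == "" || cfg.Tls.KeyPath == "" { return errors.New("tls requires cert_path and key_path") }` (using whichever errors package the file already imports), plus a comment `// TLS replaces the plaintext listener on the endpoint host/port; clients must switch to https://`, would make the switch explicit at the point it happens. `Run` starts and ends outside this hunk.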
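--- a/endpoints/config.go
+++ b/endpoints/config.go
@@ -0,0 +1,6 @@
+package endpoints
+
+type TlsConfig struct {
+CertPath string
+KeyPath string
+}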
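Review bot: The exported `TlsConfig` in this new file has no doc comment, and nothing states what the two paths must contain even though both `Frontend.Run` and `HttpFrontend.Run` in this commit hand them straight to `http.ListenAndServeTLS`. Suggest `// TlsConfig names the PEM-encoded certificate and private key a frontend passes to http.ListenAndServeTLS; both paths are required whenever the stanza is present.` so the config contract is visible where the type lives rather than only in the yaml samples.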
@ -22,6 +22,7 @@ type FrontendConfig struct {
|
||||
IdentityName string
|
||||
ShrToken string
|
||||
Address string
|
||||
Tls *endpoints.TlsConfig
|
||||
RequestsChan chan *endpoints.Request
|
||||
}
|
||||
|
||||
@ -76,6 +77,9 @@ func NewFrontend(cfg *FrontendConfig) (*Frontend, error) {
|
||||
}
|
||||
|
||||
func (h *Frontend) Run() error {
|
||||
if h.cfg.Tls != nil {
|
||||
return http.ListenAndServeTLS(h.cfg.Address, h.cfg.Tls.CertPath, h.cfg.Tls.KeyPath, h.handler)
|
||||
}
|
||||
return http.ListenAndServe(h.cfg.Address, h.handler)
|
||||
}
|
||||
|
||||
|
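Review bot: The new TLS branch in `Frontend.Run` passes `CertPath`/`KeyPath` through the package-level `http.ListenAndServeTLS`, which builds a default `http.Server`: an empty path (stanza present but incomplete) surfaces only as an opaque file-open error at start-up, and there is no handle to set a `tls.Config` (minimum version, ciphers) or header timeouts on the listener. `HttpFrontend.Run` in the public proxy hunk of this commit has the identical shape and the same remarks apply there. Building the server explicitly keeps both code paths identical apart from the listener and gives a place for the policy; this needs `crypto/tls` (and an errors package if the file does not already import one) added to the imports.
```go
func (h *Frontend) Run() error {
	srv := &http.Server{
		Addr:    h.cfg.Address,
		Handler: h.handler,
		// ReadHeaderTimeout etc. can be set here for both listeners
	}
	if h.cfg.Tls != nil {
		if h.cfg.Tls.CertPath == "" || h.cfg.Tls.KeyPath == "" {
			return errors.New("tls stanza requires both cert_path and key_path")
		}
		srv.TLSConfig = &tls.Config{MinVersion: tls.VersionTLS12}
		return srv.ListenAndServeTLS(h.cfg.Tls.CertPath, h.cfg.Tls.KeyPath)
	}
	return srv.ListenAndServe()
}
```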
@ -3,6 +3,7 @@ package publicProxy
|
||||
import (
|
||||
"context"
|
||||
"github.com/michaelquigley/cf"
|
||||
"github.com/openziti/zrok/endpoints"
|
||||
"github.com/pkg/errors"
|
||||
"github.com/sirupsen/logrus"
|
||||
zhttp "github.com/zitadel/oidc/v2/pkg/http"
|
||||
@ -16,6 +17,7 @@ type Config struct {
|
||||
Address string
|
||||
HostMatch string
|
||||
Oauth *OauthConfig
|
||||
Tls *endpoints.TlsConfig
|
||||
}
|
||||
|
||||
type OauthConfig struct {
|
||||
|
@ -69,7 +69,7 @@ func NewHTTP(cfg *Config) (*HttpFrontend, error) {
|
||||
return nil, err
|
||||
}
|
||||
proxy.Transport = zTransport
|
||||
if err := configureOauthHandlers(context.Background(), cfg, false); err != nil {
|
||||
if err := configureOauthHandlers(context.Background(), cfg, cfg.Tls != nil); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
handler := authHandler(util.NewProxyHandler(proxy), cfg, key, zCtx)
|
||||
@ -81,6 +81,9 @@ func NewHTTP(cfg *Config) (*HttpFrontend, error) {
|
||||
}
|
||||
|
||||
func (f *HttpFrontend) Run() error {
|
||||
if f.cfg.Tls != nil {
|
||||
return http.ListenAndServeTLS(f.cfg.Address, f.cfg.Tls.CertPath, f.cfg.Tls.KeyPath, f.handler)
|
||||
}
|
||||
return http.ListenAndServe(f.cfg.Address, f.handler)
|
||||
}
|
||||
|
||||
|
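Review bot: The changed call `configureOauthHandlers(context.Background(), cfg, cfg.Tls != nil)` replaces a bare `false` with a bare boolean expression, so a reader of `NewHTTP` still cannot tell what the third parameter toggles; naming it first, `tlsEnabled := cfg.Tls != nil`, and passing `tlsEnabled` documents the intent at the call site. If that flag governs the scheme or cookie attributes of the OAuth flow (not visible in this hunk), deriving it solely from whether this listener itself terminates TLS would be wrong for a frontend that sits behind a TLS-terminating proxy, which is worth a comment or a separate config knob. The remarks on `Frontend.Run` in the private frontend apply unchanged to `HttpFrontend.Run` in the last hunk here.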
@ -181,6 +181,12 @@ store:
|
||||
path: zrok.db
|
||||
type: sqlite3
|
||||
|
||||
# The `tls` section sets the cert and key to use and enables serving over HTTPS
|
||||
#
|
||||
#tls:
|
||||
# cert_path: "/Path/To/Cert/zrok.crt"
|
||||
# key_path: "/Path/To/Cert/zrok.key"
|
||||
|
||||
# Ziti configuration.
|
||||
#
|
||||
ziti:
|
||||
|
@ -42,3 +42,9 @@ v: 3
|
||||
# - name: github
|
||||
# client_id: <client-id>
|
||||
# client_secret: <client-secret>
|
||||
#
|
||||
# The `tls` section sets the cert and key to use and enables serving over HTTPS
|
||||
#
|
||||
#tls:
|
||||
# cert_path: "/Path/To/Cert/zrok.crt"
|
||||
# key_path: "/Path/To/Cert/zrok.key"
|