Use the first static certificate as a fallback when no default is given
This commit is contained in:
parent
1d8bdd4384
commit
8cc3c4a6b7
3 changed files with 37 additions and 10 deletions
@ -207,6 +207,11 @@ func (gc *GlobalConfiguration) SetEffectiveConfiguration(configFile string) {
|
||||||
entryPoint.WhitelistSourceRange = nil
|
entryPoint.WhitelistSourceRange = nil
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if entryPoint.TLS != nil && entryPoint.TLS.DefaultCertificate == nil && len(entryPoint.TLS.Certificates) > 0 {
|
||||||
|
log.Infof("No tls.defaultCertificate given for %s: using the first item in tls.certificates as a fallback.", entryPointName)
|
||||||
|
entryPoint.TLS.DefaultCertificate = &entryPoint.TLS.Certificates[0]
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Make sure LifeCycle isn't nil to spare nil checks elsewhere.
|
// Make sure LifeCycle isn't nil to spare nil checks elsewhere.
|
||||||
|
|
|
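Review bot: On the `entryPoint.TLS.DefaultCertificate = &entryPoint.TLS.Certificates[0]` line the fallback aliases the first slice element instead of copying it, so a later in-place change to `Certificates[0]` would also change the default certificate, while an append that reallocates the slice would leave the two silently diverging; if the default is meant to be a stable snapshot, copy first: `first := entryPoint.TLS.Certificates[0]` then `entryPoint.TLS.DefaultCertificate = &first`. Which certificate becomes the default is now decided by the order of `tls.certificates` in the configuration, and that is presumably the certificate presented to clients whose SNI matches none of the others, so a comment above the `if` would spare the next reader a trip to the log: `// No explicit default: fall back to the first configured certificate (configuration order decides which one).` The Info-level log line is the only signal of this choice; since it has handshake-visible effect, Warn may be the more appropriate level. SetEffectiveConfiguration starts and ends outside the hunk.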
@ -315,13 +315,13 @@ func (s *EtcdSuite) TestCertificatesContentWithSNIConfigHandshake(c *check.C) {
|
||||||
snitestOrgKey, err := ioutil.ReadFile("fixtures/https/snitest.org.key")
|
snitestOrgKey, err := ioutil.ReadFile("fixtures/https/snitest.org.key")
|
||||||
c.Assert(err, checker.IsNil)
|
c.Assert(err, checker.IsNil)
|
||||||
|
|
||||||
globalConfig := map[string]string{
|
globalConfig := map[string][]byte{
|
||||||
"/traefik/entrypoints/https/address": ":4443",
|
"/traefik/entrypoints/https/address": []byte(":4443"),
|
||||||
"/traefik/entrypoints/https/tls/certificates/0/certfile": string(snitestComCert),
|
"/traefik/entrypoints/https/tls/certificates/0/certfile": snitestComCert,
|
||||||
"/traefik/entrypoints/https/tls/certificates/0/keyfile": string(snitestComKey),
|
"/traefik/entrypoints/https/tls/certificates/0/keyfile": snitestComKey,
|
||||||
"/traefik/entrypoints/https/tls/certificates/1/certfile": string(snitestOrgCert),
|
"/traefik/entrypoints/https/tls/certificates/1/certfile": snitestOrgCert,
|
||||||
"/traefik/entrypoints/https/tls/certificates/1/keyfile": string(snitestOrgKey),
|
"/traefik/entrypoints/https/tls/certificates/1/keyfile": snitestOrgKey,
|
||||||
"/traefik/defaultentrypoints/0": "https",
|
"/traefik/defaultentrypoints/0": []byte("https"),
|
||||||
}
|
}
|
||||||
|
|
||||||
backend1 := map[string]string{
|
backend1 := map[string]string{
|
||||||
|
@ -351,7 +351,7 @@ func (s *EtcdSuite) TestCertificatesContentWithSNIConfigHandshake(c *check.C) {
|
||||||
"/traefik/frontends/frontend2/routes/test_2/rule": "Host:snitest.org",
|
"/traefik/frontends/frontend2/routes/test_2/rule": "Host:snitest.org",
|
||||||
}
|
}
|
||||||
for key, value := range globalConfig {
|
for key, value := range globalConfig {
|
||||||
err := s.kv.Put(key, []byte(value), nil)
|
err := s.kv.Put(key, value, nil)
|
||||||
c.Assert(err, checker.IsNil)
|
c.Assert(err, checker.IsNil)
|
||||||
}
|
}
|
||||||
for key, value := range backend1 {
|
for key, value := range backend1 {
|
||||||
|
|
|
@ -590,13 +590,17 @@ func (s *Server) buildServerEntryPoints() map[string]*serverEntryPoint {
|
||||||
serverEntryPoints[entryPointName].certs.SniStrict = entryPoint.Configuration.TLS.SniStrict
|
serverEntryPoints[entryPointName].certs.SniStrict = entryPoint.Configuration.TLS.SniStrict
|
||||||
|
|
||||||
if entryPoint.Configuration.TLS.DefaultCertificate != nil {
|
if entryPoint.Configuration.TLS.DefaultCertificate != nil {
|
||||||
cert, err := tls.LoadX509KeyPair(entryPoint.Configuration.TLS.DefaultCertificate.CertFile.String(), entryPoint.Configuration.TLS.DefaultCertificate.KeyFile.String())
|
cert, err := buildDefaultCertificate(entryPoint.Configuration.TLS.DefaultCertificate)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
log.Error(err)
|
||||||
|
continue
|
||||||
}
|
}
|
||||||
serverEntryPoints[entryPointName].certs.DefaultCertificate = &cert
|
serverEntryPoints[entryPointName].certs.DefaultCertificate = cert
|
||||||
} else {
|
} else {
|
||||||
cert, err := generate.DefaultCertificate()
|
cert, err := generate.DefaultCertificate()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
log.Errorf("failed to generate default certificate: %v", err)
|
||||||
|
continue
|
||||||
}
|
}
|
||||||
serverEntryPoints[entryPointName].certs.DefaultCertificate = cert
|
serverEntryPoints[entryPointName].certs.DefaultCertificate = cert
|
||||||
}
|
}
|
||||||
|
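Review bot: The new `continue` after `log.Error(err)` leaves `serverEntryPoints[entryPointName]` in the map with `certs.SniStrict` already set on the hunk's first line but no `DefaultCertificate`, so an entry point whose configured default certificate fails to load is still returned and, as far as this hunk shows, would be started without the certificate the operator configured; the `continue` in the `generate.DefaultCertificate()` branch has the same effect. As the hunk shows it, the old error branches were empty and the zero-value `cert` was stored, so logging and skipping is an improvement, but a TLS misconfiguration still degrades to a log line. If the map entry is not needed elsewhere, drop it before skipping, `delete(serverEntryPoints, entryPointName)` ahead of each `continue`, or better, surface the error to the caller so a broken default certificate aborts startup. buildServerEntryPoints starts before and ends after the hunk.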
@ -611,6 +615,24 @@ func (s *Server) buildServerEntryPoints() map[string]*serverEntryPoint {
|
||||||
return serverEntryPoints
|
return serverEntryPoints
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func buildDefaultCertificate(defaultCertificate *traefiktls.Certificate) (*tls.Certificate, error) {
|
||||||
|
certFile, err := defaultCertificate.CertFile.Read()
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("failed to get cert file content: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
keyFile, err := defaultCertificate.KeyFile.Read()
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("failed to get key file content: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
cert, err := tls.X509KeyPair(certFile, keyFile)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("failed to load X509 key pair: %v", err)
|
||||||
|
}
|
||||||
|
return &cert, nil
|
||||||
|
}
|
||||||
|
|
||||||
func (s *Server) buildDefaultHTTPRouter() *mux.Router {
|
func (s *Server) buildDefaultHTTPRouter() *mux.Router {
|
||||||
rt := mux.NewRouter()
|
rt := mux.NewRouter()
|
||||||
rt.NotFoundHandler = s.wrapHTTPHandlerWithAccessLog(http.HandlerFunc(http.NotFound), "backend not found")
|
rt.NotFoundHandler = s.wrapHTTPHandlerWithAccessLog(http.HandlerFunc(http.NotFound), "backend not found")
|
||||||
|
|
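Review bot: `buildDefaultCertificate` has no doc comment, and a reader has to follow `CertFile.Read()` and `KeyFile.Read()` to learn that it now hands PEM bytes, not paths, to `tls.X509KeyPair` (the removed code used `tls.LoadX509KeyPair` with `String()` paths); add above the signature: `// buildDefaultCertificate resolves the certificate and key of defaultCertificate through their Read methods and parses them into a tls.Certificate; defaultCertificate must be non-nil (the caller checks).` The three `fmt.Errorf(... %v ...)` lines drop the error chain; if the module builds with Go 1.13 or later, `%w` keeps `errors.Is`/`errors.As` usable for callers. buildDefaultHTTPRouter starts in the hunk and continues past it.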