Support for client certificate authentication

This commit is contained in:
Anders Betnér 2016-06-15 22:38:40 +02:00
parent 8e333d0a03
commit 959c7dc783
4 changed files with 65 additions and 3 deletions

View file

@ -94,7 +94,7 @@ func (ep *EntryPoints) String() string {
// Set's argument is a string to be parsed to set the flag. // Set's argument is a string to be parsed to set the flag.
// It's a comma-separated list, so we split it. // It's a comma-separated list, so we split it.
func (ep *EntryPoints) Set(value string) error { func (ep *EntryPoints) Set(value string) error {
regex := regexp.MustCompile("(?:Name:(?P<Name>\\S*))\\s*(?:Address:(?P<Address>\\S*))?\\s*(?:TLS:(?P<TLS>\\S*))?\\s*((?P<TLSACME>TLS))?\\s*(?:Redirect.EntryPoint:(?P<RedirectEntryPoint>\\S*))?\\s*(?:Redirect.Regex:(?P<RedirectRegex>\\S*))?\\s*(?:Redirect.Replacement:(?P<RedirectReplacement>\\S*))?") regex := regexp.MustCompile("(?:Name:(?P<Name>\\S*))\\s*(?:Address:(?P<Address>\\S*))?\\s*(?:TLS:(?P<TLS>\\S*))?\\s*((?P<TLSACME>TLS))?\\s*(?:CA:(?P<CA>\\S*))?\\s*(?:Redirect.EntryPoint:(?P<RedirectEntryPoint>\\S*))?\\s*(?:Redirect.Regex:(?P<RedirectRegex>\\S*))?\\s*(?:Redirect.Replacement:(?P<RedirectReplacement>\\S*))?")
match := regex.FindAllStringSubmatch(value, -1) match := regex.FindAllStringSubmatch(value, -1)
if match == nil { if match == nil {
return errors.New("Bad EntryPoints format: " + value) return errors.New("Bad EntryPoints format: " + value)
@ -120,6 +120,10 @@ func (ep *EntryPoints) Set(value string) error {
Certificates: Certificates{}, Certificates: Certificates{},
} }
} }
if len(result["CA"]) > 0 {
files := strings.Split(result["CA"], ",")
tls.ClientCAFiles = files
}
var redirect *Redirect var redirect *Redirect
if len(result["RedirectEntryPoint"]) > 0 || len(result["RedirectRegex"]) > 0 || len(result["RedirectReplacement"]) > 0 { if len(result["RedirectEntryPoint"]) > 0 || len(result["RedirectRegex"]) > 0 || len(result["RedirectReplacement"]) > 0 {
redirect = &Redirect{ redirect = &Redirect{
@ -169,6 +173,7 @@ type Redirect struct {
// TLS configures TLS for an entry point // TLS configures TLS for an entry point
type TLS struct { type TLS struct {
Certificates Certificates Certificates Certificates
ClientCAFiles []string
} }
// Certificates defines traefik certificates type // Certificates defines traefik certificates type

View file

@ -30,7 +30,7 @@ Entrypoints are the network entry points into Træfɪk.
They can be defined using: They can be defined using:
- a port (80, 443...) - a port (80, 443...)
- SSL (Certificates. Keys...) - SSL (Certificates, Keys, authentication with a client certificate signed by a trusted CA...)
- redirection to another entrypoint (redirect `HTTP` to `HTTPS`) - redirection to another entrypoint (redirect `HTTP` to `HTTPS`)
Here is an example of entrypoints definition: Here is an example of entrypoints definition:
@ -54,6 +54,23 @@ Here is an example of entrypoints definition:
- We enable SSL on `https` by giving a certificate and a key. - We enable SSL on `https` by giving a certificate and a key.
- We also redirect all the traffic from entrypoint `http` to `https`. - We also redirect all the traffic from entrypoint `http` to `https`.
And here is another example with client certificate authentication:
```toml
[entryPoints]
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
clientCAFiles = ["tests/clientca1.crt", "tests/clientca2.crt"]
[[entryPoints.https.tls.certificates]]
certFile = "tests/traefik.crt"
keyFile = "tests/traefik.key"
```
- We enable SSL on `https` by giving a certificate and a key.
- One or several files containing Certificate Authorities in PEM format are added.
- It is possible to have multiple CA:s in the same file or keep them in separate files.
## Frontends ## Frontends
A frontend is a set of rules that forwards the incoming traffic from an entrypoint to a backend. A frontend is a set of rules that forwards the incoming traffic from an entrypoint to a backend.

View file

@ -89,6 +89,28 @@
# [entryPoints.http.redirect] # [entryPoints.http.redirect]
# regex = "^http://localhost/(.*)" # regex = "^http://localhost/(.*)"
# replacement = "http://mydomain/$1" # replacement = "http://mydomain/$1"
#
# Only accept clients that present a certificate signed by a specified
# Certificate Authority (CA)
# ClientCAFiles can be configured with multiple CA:s in the same file or
# use multiple files containing one or several CA:s. The CA:s has to be in PEM format.
# All clients will be required to present a valid cert.
# The requirement will apply to all server certs in the entrypoint
# In the example below both snitest.com and snitest.org will require client certs
#
# [entryPoints]
# [entryPoints.https]
# address = ":443"
# [entryPoints.https.tls]
# ClientCAFiles = ["tests/clientca1.crt", "tests/clientca2.crt"]
# [[entryPoints.https.tls.certificates]]
# CertFile = "integration/fixtures/https/snitest.com.cert"
# KeyFile = "integration/fixtures/https/snitest.com.key"
# [[entryPoints.https.tls.certificates]]
# CertFile = "integration/fixtures/https/snitest.org.cert"
# KeyFile = "integration/fixtures/https/snitest.org.key"
#
[entryPoints] [entryPoints]
[entryPoints.http] [entryPoints.http]

View file

@ -5,8 +5,10 @@ package main
import ( import (
"crypto/tls" "crypto/tls"
"crypto/x509"
"encoding/json" "encoding/json"
"errors" "errors"
"io/ioutil"
"net/http" "net/http"
"net/url" "net/url"
"os" "os"
@ -298,6 +300,22 @@ func (server *Server) createTLSConfig(entryPointName string, tlsOption *TLS, rou
config.Certificates = append(config.Certificates, cert) config.Certificates = append(config.Certificates, cert)
} }
if len(tlsOption.ClientCAFiles) > 0 {
pool := x509.NewCertPool()
for _, caFile := range tlsOption.ClientCAFiles {
data, err := ioutil.ReadFile(caFile)
if err != nil {
return nil, err
}
ok := pool.AppendCertsFromPEM(data)
if !ok {
return nil, errors.New("invalid certificate(s) in " + caFile)
}
}
config.ClientCAs = pool
config.ClientAuth = tls.RequireAndVerifyClientCert
}
if server.globalConfiguration.ACME != nil { if server.globalConfiguration.ACME != nil {
if _, ok := server.serverEntryPoints[server.globalConfiguration.ACME.EntryPoint]; ok { if _, ok := server.serverEntryPoints[server.globalConfiguration.ACME.EntryPoint]; ok {
if entryPointName == server.globalConfiguration.ACME.EntryPoint { if entryPointName == server.globalConfiguration.ACME.EntryPoint {