mirror of
https://code.rocketnine.space/tslocum/twins.git
synced 2024-11-27 15:18:13 +01:00
Include client certificate hashes in FastCGI requests
This commit is contained in:
parent
74dc22338e
commit
207e7c4030
5 changed files with 21 additions and 9 deletions
|
@ -129,9 +129,12 @@ for more information.
|
||||||
##### FastCGI
|
##### FastCGI
|
||||||
|
|
||||||
Forward requests to [FastCGI](https://en.wikipedia.org/wiki/FastCGI) server at
|
Forward requests to [FastCGI](https://en.wikipedia.org/wiki/FastCGI) server at
|
||||||
specified address or path.
|
specified address or path. A `Root` attribute must also be specified.
|
||||||
|
|
||||||
A `Root` attribute must also be specified.
|
When a client certificate is provided with a request, the SHA-1 hash of the
|
||||||
|
first certificate is available as `$_SERVER['CLIENT_CERT_A']`. If a second
|
||||||
|
certificate is provided, it is available as `$_SERVER['CLIENT_CERT_B']`, and so
|
||||||
|
on.
|
||||||
|
|
||||||
Connect via Unix socket:
|
Connect via Unix socket:
|
||||||
|
|
||||||
|
|
2
go.mod
2
go.mod
|
@ -7,6 +7,6 @@ require (
|
||||||
github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
|
github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
|
||||||
github.com/yookoala/gofast v0.4.1-0.20201013050739-975113c54107
|
github.com/yookoala/gofast v0.4.1-0.20201013050739-975113c54107
|
||||||
gitlab.com/tslocum/gmitohtml v1.0.3-0.20201203184239-2a1abe8efe7c
|
gitlab.com/tslocum/gmitohtml v1.0.3-0.20201203184239-2a1abe8efe7c
|
||||||
golang.org/x/tools v0.0.0-20201206230334-368bee879bfd // indirect
|
golang.org/x/tools v0.0.0-20201215192005-fa10ef0b8743 // indirect
|
||||||
gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776
|
gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776
|
||||||
)
|
)
|
||||||
|
|
4
go.sum
4
go.sum
|
@ -36,8 +36,8 @@ golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGm
|
||||||
golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
|
golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
|
||||||
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
|
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
|
||||||
golang.org/x/tools v0.0.0-20200908211811-12e1bf57a112/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE=
|
golang.org/x/tools v0.0.0-20200908211811-12e1bf57a112/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE=
|
||||||
golang.org/x/tools v0.0.0-20201206230334-368bee879bfd h1:EqFvKLTxjH6gEy2baWxX2AgJwZkBIDIcZFYcoYlI9RA=
|
golang.org/x/tools v0.0.0-20201215192005-fa10ef0b8743 h1:SLHKXsC4wI4NdEGVGe/yxcTBkF/mPUS7agW3Qt5smVg=
|
||||||
golang.org/x/tools v0.0.0-20201206230334-368bee879bfd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
|
golang.org/x/tools v0.0.0-20201215192005-fa10ef0b8743/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
|
||||||
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
||||||
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
||||||
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
||||||
|
|
|
@ -2,10 +2,12 @@ package main
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"bytes"
|
"bytes"
|
||||||
|
"crypto/sha1"
|
||||||
|
"crypto/tls"
|
||||||
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"log"
|
"log"
|
||||||
"net"
|
|
||||||
"net/http"
|
"net/http"
|
||||||
"net/url"
|
"net/url"
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
|
@ -34,7 +36,7 @@ func (w *fakeResponseWriter) WriteHeader(statusCode int) {
|
||||||
// Do nothing
|
// Do nothing
|
||||||
}
|
}
|
||||||
|
|
||||||
func serveFastCGI(c net.Conn, connFactory gofast.ConnFactory, u *url.URL, filePath string) {
|
func serveFastCGI(c *tls.Conn, connFactory gofast.ConnFactory, u *url.URL, filePath string) {
|
||||||
header := map[string][]string{
|
header := map[string][]string{
|
||||||
"Accept": {"*/*"},
|
"Accept": {"*/*"},
|
||||||
"Host": {u.Hostname()},
|
"Host": {u.Hostname()},
|
||||||
|
@ -73,6 +75,12 @@ func serveFastCGI(c net.Conn, connFactory gofast.ConnFactory, u *url.URL, filePa
|
||||||
req.Params["SCRIPT_FILENAME"] = filePath
|
req.Params["SCRIPT_FILENAME"] = filePath
|
||||||
req.Params["SCRIPT_NAME"] = filepath.Base(filePath)
|
req.Params["SCRIPT_NAME"] = filepath.Base(filePath)
|
||||||
|
|
||||||
|
certLabel := 'A'
|
||||||
|
clientCerts := c.ConnectionState().PeerCertificates
|
||||||
|
for i := 0; i < len(clientCerts) && i < 26; i++ {
|
||||||
|
req.Params["CLIENT_CERT_"+string(certLabel+rune(i))] = fmt.Sprintf("%x", sha1.Sum(clientCerts[i].Raw))
|
||||||
|
}
|
||||||
|
|
||||||
w := newFakeResponseWriter(c)
|
w := newFakeResponseWriter(c)
|
||||||
|
|
||||||
client, err := gofast.SimpleClientFactory(connFactory, 0)()
|
client, err := gofast.SimpleClientFactory(connFactory, 0)()
|
||||||
|
|
|
@ -493,6 +493,7 @@ func listen(address string) {
|
||||||
tlsConfig := &tls.Config{
|
tlsConfig := &tls.Config{
|
||||||
ClientAuth: tls.RequestClientCert,
|
ClientAuth: tls.RequestClientCert,
|
||||||
GetCertificate: getCertificate,
|
GetCertificate: getCertificate,
|
||||||
|
InsecureSkipVerify: true,
|
||||||
}
|
}
|
||||||
|
|
||||||
listener, err := tls.Listen("tcp", address, tlsConfig)
|
listener, err := tls.Listen("tcp", address, tlsConfig)
|
||||||
|
|
Loading…
Reference in a new issue