From: William Lallemand Date: Mon, 29 Apr 2024 15:23:02 +0000 (+0200) Subject: MINOR: ssl: introduce ocsp_update.http_proxy for ocsp-update keyword X-Git-Tag: v3.0-dev10~39 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6b634c4779c25f33cb3295ae43c91955a024cada;p=thirdparty%2Fhaproxy.git MINOR: ssl: introduce ocsp_update.http_proxy for ocsp-update keyword The ocsp_update.http_proxy global option allows to set an HTTP proxy address which will be used to send the OCSP update request with an absolute form URI.
---
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 1695ff047e..96af75434b 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -1290,6 +1290,7 @@ The following keywords are supported in the "global" section :
 - nbthread
 - node
 - numa-cpu-mapping
+ - ocsp_update.http_proxy
 - pidfile
 - pp2-never-send-local
 - presetenv
@@ -2168,6 +2169,11 @@ numa-cpu-mapping
 already specified, for example via the 'cpu-map' directive or the taskset
 utility.
+ocsp_update.http_proxy
[:port]
+ Allow to use an HTTP proxy for the OCSP updates. This only works with HTTP,
+ HTTPS is not supported. This option will allow the OCSP updater to send
+ absolute URI in the request to the proxy.
+
 pidfile
 Writes PIDs of all daemons into file when daemon mode or writes PID of
 master process into file when master-worker mode. This option is
diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c
index 1b96200cae..edd2344546 100644
--- a/src/ssl_ocsp.c
+++ b/src/ssl_ocsp.c
@@ -47,6 +47,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -98,6 +99,8 @@
 * to conditionally define it in openssl-compat.h than using lots of ifdefs.
 */
+static struct sockaddr_storage *ocsp_update_dst;
+
 #ifndef OPENSSL_NO_OCSP
 int ocsp_ex_index = -1;
@@ -1319,6 +1322,15 @@ static struct task *ssl_ocsp_update_responses(struct task *task, void *context,
 goto leave;
 }
+ /* if the ocsp_update.http_proxy option was set */
+ if (ocsp_update_dst) {
+ hc->flags |= HC_F_HTTPPROXY;
+ if (!sockaddr_alloc(&hc->dst, ocsp_update_dst, sizeof(*ocsp_update_dst))) {
+ ha_alert("ocsp-update: Failed to allocate sockaddr in %s:%d.\n", __FUNCTION__, __LINE__);
+ goto leave;
+ }
+ }
+
 if (httpclient_req_gen(hc, hc->req.url, hc->req.meth,
 b_data(req_body) ? ocsp_request_hdrs : NULL,
 b_data(req_body) ? ist2(b_orig(req_body), b_data(req_body)) : IST_NULL) != ERR_NONE) {
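Review bot: The new block in ssl_ocsp_update_responses never enforces the "HTTP only" restriction that the doc hunk promises: once `ocsp_update_dst` is set, `HC_F_HTTPPROXY` is raised and `hc->dst` is pointed at the proxy whatever scheme `hc->req.url` carries, so a certificate whose AIA responder URI is `https://` would presumably be emitted in absolute form over the plain proxy connection, or fail somewhere inside the httpclient with no hint that the proxy option is the cause. An explicit guard before setting the flag would make this a visible, per-certificate skip, e.g. `if (ocsp_update_dst && strncasecmp(hc->req.url, "https://", 8) == 0) { ha_alert("ocsp-update: '%s' cannot be fetched through ocsp_update.http_proxy (HTTPS is not supported)\n", hc->req.url); goto leave; }`. The `/* if the ocsp_update.http_proxy option was set */` comment would also be more useful if it said why the lock-free read of the file-scope pointer is fine here, i.e. that it is only written by the config parser before the updater task runs, assuming that is indeed the only writer. Whether `leave` releases `hc` after the allocation failure cannot be checked from here, since ssl_ocsp_update_responses both starts and continues outside the hunk.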
@@ -1907,6 +1919,34 @@ static void cli_release_show_ocsp_updates(struct appctx *appctx)
 HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
 }
+static int ocsp_update_parse_global_http_proxy(char **args, int section_type, struct proxy *curpx,
+ const struct proxy *defpx, const char *file, int line,
+ char **err)
+{
+ struct sockaddr_storage *sk;
+ char *errmsg = NULL;
+
+ if (too_many_args(1, args, err, NULL))
+ return -1;
+
+ sockaddr_free(&ocsp_update_dst);
+ /* 'sk' is statically allocated (no need to be freed). */
+ sk = str2sa_range(args[1], NULL, NULL, NULL, NULL, NULL, NULL,
+ &errmsg, NULL, NULL,
+ PA_O_PORT_OK | PA_O_STREAM | PA_O_XPRT | PA_O_CONNECT);
+ if (!sk) {
+ ha_alert("ocsp-update: Failed to parse destination address in %s\n", errmsg);
+ free(errmsg);
+ return -1;
+ }
+
+ if (!sockaddr_alloc(&ocsp_update_dst, sk, sizeof(*sk))) {
+ ha_alert("ocsp-update: Failed to allocate sockaddr in %s:%d.\n", __FUNCTION__, __LINE__);
+ return -1;
+ }
+
+ return 0;
+}
 static struct cli_kw_list cli_kws = {{ },{
 { { "set", "ssl", "ocsp-response", NULL }, "set ssl ocsp-response : update a certificate's OCSP Response from a base64-encode DER", cli_parse_set_ocspresponse, NULL },
@@ -1921,6 +1961,12 @@ static struct cli_kw_list cli_kws = {{ },{
 INITCALL1(STG_REGISTER, cli_register_kw, &cli_kws);
+static struct cfg_kw_list cfg_kws = {ILH, {
+ { CFG_GLOBAL, "ocsp_update.http_proxy", ocsp_update_parse_global_http_proxy },
+ { 0, NULL, NULL },
+}};
+
+INITCALL1(STG_REGISTER, cfg_register_keywords, &cfg_kws);
 /*
 * Local variables:
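Review bot: ocsp_update_parse_global_http_proxy reports its two failures with `ha_alert()` instead of filling `*err` as the `too_many_args()` call two lines above already does, so the message is printed without the file/line context the config parser would add and the `file`/`line` parameters go unused; the str2sa_range branch should read `memprintf(err, "'%s' : %s", args[0], errmsg); free(errmsg); return -1;` and the allocation branch `memprintf(err, "'%s' : out of memory", args[0]); return -1;`, which also fixes the current text "Failed to parse destination address in %s" that substitutes only the error string and no address. The address flags pass `PA_O_PORT_OK` but nothing makes the port mandatory or supplies a default, so as far as I can tell `ocsp_update.http_proxy 10.0.0.1` is accepted at load time and only fails later when the updater connects to port 0; using `PA_O_PORT_MAND` (or rejecting a zero port after parsing) would surface the mistake where the operator can see it. An empty argument is caught only indirectly through str2sa_range, so an explicit `if (!*args[1]) { memprintf(err, "'%s' expects an address[:port]", args[0]); return -1; }` is worth adding for a clear message. A blank line is missing between the function's closing `}` and the unchanged `static struct cli_kw_list cli_kws` line that follows it.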