Documentation
Index
- func CertPoolFromFile(filename string) (*x509.CertPool, error)
- func CertificateFromFile(certFile, keyFile, password string) (tls.Certificate, error)
- func FilterPEM(pemBlocks []byte, filter func(*pem.Block) bool) ([]byte, error)
- func FlushOnWrite(w http.ResponseWriter) http.ResponseWriter
- func ForwardedIPFromContext(ctx context.Context) net.IP
- type TLSProxy
Constants
This section is empty.
Variables
This section is empty.
Functions
func CertPoolFromFile
func CertPoolFromFile(filename string) (*x509.CertPool, error)
CertPoolFromFile returns an X.509 certificate pool that contains all system root certificates from x509.SystemCertPool plus the certificates loaded from the given filename.
If filename is a directory, every file inside it is parsed as a PEM-encoded X.509 certificate and added to the certificate pool. Otherwise, filename itself is parsed as a PEM-encoded X.509 certificate file and added to the certificate pool.
It returns the first error it encounters, if any, while parsing an X.509 certificate file.
func CertificateFromFile
func CertificateFromFile(certFile, keyFile, password string) (tls.Certificate, error)
CertificateFromFile reads and parses the PEM-encoded private key from keyFile and the X.509 certificate from certFile.
If the private key is an encrypted PEM block, the given password is used to decrypt it. However, PEM encryption as specified in RFC 1423 is insecure by design: because it does not authenticate the ciphertext, it is vulnerable to padding oracle attacks that can let an attacker recover the plaintext.
func FilterPEM
func FilterPEM(pemBlocks []byte, filter func(*pem.Block) bool) ([]byte, error)
FilterPEM applies the filter function to each PEM block in pemBlocks and returns an error if at least one PEM block does not pass the filter.
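The PEM-walking logic that CertPoolFromFile and FilterPEM describe, written out as an added Go example; it is not the package's own code. It assumes FilterPEM returns the re-encoded blocks that passed the filter (the page only documents the error behaviour), and uses it with two filters a trust-store loader would want: one that keeps only certificates, and one that rejects the RFC 1423 password-encrypted blocks the CertificateFromFile note warns about. The bundle is constructed test data with dummy base64 bodies, so the certificate block is not parseable by x509, only by pem.

```go
package main

import (
	"encoding/pem"
	"fmt"
)

// filterPEM walks every PEM block in data and applies filter. Blocks that
// pass are re-encoded and returned; as in the documented FilterPEM, an error
// is reported if at least one block was rejected, naming the rejected types.
func filterPEM(data []byte, filter func(*pem.Block) bool) ([]byte, error) {
	var kept []byte
	var rejected []string
	for {
		block, rest := pem.Decode(data)
		if block == nil {
			break // no further PEM block in the remaining bytes
		}
		if filter(block) {
			kept = append(kept, pem.EncodeToMemory(block)...)
		} else {
			rejected = append(rejected, block.Type)
		}
		data = rest
	}
	if len(rejected) > 0 {
		return kept, fmt.Errorf("%d PEM block(s) rejected: %v", len(rejected), rejected)
	}
	return kept, nil
}

// isLegacyEncrypted reports whether a block uses RFC 1423 password-based
// encryption, which is signalled by a "Proc-Type: 4,ENCRYPTED" header.
func isLegacyEncrypted(b *pem.Block) bool {
	return b.Headers["Proc-Type"] == "4,ENCRYPTED"
}

// onlyCertificates is the filter for a CA bundle: any private key that was
// pasted into the file, encrypted or not, is caught instead of silently kept.
func onlyCertificates(b *pem.Block) bool {
	return b.Type == "CERTIFICATE"
}

// countBlocks returns how many PEM blocks data contains.
func countBlocks(data []byte) int {
	n := 0
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		n++
	}
	return n
}

// bundle is constructed test data: a certificate, an RFC 1423 encrypted RSA
// key and a plain EC key, as found in a mis-assembled trust-store file.
// The base64 bodies are dummies (zero bytes), not real key material.
const bundle = `-----BEGIN CERTIFICATE-----
AAAA
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
-----BEGIN EC PRIVATE KEY-----
AAAA
-----END EC PRIVATE KEY-----
`

func main() {
	certs, err := filterPEM([]byte(bundle), onlyCertificates)
	fmt.Printf("kept %d certificate block(s); err = %v\n", countBlocks(certs), err)
}
```

Running the filter with onlyCertificates keeps the single certificate and reports the two key blocks; running it with a filter that negates isLegacyEncrypted keeps the certificate and the plain EC key and reports only the RFC 1423 block.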
func FlushOnWrite
func FlushOnWrite(w http.ResponseWriter) http.ResponseWriter
FlushOnWrite returns an http.ResponseWriter that wraps w and flushes after every Write if w implements the http.Flusher interface.
Types
type TLSProxy
    type TLSProxy struct {
        // CertHeader is the HTTP header key used to extract the
        // client certificate forwarded by a TLS proxy. The TLS
        // proxy has to include the certificate of the actual
        // client into the request headers as CertHeader.
        //
        // If the request has been sent by a proxy but the request
        // headers do not contain an escaped and ASN.1 encoded
        // certificate then the request will be rejected.
        CertHeader string

        // The X.509 certificate verification options used when
        // verifying the certificate that has been sent by the
        // actual kes client and forwarded by the TLS proxy as
        // part of the request headers.
        //
        // If it is nil the client certificate won't be verified.
        VerifyOptions *x509.VerifyOptions
        // contains filtered or unexported fields
    }
A TLSProxy handles HTTP requests sent by a client through a TLS proxy sitting between the client and the server.
It verifies that the request actually came from a known TLS proxy, extracts the client information attached by the proxy and modifies the request based on that information.
In particular, it extracts the forwarded client IP, if any, and adjusts the request's TLS state with the forwarded client certificate.
func (*TLSProxy) Add
func (p *TLSProxy) Add(identity kes.Identity)
Add adds the given identity to the list of TLS proxies if:
    identity != kes.IdentityUnknown
func (*TLSProxy) Verify
Verify verifies the given HTTP request. If the request has been made by a TLS proxy then Verify tries to extract the certificate of the actual kes client from the request headers and replaces the peer certificate of the TLS proxy with the extracted client certificate.
It verifies the certificate of the actual kes client, if present, only if the TLSProxy.VerifyOptions are not nil.
If the request has not been made by a TLS proxy, Verify only checks whether a client certificate is present.
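The decision procedure that Add and Verify describe, written out as an added Go example rather than the package's own code. It assumes that an identity (standing in for kes.Identity) is the hex SHA-256 of the certificate's SubjectPublicKeyInfo, that CertHeader carries the client certificate as URL-escaped DER, and that the type's hidden field is a set of registered proxy identities; none of those internals are on this page. The certificates are generated at run time as constructed test data. The point worth seeing in code is that only a peer whose identity was registered with Add gets its CertHeader honoured: a direct client cannot become someone else by setting that header itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/url"
	"time"
)

// Identity stands in for kes.Identity. Assumed for this example only: an
// identity is the hex SHA-256 of the certificate's SubjectPublicKeyInfo.
type Identity string
const IdentityUnknown Identity = ""

func identityOf(cert *x509.Certificate) Identity {
	return Identity(fmt.Sprintf("%x", sha256.Sum256(cert.RawSubjectPublicKeyInfo)))
}

// TLSProxy mirrors the documented type; proxies models its unexported field.
type TLSProxy struct {
	CertHeader    string
	VerifyOptions *x509.VerifyOptions
	proxies       map[Identity]struct{}
}

// Add ignores IdentityUnknown so an empty identity can never match every peer.
func (p *TLSProxy) Add(id Identity) {
	if id == IdentityUnknown {
		return
	}
	if p.proxies == nil {
		p.proxies = make(map[Identity]struct{})
	}
	p.proxies[id] = struct{}{}
}

// Verify: a known proxy must forward the real client's certificate as
// URL-escaped DER in CertHeader (assumed encoding), which replaces the proxy's
// own certificate; any other peer only has to present some certificate.
func (p *TLSProxy) Verify(r *http.Request) error {
	if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
		return fmt.Errorf("no client certificate presented")
	}
	if _, known := p.proxies[identityOf(r.TLS.PeerCertificates[0])]; !known {
		return nil // direct client: its CertHeader, if any, is ignored
	}
	der, _ := url.QueryUnescape(r.Header.Get(p.CertHeader))
	client, err := x509.ParseCertificate([]byte(der))
	if err != nil {
		return fmt.Errorf("proxied request needs a valid %s header: %w", p.CertHeader, err)
	}
	if p.VerifyOptions != nil {
		if _, err := client.Verify(*p.VerifyOptions); err != nil {
			return fmt.Errorf("forwarded client certificate rejected: %w", err)
		}
	}
	r.TLS.PeerCertificates = []*x509.Certificate{client}
	return nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSigned builds a throwaway certificate: constructed test data only.
func selfSigned(cn string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

// verifyThrough fakes a TLS session terminated by peer, optionally carrying
// forwarded in CertHeader, and reports whom the server then treats as the client.
func verifyThrough(p *TLSProxy, peer, forwarded *x509.Certificate) (string, error) {
	r := must(http.NewRequest(http.MethodGet, "https://kes.example/v1/key/list", nil))
	r.TLS = &tls.ConnectionState{PeerCertificates: []*x509.Certificate{peer}}
	if forwarded != nil {
		r.Header.Set(p.CertHeader, url.QueryEscape(string(forwarded.Raw)))
	}
	if err := p.Verify(r); err != nil {
		return "", err
	}
	return r.TLS.PeerCertificates[0].Subject.CommonName, nil
}
```

With VerifyOptions set to a pool containing the expected client certificate, a request from the registered proxy that forwards that certificate ends up with the client as peer; the same proxy forwarding nothing, or forwarding a certificate the pool does not trust, is rejected; and a request whose TLS peer is the client itself keeps that peer even if it sets CertHeader to another certificate.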