This is an automated email from the ASF dual-hosted git repository.

zrhoffman pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git


The following commit(s) were added to refs/heads/master by this push:
     new 906a2780d4 TPv2 Load in custom Certificate Authorities for the Proxy 
Server. (#7488)
906a2780d4 is described below

commit 906a2780d4113f7eb5dc3e4074d830f23ae55939
Author: Steve Hamrick <[email protected]>
AuthorDate: Wed May 3 16:30:27 2023 -0600

    TPv2 Load in custom Certificate Authorities for the Proxy Server. (#7488)
    
    Add ability to load in custom certificate authorities to TPv2 proxy server
---
 experimental/traffic-portal/build/config.json | 15 ++++++++-------
 experimental/traffic-portal/server.config.ts  |  4 ++++
 experimental/traffic-portal/server.ts         |  3 +++
 3 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/experimental/traffic-portal/build/config.json 
b/experimental/traffic-portal/build/config.json
index 19725f52d2..f20bbc221a 100644
--- a/experimental/traffic-portal/build/config.json
+++ b/experimental/traffic-portal/build/config.json
@@ -1,9 +1,10 @@
 {
-  "insecure": false,
-  "port": 443,
-  "trafficOps": "https://localhost:6443";,
-  "useSSL": true,
-  "certPath": "/server.crt",
-  "keyPath": "/server.key",
-  "browserFolder": "/opt/traffic-portal/browser"
+       "insecure": false,
+       "port": 443,
+       "trafficOps": "https://localhost:6443";,
+       "useSSL": true,
+       "certificateAuthPaths": [],
+       "certPath": "/server.crt",
+       "keyPath": "/server.key",
+       "browserFolder": "/opt/traffic-portal/browser"
 }
diff --git a/experimental/traffic-portal/server.config.ts 
b/experimental/traffic-portal/server.config.ts
index f1ca69be3f..12dcff7fdf 100644
--- a/experimental/traffic-portal/server.config.ts
+++ b/experimental/traffic-portal/server.config.ts
@@ -149,6 +149,9 @@ interface ConfigWithSSL {
        certPath: string;
        /** The path to the SSL private key Traffic Portal will use. */
        keyPath: string;
+       /** The paths to trusted root certificates, setting this is equivalent
+        * to the path to the environment variable NODE_EXTRA_CA_CERTS */
+       certificateAuthPaths: Array<string>;
        /** Whether or not to serve HTTPS */
        useSSL: true;
 }
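Review bot: The new doc comment on `certificateAuthPaths` overstates the parallel with `NODE_EXTRA_CA_CERTS`. That variable names a single file whose certificates extend Node's bundled roots, and Node's documentation says it is not consulted once a `ca` option is given explicitly, whereas the `ca` option replaces the default trust list. I would describe the field directly, for example `/** Paths to PEM-encoded CA certificates; each file is read at startup and passed as the TLS "ca" option, which replaces Node's default CA list rather than adding to it. */`. The comment should also state whether an empty array is meant to leave the defaults in place. The `ConfigWithSSL` interface begins above this hunk.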
@@ -384,6 +387,7 @@ export function getConfig(args: Args, ver: ServerVersion): 
ServerConfig {
                        cfg = {
                                browserFolder: cfg.browserFolder,
                                certPath: args.certPath,
+                               certificateAuthPaths: [],
                                insecure: cfg.insecure,
                                keyPath: args.keyPath,
                                port: cfg.port,
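Review bot: `certificateAuthPaths` is declared as required on `ConfigWithSSL`, but the only runtime change in this file is the hard-coded `certificateAuthPaths: []` in this argument-built branch of `getConfig`. The diffstat shows no other added lines here, so nothing visible validates or defaults the key when the configuration is read from a file. A config.json written before this change would then yield `undefined`, and `config.certificateAuthPaths.map(...)` in server.ts would throw inside its `try` and stop the server under the unrelated message "reading SSL key/cert:". If the file-loading path (outside this hunk) does not already cover it, default the key there and check that every entry is a string before the object is returned as a `ServerConfig`. `getConfig` starts and ends outside the hunk.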
diff --git a/experimental/traffic-portal/server.ts 
b/experimental/traffic-portal/server.ts
index 84c1c4fca6..f71e7ddb0a 100644
--- a/experimental/traffic-portal/server.ts
+++ b/experimental/traffic-portal/server.ts
@@ -185,15 +185,18 @@ function run(): number {
        if (config.useSSL) {
                let cert: string;
                let key: string;
+               let ca: Array<string>;
                try {
                        cert = readFileSync(config.certPath, {encoding: 
"utf8"});
                        key = readFileSync(config.keyPath, {encoding: "utf8"});
+                       ca = config.certificateAuthPaths.map(c => 
readFileSync(c, {encoding: "utf8"}));
                } catch (e) {
                        console.error("reading SSL key/cert:", e);
                        return 1;
                }
                createServer(
                        {
+                               ca,
                                cert,
                                key,
                                rejectUnauthorized: !config.insecure,
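Review bot: Passing `ca` to `createServer` only configures the listening TLS context, where Node uses it to verify client certificates, and only when `requestCert` is set; that option does not appear among the visible ones. It has no effect on certificate validation for outbound requests. If the goal in the commit title is for the proxy to trust a privately issued Traffic Ops certificate, the loaded CAs probably also need to reach the outbound agent or proxy options, which are outside this hunk and worth confirming. Separately, the catch message should mention the CA files now that they are read in the same `try`: `console.error("reading SSL key/cert/CA:", e);`. `run` starts and ends outside the hunk.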
