private Yarp.ReverseProxy.Abstractions.ProxyHttpClientOptions CreateProxyHttpClientOptions(ProxyHttpClientOptions proxyHttpClientOptions)
{
if (proxyHttpClientOptions is null)
{
return(null);
}
//var certSection = proxyHttpClientOptions.ClientCertificate;
X509Certificate2 clientCertificate = null;
if (proxyHttpClientOptions.ClientCertificate != null)
{
clientCertificate = _certificateConfigLoader.LoadCertificate(proxyHttpClientOptions.ClientCertificate);
}
if (clientCertificate != null)
{
Certificates.AddLast(new WeakReference <X509Certificate2>(clientCertificate));
}
SslProtocols?sslProtocols = null;
if (!string.IsNullOrWhiteSpace(proxyHttpClientOptions?.SslProtocols))
{
foreach (var protocolConfig in proxyHttpClientOptions?.SslProtocols?.Split(",").Select(s => Enum.Parse <SslProtocols>(s, ignoreCase: true)))
{
sslProtocols = sslProtocols == null ? protocolConfig : sslProtocols | protocolConfig;
}
}
else
{
sslProtocols = SslProtocols.None;
}
return(new Yarp.ReverseProxy.Abstractions.ProxyHttpClientOptions
{
SslProtocols = sslProtocols,
DangerousAcceptAnyServerCertificate = proxyHttpClientOptions.DangerousAcceptAnyServerCertificate,
ClientCertificate = clientCertificate,
MaxConnectionsPerServer = proxyHttpClientOptions.MaxConnectionsPerServer,
#if NET
EnableMultipleHttp2Connections = proxyHttpClientOptions.EnableMultipleHttp2Connections,
#endif
ActivityContextHeaders = proxyHttpClientOptions.ActivityContextHeaders.ReadEnum <Yarp.ReverseProxy.Abstractions.ActivityContextHeaders>()
});
}
private ProxyHttpClientOptions CreateProxyHttpClientOptions(IConfigurationSection section)
{
if (!section.Exists())
{
return(null);
}
var certSection = section.GetSection(nameof(ProxyHttpClientOptions.ClientCertificate));
X509Certificate2 clientCertificate = null;
if (certSection.Exists())
{
clientCertificate = _certificateConfigLoader.LoadCertificate(certSection);
}
if (clientCertificate != null)
{
Certificates.AddLast(new WeakReference <X509Certificate2>(clientCertificate));
}
SslProtocols?sslProtocols = null;
if (section.GetSection(nameof(ProxyHttpClientOptions.SslProtocols)) is IConfigurationSection sslProtocolsSection)
{
foreach (var protocolConfig in sslProtocolsSection.GetChildren().Select(s => Enum.Parse <SslProtocols>(s.Value, ignoreCase: true)))
{
sslProtocols = sslProtocols == null ? protocolConfig : sslProtocols | protocolConfig;
}
}
return(new ProxyHttpClientOptions
{
SslProtocols = sslProtocols,
DangerousAcceptAnyServerCertificate = section.ReadBool(nameof(ProxyHttpClientOptions.DangerousAcceptAnyServerCertificate)),
ClientCertificate = clientCertificate,
MaxConnectionsPerServer = section.ReadInt32(nameof(ProxyHttpClientOptions.MaxConnectionsPerServer)),
#if NET
EnableMultipleHttp2Connections = section.ReadBool(nameof(ProxyHttpClientOptions.EnableMultipleHttp2Connections)),
RequestHeaderEncoding = section[nameof(ProxyHttpClientOptions.RequestHeaderEncoding)] is string encoding?Encoding.GetEncoding(encoding) : null,
#endif
ActivityContextHeaders = section.ReadEnum <ActivityContextHeaders>(nameof(ProxyHttpClientOptions.ActivityContextHeaders))
});
public SniOptionsSelector(
string endpointName,
Dictionary <string, SniConfig> sniDictionary,
ICertificateConfigLoader certifcateConfigLoader,
HttpsConnectionAdapterOptions fallbackHttpsOptions,
HttpProtocols fallbackHttpProtocols,
ILogger <HttpsConnectionMiddleware> logger)
{
_endpointName = endpointName;
_fallbackServerCertificateSelector = fallbackHttpsOptions.ServerCertificateSelector;
_onAuthenticateCallback = fallbackHttpsOptions.OnAuthenticate;
foreach (var(name, sniConfig) in sniDictionary)
{
var sslOptions = new SslServerAuthenticationOptions
{
ServerCertificate = certifcateConfigLoader.LoadCertificate(sniConfig.Certificate, $"{endpointName}:Sni:{name}"),
EnabledSslProtocols = sniConfig.SslProtocols ?? fallbackHttpsOptions.SslProtocols,
CertificateRevocationCheckMode = fallbackHttpsOptions.CheckCertificateRevocation ? X509RevocationMode.Online : X509RevocationMode.NoCheck,
};
if (sslOptions.ServerCertificate is null)
{
if (fallbackHttpsOptions.ServerCertificate is null && _fallbackServerCertificateSelector is null)
{
throw new InvalidOperationException(CoreStrings.NoCertSpecifiedNoDevelopmentCertificateFound);
}
if (_fallbackServerCertificateSelector is null)
{
// Cache the fallback ServerCertificate since there's no fallback ServerCertificateSelector taking precedence.
sslOptions.ServerCertificate = fallbackHttpsOptions.ServerCertificate;
}
}
if (sslOptions.ServerCertificate != null)
{
// This might be do blocking IO but it'll resolve the certificate chain up front before any connections are
// made to the server
sslOptions.ServerCertificateContext = SslStreamCertificateContext.Create((X509Certificate2)sslOptions.ServerCertificate, additionalCertificates: null);
}
if (!certifcateConfigLoader.IsTestMock && sslOptions.ServerCertificate is X509Certificate2 cert2)
{
HttpsConnectionMiddleware.EnsureCertificateIsAllowedForServerAuth(cert2);
}
var clientCertificateMode = sniConfig.ClientCertificateMode ?? fallbackHttpsOptions.ClientCertificateMode;
if (clientCertificateMode != ClientCertificateMode.NoCertificate)
{
sslOptions.ClientCertificateRequired = clientCertificateMode == ClientCertificateMode.AllowCertificate ||
clientCertificateMode == ClientCertificateMode.RequireCertificate;
sslOptions.RemoteCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) =>
HttpsConnectionMiddleware.RemoteCertificateValidationCallback(
clientCertificateMode, fallbackHttpsOptions.ClientCertificateValidation, certificate, chain, sslPolicyErrors);
}
var httpProtocols = sniConfig.Protocols ?? fallbackHttpProtocols;
httpProtocols = HttpsConnectionMiddleware.ValidateAndNormalizeHttpProtocols(httpProtocols, logger);
HttpsConnectionMiddleware.ConfigureAlpn(sslOptions, httpProtocols);
var sniOptions = new SniOptions(sslOptions, httpProtocols, clientCertificateMode);
if (name.Equals(WildcardHost, StringComparison.Ordinal))
{
_wildcardOptions = sniOptions;
}
else if (name.StartsWith(WildcardPrefix, StringComparison.Ordinal))
{
// Only slice off 1 character, the `*`. We want to match the leading `.` also.
_wildcardPrefixOptions.Add(name.Substring(1), sniOptions);
}
else
{
_exactNameOptions.Add(name, sniOptions);
}
}
}