public ConfigurationConfigProvider(
ILogger <ConfigurationConfigProvider> logger,
IConfiguration configuration,
ICertificateConfigLoader certificateConfigLoader)
{
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
_configuration = configuration ?? throw new ArgumentNullException(nameof(configuration));
_certificateConfigLoader = certificateConfigLoader ?? throw new ArgumentNullException(nameof(certificateConfigLoader));
}
public ConfigurationConfigProvider(
ILogger <ConfigurationConfigProvider> logger,
IOptionsMonitor <ConfigurationData> dataMonitor,
ICertificateConfigLoader certificateConfigLoader)
{
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
_optionsMonitor = dataMonitor ?? throw new ArgumentNullException(nameof(dataMonitor));
_certificateConfigLoader = certificateConfigLoader ?? throw new ArgumentNullException(nameof(certificateConfigLoader));
}
public SniOptionsSelector(
string endpointName,
Dictionary <string, SniConfig> sniDictionary,
ICertificateConfigLoader certifcateConfigLoader,
HttpsConnectionAdapterOptions fallbackHttpsOptions,
HttpProtocols fallbackHttpProtocols,
ILogger <HttpsConnectionMiddleware> logger)
{
_endpointName = endpointName;
_fallbackServerCertificateSelector = fallbackHttpsOptions.ServerCertificateSelector;
_onAuthenticateCallback = fallbackHttpsOptions.OnAuthenticate;
foreach (var(name, sniConfig) in sniDictionary)
{
var sslOptions = new SslServerAuthenticationOptions
{
ServerCertificate = certifcateConfigLoader.LoadCertificate(sniConfig.Certificate, $"{endpointName}:Sni:{name}"),
EnabledSslProtocols = sniConfig.SslProtocols ?? fallbackHttpsOptions.SslProtocols,
CertificateRevocationCheckMode = fallbackHttpsOptions.CheckCertificateRevocation ? X509RevocationMode.Online : X509RevocationMode.NoCheck,
};
if (sslOptions.ServerCertificate is null)
{
if (fallbackHttpsOptions.ServerCertificate is null && _fallbackServerCertificateSelector is null)
{
throw new InvalidOperationException(CoreStrings.NoCertSpecifiedNoDevelopmentCertificateFound);
}
if (_fallbackServerCertificateSelector is null)
{
// Cache the fallback ServerCertificate since there's no fallback ServerCertificateSelector taking precedence.
sslOptions.ServerCertificate = fallbackHttpsOptions.ServerCertificate;
}
}
if (sslOptions.ServerCertificate != null)
{
// This might be do blocking IO but it'll resolve the certificate chain up front before any connections are
// made to the server
sslOptions.ServerCertificateContext = SslStreamCertificateContext.Create((X509Certificate2)sslOptions.ServerCertificate, additionalCertificates: null);
}
if (!certifcateConfigLoader.IsTestMock && sslOptions.ServerCertificate is X509Certificate2 cert2)
{
HttpsConnectionMiddleware.EnsureCertificateIsAllowedForServerAuth(cert2);
}
var clientCertificateMode = sniConfig.ClientCertificateMode ?? fallbackHttpsOptions.ClientCertificateMode;
if (clientCertificateMode != ClientCertificateMode.NoCertificate)
{
sslOptions.ClientCertificateRequired = clientCertificateMode == ClientCertificateMode.AllowCertificate ||
clientCertificateMode == ClientCertificateMode.RequireCertificate;
sslOptions.RemoteCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) =>
HttpsConnectionMiddleware.RemoteCertificateValidationCallback(
clientCertificateMode, fallbackHttpsOptions.ClientCertificateValidation, certificate, chain, sslPolicyErrors);
}
var httpProtocols = sniConfig.Protocols ?? fallbackHttpProtocols;
httpProtocols = HttpsConnectionMiddleware.ValidateAndNormalizeHttpProtocols(httpProtocols, logger);
HttpsConnectionMiddleware.ConfigureAlpn(sslOptions, httpProtocols);
var sniOptions = new SniOptions(sslOptions, httpProtocols, clientCertificateMode);
if (name.Equals(WildcardHost, StringComparison.Ordinal))
{
_wildcardOptions = sniOptions;
}
else if (name.StartsWith(WildcardPrefix, StringComparison.Ordinal))
{
// Only slice off 1 character, the `*`. We want to match the leading `.` also.
_wildcardPrefixOptions.Add(name.Substring(1), sniOptions);
}
else
{
_exactNameOptions.Add(name, sniOptions);
}
}
}
public EFCoreReverseProxyStore(IServiceProvider sp, IMemoryCache cache, ICertificateConfigLoader certificateConfigLoader)
{
_sp = sp;
_cache = cache;
_certificateConfigLoader = certificateConfigLoader;
}
