Exemple #1
0
        private Yarp.ReverseProxy.Abstractions.ProxyHttpClientOptions CreateProxyHttpClientOptions(ProxyHttpClientOptions proxyHttpClientOptions)
        {
            if (proxyHttpClientOptions is null)
            {
                return(null);
            }

            //var certSection = proxyHttpClientOptions.ClientCertificate;

            X509Certificate2 clientCertificate = null;

            if (proxyHttpClientOptions.ClientCertificate != null)
            {
                clientCertificate = _certificateConfigLoader.LoadCertificate(proxyHttpClientOptions.ClientCertificate);
            }

            if (clientCertificate != null)
            {
                Certificates.AddLast(new WeakReference <X509Certificate2>(clientCertificate));
            }

            SslProtocols?sslProtocols = null;

            if (!string.IsNullOrWhiteSpace(proxyHttpClientOptions?.SslProtocols))
            {
                foreach (var protocolConfig in proxyHttpClientOptions?.SslProtocols?.Split(",").Select(s => Enum.Parse <SslProtocols>(s, ignoreCase: true)))
                {
                    sslProtocols = sslProtocols == null ? protocolConfig : sslProtocols | protocolConfig;
                }
            }
            else
            {
                sslProtocols = SslProtocols.None;
            }

            return(new Yarp.ReverseProxy.Abstractions.ProxyHttpClientOptions
            {
                SslProtocols = sslProtocols,
                DangerousAcceptAnyServerCertificate = proxyHttpClientOptions.DangerousAcceptAnyServerCertificate,
                ClientCertificate = clientCertificate,
                MaxConnectionsPerServer = proxyHttpClientOptions.MaxConnectionsPerServer,
#if NET
                EnableMultipleHttp2Connections = proxyHttpClientOptions.EnableMultipleHttp2Connections,
#endif
                ActivityContextHeaders = proxyHttpClientOptions.ActivityContextHeaders.ReadEnum <Yarp.ReverseProxy.Abstractions.ActivityContextHeaders>()
            });
        }
Exemple #2
0
        private ProxyHttpClientOptions CreateProxyHttpClientOptions(IConfigurationSection section)
        {
            if (!section.Exists())
            {
                return(null);
            }

            var certSection = section.GetSection(nameof(ProxyHttpClientOptions.ClientCertificate));

            X509Certificate2 clientCertificate = null;

            if (certSection.Exists())
            {
                clientCertificate = _certificateConfigLoader.LoadCertificate(certSection);
            }

            if (clientCertificate != null)
            {
                Certificates.AddLast(new WeakReference <X509Certificate2>(clientCertificate));
            }

            SslProtocols?sslProtocols = null;

            if (section.GetSection(nameof(ProxyHttpClientOptions.SslProtocols)) is IConfigurationSection sslProtocolsSection)
            {
                foreach (var protocolConfig in sslProtocolsSection.GetChildren().Select(s => Enum.Parse <SslProtocols>(s.Value, ignoreCase: true)))
                {
                    sslProtocols = sslProtocols == null ? protocolConfig : sslProtocols | protocolConfig;
                }
            }

            return(new ProxyHttpClientOptions
            {
                SslProtocols = sslProtocols,
                DangerousAcceptAnyServerCertificate = section.ReadBool(nameof(ProxyHttpClientOptions.DangerousAcceptAnyServerCertificate)),
                ClientCertificate = clientCertificate,
                MaxConnectionsPerServer = section.ReadInt32(nameof(ProxyHttpClientOptions.MaxConnectionsPerServer)),
#if NET
                EnableMultipleHttp2Connections = section.ReadBool(nameof(ProxyHttpClientOptions.EnableMultipleHttp2Connections)),
                RequestHeaderEncoding = section[nameof(ProxyHttpClientOptions.RequestHeaderEncoding)] is string encoding?Encoding.GetEncoding(encoding) : null,
#endif
                ActivityContextHeaders = section.ReadEnum <ActivityContextHeaders>(nameof(ProxyHttpClientOptions.ActivityContextHeaders))
            });
Exemple #3
0
        public SniOptionsSelector(
            string endpointName,
            Dictionary <string, SniConfig> sniDictionary,
            ICertificateConfigLoader certifcateConfigLoader,
            HttpsConnectionAdapterOptions fallbackHttpsOptions,
            HttpProtocols fallbackHttpProtocols,
            ILogger <HttpsConnectionMiddleware> logger)
        {
            _endpointName = endpointName;

            _fallbackServerCertificateSelector = fallbackHttpsOptions.ServerCertificateSelector;
            _onAuthenticateCallback            = fallbackHttpsOptions.OnAuthenticate;

            foreach (var(name, sniConfig) in sniDictionary)
            {
                var sslOptions = new SslServerAuthenticationOptions
                {
                    ServerCertificate              = certifcateConfigLoader.LoadCertificate(sniConfig.Certificate, $"{endpointName}:Sni:{name}"),
                    EnabledSslProtocols            = sniConfig.SslProtocols ?? fallbackHttpsOptions.SslProtocols,
                    CertificateRevocationCheckMode = fallbackHttpsOptions.CheckCertificateRevocation ? X509RevocationMode.Online : X509RevocationMode.NoCheck,
                };

                if (sslOptions.ServerCertificate is null)
                {
                    if (fallbackHttpsOptions.ServerCertificate is null && _fallbackServerCertificateSelector is null)
                    {
                        throw new InvalidOperationException(CoreStrings.NoCertSpecifiedNoDevelopmentCertificateFound);
                    }

                    if (_fallbackServerCertificateSelector is null)
                    {
                        // Cache the fallback ServerCertificate since there's no fallback ServerCertificateSelector taking precedence.
                        sslOptions.ServerCertificate = fallbackHttpsOptions.ServerCertificate;
                    }
                }

                if (sslOptions.ServerCertificate != null)
                {
                    // This might be do blocking IO but it'll resolve the certificate chain up front before any connections are
                    // made to the server
                    sslOptions.ServerCertificateContext = SslStreamCertificateContext.Create((X509Certificate2)sslOptions.ServerCertificate, additionalCertificates: null);
                }

                if (!certifcateConfigLoader.IsTestMock && sslOptions.ServerCertificate is X509Certificate2 cert2)
                {
                    HttpsConnectionMiddleware.EnsureCertificateIsAllowedForServerAuth(cert2);
                }

                var clientCertificateMode = sniConfig.ClientCertificateMode ?? fallbackHttpsOptions.ClientCertificateMode;

                if (clientCertificateMode != ClientCertificateMode.NoCertificate)
                {
                    sslOptions.ClientCertificateRequired = clientCertificateMode == ClientCertificateMode.AllowCertificate ||
                                                           clientCertificateMode == ClientCertificateMode.RequireCertificate;
                    sslOptions.RemoteCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) =>
                                                                     HttpsConnectionMiddleware.RemoteCertificateValidationCallback(
                        clientCertificateMode, fallbackHttpsOptions.ClientCertificateValidation, certificate, chain, sslPolicyErrors);
                }

                var httpProtocols = sniConfig.Protocols ?? fallbackHttpProtocols;
                httpProtocols = HttpsConnectionMiddleware.ValidateAndNormalizeHttpProtocols(httpProtocols, logger);
                HttpsConnectionMiddleware.ConfigureAlpn(sslOptions, httpProtocols);

                var sniOptions = new SniOptions(sslOptions, httpProtocols, clientCertificateMode);

                if (name.Equals(WildcardHost, StringComparison.Ordinal))
                {
                    _wildcardOptions = sniOptions;
                }
                else if (name.StartsWith(WildcardPrefix, StringComparison.Ordinal))
                {
                    // Only slice off 1 character, the `*`. We want to match the leading `.` also.
                    _wildcardPrefixOptions.Add(name.Substring(1), sniOptions);
                }
                else
                {
                    _exactNameOptions.Add(name, sniOptions);
                }
            }
        }