func NewTlsServerCommand() cli.Command {
return cli.Command{
Name: "tls-server",
Usage: "Setup server encrypt mode",
Flags: append(common, certflags...),
Before: func(c *cli.Context) error {
SetLoglevel(c)
tlscacert, tlscert, tlskey := preprocess(c)
opts := proxy.CertOptions{
CA: tlscacert,
TlsCert: tlscert,
TlsKey: tlskey,
Server: true,
}
loadCertificate = func(c *cli.Context) proxy.TLSConfig {
cfg, err := proxy.LoadCertificate(opts)
if err != nil {
fmt.Fprintln(os.Stderr, err)
os.Exit(1)
}
return proxy.TLSConfig{Server: cfg}
}
return nil
},
Action: Proxy,
}
}
/*
Create a proxy that encrypts outbound connection to TLS enabled endpoint
*/
func ExampleLoadCertificate() {
tlscfg, err := proxy.LoadCertificate(proxy.CertOptions{
"s3://devops.org/cert/ca.pem",
"file://cert.pem",
"key.pem",
})
if err != nil {
log.Fatal(err)
}
// prepare proxy option with TLS enabled
pxyOpts := &proxy.ConnOptions{
// Conneciton initiator does not encrypt data
Net: "tcp4",
From: ":6379",
// destination endpoint must accept TLS encrypted data
To: []string{"10.0.0.12:6379"},
// instructs go-proxy to establish TLS connection with config
TLSConfig: proxy.TLSConfig{
Client: tlscfg,
},
}
context, cancel := ctx.WithCancel(ctx.Background())
defer cancel()
err := proxy.To(context, pxyOpts)
log.Warning(err)
}
func (i *Info) Listen() {
var (
// proxy type handler
handle ProxyFunc
// proxy connection option
opts *proxy.ConnOptions
// tls configuration info
tlscfg proxy.TLSConfig
logger = log.WithFields(log.Fields{
"Name": i.Name,
"Net": i.Net,
"From": i.From,
"Range": i.FromRange,
"To": i.To,
"Service": i.Service,
"Role": i.ServerRole,
})
)
// Setup TLS configuration
switch {
case i.ServerRole == "server":
cfg, err := proxy.LoadCertificate(proxy.CertOptions{
CA: i.CA,
TlsCert: i.Cert,
TlsKey: i.Key,
Server: true,
})
if err != nil {
logger.Error(err)
return
}
tlscfg = proxy.TLSConfig{Server: cfg}
break
case i.ServerRole == "client":
cfg, err := proxy.LoadCertificate(proxy.CertOptions{
CA: i.CA,
TlsCert: i.Cert,
TlsKey: i.Key,
})
if err != nil {
logger.Error(err)
return
}
tlscfg = proxy.TLSConfig{Client: cfg}
break
case i.ServerRole == "": // not processing TLS
break
default: // fall through as if not processing TLS
break
}
// Setup destination and listener information
switch {
case i.Service != "":
discovery := &proxy.DiscOptions{
Service: i.Service,
Endpoints: disc.Endpoints(),
}
opts = &proxy.ConnOptions{
Net: i.Net,
Discovery: discovery,
TLSConfig: tlscfg,
}
if len(i.FromRange) != 0 {
handle = proxy.ClusterSrv
opts.FromRange = i.FromRange
} else {
handle = proxy.Srv
opts.From = i.From
}
break
case len(i.To) != 0:
opts = &proxy.ConnOptions{
Net: i.Net,
To: i.To,
TLSConfig: tlscfg,
}
if len(i.FromRange) != 0 {
handle = proxy.ClusterTo
opts.FromRange = i.FromRange
} else {
handle = proxy.To
opts.From = i.From
}
break
}
// Attach context to proxy daemon
order, abort := ctx.WithCancel(RootContext)
// This proxy shall have its isolated abort feature
i.Cancel = abort
go func() {
logger.Info("begin")
err := handle(order, opts)
logger.Warning(err)
}()
}