func (p *HttpProxy) Proxy() { log.Info("HTTP proxy listening on %s", log.Colorize(log.BLUE, fmt.Sprintf("%s://%s:%d", p.Protocol, p.Host, p.Port))) pkiMgr, err := pki.New() checkHttpServerError(err) config, err := pkiMgr.GetClientTLSConfig() checkHttpServerError(err) config.InsecureSkipVerify = false mux := http.NewServeMux() mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { director := func(req *http.Request) { req = r req.URL.Scheme = p.ProxyProtocol req.URL.Host = fmt.Sprintf("%s:%d", p.ProxyHost, p.ProxyPort) } proxy := &ReverseProxy{Director: director, Middleware: p.middleware} proxy.Transport = &http.Transport{ Proxy: http.ProxyFromEnvironment, TLSClientConfig: config, TLSHandshakeTimeout: 10 * time.Second, } proxy.ServeHTTP(w, r) }) if p.Protocol == "https" { checkHttpServerError(err) checkHttpServerError(http.ListenAndServeTLS(fmt.Sprintf("%s:%d", p.Host, p.Port), pkiMgr.Config.ClientCertPath, pkiMgr.Config.ClientKeyPath, mux)) } else { checkHttpServerError(http.ListenAndServe(fmt.Sprintf("%s:%d", p.Host, p.Port), mux)) } }
func (c *PkiCommand) Run(args []string) int { c.meta = Meta{ Ui: &cli.ColoredUi{ Ui: &cli.BasicUi{Writer: os.Stdout, Reader: os.Stdin, ErrorWriter: os.Stderr}, OutputColor: cli.UiColorNone, InfoColor: cli.UiColorNone, ErrorColor: cli.UiColorRed, }, } cmdFlags := flag.NewFlagSet("pki", flag.ContinueOnError) cmdFlags.Usage = func() { c.meta.Ui.Output(c.Help()) } cmdFlags.StringVar(&c.caHost, "caHost", "localhost", "Specify the CAs custom hostname") cmdFlags.StringVar(&c.importCA, "importCA", "", "Path to CA Cert to import") cmdFlags.StringVar(&c.importClientCert, "importClientCert", "", "Path of client certificate to import and set as the default") cmdFlags.StringVar(&c.importClientKey, "importClientKey", "", "Path of client key to import and set as the default") cmdFlags.BoolVar(&c.configure, "configure", false, "Configures a default PKI infrastructure. Warning: This will clear any existing PKI files") cmdFlags.BoolVar(&c.removePKI, "removePKI", false, "Remove existing PKI keys and certs.") cmdFlags.BoolVar(&c.outputCA, "outputCA", false, "Output the CA Certificate of this node") cmdFlags.BoolVar(&c.outputClientCert, "outputClientCert", false, "Output the Client Certificate") cmdFlags.BoolVar(&c.outputClientKey, "outputClientKey", false, "Output the Client Key") cmdFlags.BoolVar(&c.generateCert, "generateCert", false, "Generate a custom cert from this nodes' CA") pki, err := pki.New() if err != nil { c.meta.Ui.Error(fmt.Sprintf("Unable to setup public key infrastructure: %s", err.Error())) return 1 } // Validate if err := cmdFlags.Parse(args); err != nil { return 1 } if c.configure { c.meta.Ui.Output(fmt.Sprintf("Setting up PKI for %s...", c.caHost)) pki.RemovePKI() err := pki.SetupPKI(c.caHost) if err != nil { c.meta.Ui.Error(err.Error()) } c.meta.Ui.Output("PKI setup complete.") } if c.importCA != "" { c.meta.Ui.Output(fmt.Sprintf("Importing CA from %s", c.importCA)) timestamp := time.Now().Unix() err := pki.ImportCA(fmt.Sprintf("%d", timestamp), c.importCA) if err != nil { c.meta.Ui.Error(fmt.Sprintf("Failed to import CA: %s", err.Error())) } else { c.meta.Ui.Info("CA successfully imported") } } if c.importClientCert != "" && c.importClientKey != "" { err := pki.ImportClientCertAndKey(c.importClientCert, c.importClientKey) if err != nil { c.meta.Ui.Error(fmt.Sprintf("Failed to import client keys: %s", err.Error())) } else { c.meta.Ui.Info("Client keys successfully imported") } } if c.outputCA { cert, _ := pki.OutputCACert() c.meta.Ui.Output(cert) } if c.outputClientCert { cert, _ := pki.OutputClientCert() c.meta.Ui.Output(cert) } if c.outputClientKey { cert, _ := pki.OutputClientKey() c.meta.Ui.Output(cert) } if c.removePKI { c.meta.Ui.Output("Removing existing PKI") err := pki.RemovePKI() if err != nil { c.meta.Ui.Error(err.Error()) } c.meta.Ui.Output("PKI removal complete.") } if c.generateCert { c.meta.Ui.Output("Generating a new client cert") err := pki.GenerateClientCertificate([]string{"localhost"}) if err != nil { c.meta.Ui.Error(err.Error()) } c.meta.Ui.Output("Cert generation complete") } return 0 }