func (p *HttpProxy) Proxy() {
log.Info("HTTP proxy listening on %s", log.Colorize(log.BLUE, fmt.Sprintf("%s://%s:%d", p.Protocol, p.Host, p.Port)))
pkiMgr, err := pki.New()
checkHttpServerError(err)
config, err := pkiMgr.GetClientTLSConfig()
checkHttpServerError(err)
config.InsecureSkipVerify = false
mux := http.NewServeMux()
mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
director := func(req *http.Request) {
req = r
req.URL.Scheme = p.ProxyProtocol
req.URL.Host = fmt.Sprintf("%s:%d", p.ProxyHost, p.ProxyPort)
}
proxy := &ReverseProxy{Director: director, Middleware: p.middleware}
proxy.Transport = &http.Transport{
Proxy: http.ProxyFromEnvironment,
TLSClientConfig: config,
TLSHandshakeTimeout: 10 * time.Second,
}
proxy.ServeHTTP(w, r)
})
if p.Protocol == "https" {
checkHttpServerError(err)
checkHttpServerError(http.ListenAndServeTLS(fmt.Sprintf("%s:%d", p.Host, p.Port), pkiMgr.Config.ClientCertPath, pkiMgr.Config.ClientKeyPath, mux))
} else {
checkHttpServerError(http.ListenAndServe(fmt.Sprintf("%s:%d", p.Host, p.Port), mux))
}
}
func (c *PkiCommand) Run(args []string) int {
c.meta = Meta{
Ui: &cli.ColoredUi{
Ui: &cli.BasicUi{Writer: os.Stdout, Reader: os.Stdin, ErrorWriter: os.Stderr},
OutputColor: cli.UiColorNone,
InfoColor: cli.UiColorNone,
ErrorColor: cli.UiColorRed,
},
}
cmdFlags := flag.NewFlagSet("pki", flag.ContinueOnError)
cmdFlags.Usage = func() { c.meta.Ui.Output(c.Help()) }
cmdFlags.StringVar(&c.caHost, "caHost", "localhost", "Specify the CAs custom hostname")
cmdFlags.StringVar(&c.importCA, "importCA", "", "Path to CA Cert to import")
cmdFlags.StringVar(&c.importClientCert, "importClientCert", "", "Path of client certificate to import and set as the default")
cmdFlags.StringVar(&c.importClientKey, "importClientKey", "", "Path of client key to import and set as the default")
cmdFlags.BoolVar(&c.configure, "configure", false, "Configures a default PKI infrastructure. Warning: This will clear any existing PKI files")
cmdFlags.BoolVar(&c.removePKI, "removePKI", false, "Remove existing PKI keys and certs.")
cmdFlags.BoolVar(&c.outputCA, "outputCA", false, "Output the CA Certificate of this node")
cmdFlags.BoolVar(&c.outputClientCert, "outputClientCert", false, "Output the Client Certificate")
cmdFlags.BoolVar(&c.outputClientKey, "outputClientKey", false, "Output the Client Key")
cmdFlags.BoolVar(&c.generateCert, "generateCert", false, "Generate a custom cert from this nodes' CA")
pki, err := pki.New()
if err != nil {
c.meta.Ui.Error(fmt.Sprintf("Unable to setup public key infrastructure: %s", err.Error()))
return 1
}
// Validate
if err := cmdFlags.Parse(args); err != nil {
return 1
}
if c.configure {
c.meta.Ui.Output(fmt.Sprintf("Setting up PKI for %s...", c.caHost))
pki.RemovePKI()
err := pki.SetupPKI(c.caHost)
if err != nil {
c.meta.Ui.Error(err.Error())
}
c.meta.Ui.Output("PKI setup complete.")
}
if c.importCA != "" {
c.meta.Ui.Output(fmt.Sprintf("Importing CA from %s", c.importCA))
timestamp := time.Now().Unix()
err := pki.ImportCA(fmt.Sprintf("%d", timestamp), c.importCA)
if err != nil {
c.meta.Ui.Error(fmt.Sprintf("Failed to import CA: %s", err.Error()))
} else {
c.meta.Ui.Info("CA successfully imported")
}
}
if c.importClientCert != "" && c.importClientKey != "" {
err := pki.ImportClientCertAndKey(c.importClientCert, c.importClientKey)
if err != nil {
c.meta.Ui.Error(fmt.Sprintf("Failed to import client keys: %s", err.Error()))
} else {
c.meta.Ui.Info("Client keys successfully imported")
}
}
if c.outputCA {
cert, _ := pki.OutputCACert()
c.meta.Ui.Output(cert)
}
if c.outputClientCert {
cert, _ := pki.OutputClientCert()
c.meta.Ui.Output(cert)
}
if c.outputClientKey {
cert, _ := pki.OutputClientKey()
c.meta.Ui.Output(cert)
}
if c.removePKI {
c.meta.Ui.Output("Removing existing PKI")
err := pki.RemovePKI()
if err != nil {
c.meta.Ui.Error(err.Error())
}
c.meta.Ui.Output("PKI removal complete.")
}
if c.generateCert {
c.meta.Ui.Output("Generating a new client cert")
err := pki.GenerateClientCertificate([]string{"localhost"})
if err != nil {
c.meta.Ui.Error(err.Error())
}
c.meta.Ui.Output("Cert generation complete")
}
return 0
}