Documentation ¶
Index ¶
- Constants
- Variables
- func GetCipherName(connState *tls.ConnectionState) string
- func GetVersion(connState *tls.ConnectionState) string
- func VerifyPeerCertificate(uri string, cfg *tls.Config, rawCerts [][]byte) error
- type CertAndStores
- type Certificate
- type CertificateStore
- type Certificates
- type ClientAuth
- type FileOrContent
- type GeneratedCert
- type Manager
- func (m *Manager) Get(storeName, configName string) (*tls.Config, error)
- func (m *Manager) GetServerCertificates() []*x509.Certificate
- func (m *Manager) GetStore(storeName string) *CertificateStore
- func (m *Manager) UpdateConfigs(ctx context.Context, stores map[string]Store, configs map[string]Options, ...)
- type Options
- type Store
Constants ¶
const ( // DefaultTLSConfigName is the name of the default set of options for configuring TLS. DefaultTLSConfigName = "default" // DefaultTLSStoreName is the name of the default store of TLS certificates. // Note that it actually is the only usable one for now. DefaultTLSStoreName = "default" )
Variables ¶
var ( // MinVersion Map of allowed TLS minimum versions. MinVersion = map[string]uint16{ `VersionTLS10`: tls.VersionTLS10, `VersionTLS11`: tls.VersionTLS11, `VersionTLS12`: tls.VersionTLS12, `VersionTLS13`: tls.VersionTLS13, } // MaxVersion Map of allowed TLS maximum versions. MaxVersion = map[string]uint16{ `VersionTLS10`: tls.VersionTLS10, `VersionTLS11`: tls.VersionTLS11, `VersionTLS12`: tls.VersionTLS12, `VersionTLS13`: tls.VersionTLS13, } // CurveIDs is a Map of TLS elliptic curves from crypto/tls // Available CurveIDs defined at https://godoc.org/crypto/tls#CurveID, // also allowing rfc names defined at https://tools.ietf.org/html/rfc8446#section-4.2.7 CurveIDs = map[string]tls.CurveID{ `secp256r1`: tls.CurveP256, `CurveP256`: tls.CurveP256, `secp384r1`: tls.CurveP384, `CurveP384`: tls.CurveP384, `secp521r1`: tls.CurveP521, `CurveP521`: tls.CurveP521, `x25519`: tls.X25519, `X25519`: tls.X25519, } )
var ( // CipherSuites Map of TLS CipherSuites from crypto/tls // Available CipherSuites defined at https://pkg.go.dev/crypto/tls/#pkg-constants CipherSuites = map[string]uint16{ `TLS_RSA_WITH_RC4_128_SHA`: tls.TLS_RSA_WITH_RC4_128_SHA, `TLS_RSA_WITH_3DES_EDE_CBC_SHA`: tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA, `TLS_RSA_WITH_AES_128_CBC_SHA`: tls.TLS_RSA_WITH_AES_128_CBC_SHA, `TLS_RSA_WITH_AES_256_CBC_SHA`: tls.TLS_RSA_WITH_AES_256_CBC_SHA, `TLS_RSA_WITH_AES_128_CBC_SHA256`: tls.TLS_RSA_WITH_AES_128_CBC_SHA256, `TLS_RSA_WITH_AES_128_GCM_SHA256`: tls.TLS_RSA_WITH_AES_128_GCM_SHA256, `TLS_RSA_WITH_AES_256_GCM_SHA384`: tls.TLS_RSA_WITH_AES_256_GCM_SHA384, `TLS_ECDHE_ECDSA_WITH_RC4_128_SHA`: tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`: tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`: tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, `TLS_ECDHE_RSA_WITH_RC4_128_SHA`: tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA, `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`: tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`: tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`: tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`: tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`: tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`: tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`: tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`: tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`: tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305`: tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`: tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305`: tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256`: tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, `TLS_AES_128_GCM_SHA256`: tls.TLS_AES_128_GCM_SHA256, `TLS_AES_256_GCM_SHA384`: tls.TLS_AES_256_GCM_SHA384, `TLS_CHACHA20_POLY1305_SHA256`: tls.TLS_CHACHA20_POLY1305_SHA256, `TLS_FALLBACK_SCSV`: tls.TLS_FALLBACK_SCSV, } // CipherSuitesReversed Map of TLS CipherSuites from crypto/tls // Available CipherSuites defined at https://pkg.go.dev/crypto/tls/#pkg-constants CipherSuitesReversed = map[uint16]string{ tls.TLS_RSA_WITH_RC4_128_SHA: `TLS_RSA_WITH_RC4_128_SHA`, tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA: `TLS_RSA_WITH_3DES_EDE_CBC_SHA`, tls.TLS_RSA_WITH_AES_128_CBC_SHA: `TLS_RSA_WITH_AES_128_CBC_SHA`, tls.TLS_RSA_WITH_AES_256_CBC_SHA: `TLS_RSA_WITH_AES_256_CBC_SHA`, tls.TLS_RSA_WITH_AES_128_CBC_SHA256: `TLS_RSA_WITH_AES_128_CBC_SHA256`, tls.TLS_RSA_WITH_AES_128_GCM_SHA256: `TLS_RSA_WITH_AES_128_GCM_SHA256`, tls.TLS_RSA_WITH_AES_256_GCM_SHA384: `TLS_RSA_WITH_AES_256_GCM_SHA384`, tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: `TLS_ECDHE_ECDSA_WITH_RC4_128_SHA`, tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`, tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA: `TLS_ECDHE_RSA_WITH_RC4_128_SHA`, tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`, tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`, tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`, tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256`, tls.TLS_AES_128_GCM_SHA256: `TLS_AES_128_GCM_SHA256`, tls.TLS_AES_256_GCM_SHA384: `TLS_AES_256_GCM_SHA384`, tls.TLS_CHACHA20_POLY1305_SHA256: `TLS_CHACHA20_POLY1305_SHA256`, tls.TLS_FALLBACK_SCSV: `TLS_FALLBACK_SCSV`, } )
var DefaultTLSOptions = Options{ ALPNProtocols: []string{"h2", "http/1.1", tlsalpn01.ACMETLS1Protocol}, MinVersion: "VersionTLS12", CipherSuites: getCipherSuites(), }
DefaultTLSOptions the default TLS options.
Functions ¶
func GetCipherName ¶ added in v2.5.0
func GetCipherName(connState *tls.ConnectionState) string
GetCipherName returns the Cipher suite name. Available CipherSuites defined at https://pkg.go.dev/crypto/tls/#pkg-constants
func GetVersion ¶ added in v2.5.0
func GetVersion(connState *tls.ConnectionState) string
GetVersion returns the normalized TLS version. Available TLS versions defined at https://pkg.go.dev/crypto/tls/#pkg-constants
Types ¶
type CertAndStores ¶
type CertAndStores struct { Certificate `yaml:",inline" export:"true"` Stores []string `json:"stores,omitempty" toml:"stores,omitempty" yaml:"stores,omitempty" export:"true"` }
CertAndStores allows mapping a TLS certificate to a list of entry points.
func (*CertAndStores) DeepCopy ¶
func (in *CertAndStores) DeepCopy() *CertAndStores
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertAndStores.
func (*CertAndStores) DeepCopyInto ¶
func (in *CertAndStores) DeepCopyInto(out *CertAndStores)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Certificate ¶
type Certificate struct { CertFile FileOrContent `json:"certFile,omitempty" toml:"certFile,omitempty" yaml:"certFile,omitempty"` KeyFile FileOrContent `json:"keyFile,omitempty" toml:"keyFile,omitempty" yaml:"keyFile,omitempty" loggable:"false"` }
Certificate holds a SSL cert/key pair Certs and Key could be either a file path, or the file content itself.
func (*Certificate) AppendCertificate ¶
func (c *Certificate) AppendCertificate(certs map[string]map[string]*tls.Certificate, storeName string) error
AppendCertificate appends a Certificate to a certificates map keyed by store name.
func (*Certificate) GetCertificate ¶ added in v2.4.0
func (c *Certificate) GetCertificate() (tls.Certificate, error)
GetCertificate retrieves Certificate as tls.Certificate.
func (*Certificate) GetTruncatedCertificateName ¶
func (c *Certificate) GetTruncatedCertificateName() string
GetTruncatedCertificateName truncates the certificate name.
type CertificateStore ¶
type CertificateStore struct { DynamicCerts *safe.Safe DefaultCertificate *tls.Certificate CertCache *cache.Cache }
CertificateStore store for dynamic certificates.
func NewCertificateStore ¶
func NewCertificateStore() *CertificateStore
NewCertificateStore create a store for dynamic certificates.
func (CertificateStore) GetAllDomains ¶
func (c CertificateStore) GetAllDomains() []string
GetAllDomains return a slice with all the certificate domain.
func (*CertificateStore) GetBestCertificate ¶
func (c *CertificateStore) GetBestCertificate(clientHello *tls.ClientHelloInfo) *tls.Certificate
GetBestCertificate returns the best match certificate, and caches the response.
func (*CertificateStore) GetCertificate ¶ added in v2.9.0
func (c *CertificateStore) GetCertificate(domains []string) *tls.Certificate
GetCertificate returns the first certificate matching all the given domains.
func (CertificateStore) ResetCache ¶
func (c CertificateStore) ResetCache()
ResetCache clears the cache in the store.
type Certificates ¶
type Certificates []Certificate
Certificates defines traefik certificates type Certs and Keys could be either a file path, or the file content itself.
func (Certificates) GetCertificates ¶ added in v2.4.0
func (c Certificates) GetCertificates() []tls.Certificate
GetCertificates retrieves the certificates as slice of tls.Certificate.
func (*Certificates) Set ¶
func (c *Certificates) Set(value string) error
Set is the method to set the flag value, part of the flag.Value interface. Set's argument is a string to be parsed to set the flag. It's a comma-separated list, so we split it.
func (*Certificates) String ¶
func (c *Certificates) String() string
String is the method to format the flag's value, part of the flag.Value interface. The String method's output will be used in diagnostics.
type ClientAuth ¶
type ClientAuth struct { CAFiles []FileOrContent `json:"caFiles,omitempty" toml:"caFiles,omitempty" yaml:"caFiles,omitempty"` // ClientAuthType defines the client authentication type to apply. // The available values are: "NoClientCert", "RequestClientCert", "VerifyClientCertIfGiven" and "RequireAndVerifyClientCert". ClientAuthType string `json:"clientAuthType,omitempty" toml:"clientAuthType,omitempty" yaml:"clientAuthType,omitempty" export:"true"` }
ClientAuth defines the parameters of the client authentication part of the TLS connection, if any.
func (*ClientAuth) DeepCopy ¶
func (in *ClientAuth) DeepCopy() *ClientAuth
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientAuth.
func (*ClientAuth) DeepCopyInto ¶
func (in *ClientAuth) DeepCopyInto(out *ClientAuth)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FileOrContent ¶
type FileOrContent string
FileOrContent hold a file path or content.
func (FileOrContent) IsPath ¶
func (f FileOrContent) IsPath() bool
IsPath returns true if the FileOrContent is a file path, otherwise returns false.
func (FileOrContent) Read ¶
func (f FileOrContent) Read() ([]byte, error)
func (FileOrContent) String ¶
func (f FileOrContent) String() string
type GeneratedCert ¶ added in v2.9.0
type GeneratedCert struct { // Resolver is the name of the resolver that will be used to issue the DefaultCertificate. Resolver string `json:"resolver,omitempty" toml:"resolver,omitempty" yaml:"resolver,omitempty" export:"true"` // Domain is the domain definition for the DefaultCertificate. Domain *types.Domain `json:"domain,omitempty" toml:"domain,omitempty" yaml:"domain,omitempty" export:"true"` }
GeneratedCert defines the default generated certificate configuration.
func (*GeneratedCert) DeepCopy ¶ added in v2.9.0
func (in *GeneratedCert) DeepCopy() *GeneratedCert
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GeneratedCert.
func (*GeneratedCert) DeepCopyInto ¶ added in v2.9.0
func (in *GeneratedCert) DeepCopyInto(out *GeneratedCert)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Manager ¶
type Manager struct {
// contains filtered or unexported fields
}
Manager is the TLS option/store/configuration factory.
func (*Manager) GetServerCertificates ¶ added in v2.9.9
func (m *Manager) GetServerCertificates() []*x509.Certificate
GetServerCertificates returns all certificates from the default store, as well as the user-defined default certificate (if it exists).
func (*Manager) GetStore ¶
func (m *Manager) GetStore(storeName string) *CertificateStore
GetStore gets the certificate store of a given name.
func (*Manager) UpdateConfigs ¶
func (m *Manager) UpdateConfigs(ctx context.Context, stores map[string]Store, configs map[string]Options, certs []*CertAndStores)
UpdateConfigs updates the TLS* configuration options. It initializes the default TLS store, and the TLS store for the ACME challenges.
type Options ¶
type Options struct { MinVersion string `json:"minVersion,omitempty" toml:"minVersion,omitempty" yaml:"minVersion,omitempty" export:"true"` MaxVersion string `json:"maxVersion,omitempty" toml:"maxVersion,omitempty" yaml:"maxVersion,omitempty" export:"true"` CipherSuites []string `json:"cipherSuites,omitempty" toml:"cipherSuites,omitempty" yaml:"cipherSuites,omitempty" export:"true"` CurvePreferences []string `json:"curvePreferences,omitempty" toml:"curvePreferences,omitempty" yaml:"curvePreferences,omitempty" export:"true"` ClientAuth ClientAuth `json:"clientAuth,omitempty" toml:"clientAuth,omitempty" yaml:"clientAuth,omitempty"` SniStrict bool `json:"sniStrict,omitempty" toml:"sniStrict,omitempty" yaml:"sniStrict,omitempty" export:"true"` PreferServerCipherSuites bool `` // Deprecated: https://github.com/golang/go/issues/45430 /* 139-byte string literal not displayed */ ALPNProtocols []string `json:"alpnProtocols,omitempty" toml:"alpnProtocols,omitempty" yaml:"alpnProtocols,omitempty" export:"true"` }
Options configures TLS for an entry point.
func (*Options) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Options.
func (*Options) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*Options) SetDefaults ¶ added in v2.5.1
func (o *Options) SetDefaults()
SetDefaults sets the default values for an Options struct.
type Store ¶
type Store struct { DefaultCertificate *Certificate `` /* 131-byte string literal not displayed */ DefaultGeneratedCert *GeneratedCert `` /* 127-byte string literal not displayed */ }
Store holds the options for a given Store.
func (*Store) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Store.
func (*Store) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.