starred/godoxy-yusing
1
0
Fork 0
mirror of https://github.com/yusing/godoxy.git synced 2026-04-18 22:49:52 +02:00
Code Issues 18 Packages Projects Releases 10 Wiki Activity

feat(entrypoint): add inbound mTLS profiles for HTTPS

Browse Source 
Add root-level inbound_mtls_profiles combining optional system CAs with PEM
CA files, and entrypoint.inbound_mtls_profile to require client certificates
on every HTTPS connection. Route-level inbound_mtls_profile is allowed only
without a global profile; per-handshake TLS picks ClientCAs from SNI, and
requests fail with 421 when Host and SNI would select different mTLS routes.

Compile pools at init (SetInboundMTLSProfiles from state.initEntrypoint) and
reject unknown profile refs or mixed global-plus-route configuration.

Extend config.example.yml and package READMEs; add entrypoint and config
tests for TLS mutation, handshakes, and validation.
This commit is contained in:
yusing
2026-04-09 17:51:18 +08:00
parent 6cafbcf669
commit 2a3823091d
18 changed files with 886 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
internal/route/provider/all_fields.yaml
View File

@@ -10,6 +10,7 @@ example: # matching `example.y.z`
no_tls_verify: true
disable_compression: false
response_header_timeout: 30s
inbound_mtls_profile: corp # optional, only supported when no global entrypoint inbound_mtls_profile is configured; selected by TLS SNI and Host/SNI must resolve to the same route
ssl_server_name: "" # empty uses target hostname, "off" disables SNI
ssl_trusted_certificate: /etc/ssl/certs/ca-certificates.crt
ssl_certificate: /etc/ssl/client.crt