Add downstream TLS handshake timeout
This commit is contained in:
parent
8ce6fc38f2
commit
14bdfb49f3
14
server.go
14
server.go
|
@ -9,6 +9,7 @@ import (
|
||||||
"net"
|
"net"
|
||||||
"strings"
|
"strings"
|
||||||
"sync/atomic"
|
"sync/atomic"
|
||||||
|
"time"
|
||||||
|
|
||||||
"git.sr.ht/~emersion/go-scfg"
|
"git.sr.ht/~emersion/go-scfg"
|
||||||
"github.com/caddyserver/certmagic"
|
"github.com/caddyserver/certmagic"
|
||||||
|
@ -16,6 +17,8 @@ import (
|
||||||
"github.com/pires/go-proxyproto/tlvparse"
|
"github.com/pires/go-proxyproto/tlvparse"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
const tlsHandshakeTimeout = 10 * time.Second
|
||||||
|
|
||||||
type acmeCache struct {
|
type acmeCache struct {
|
||||||
config *certmagic.Config
|
config *certmagic.Config
|
||||||
cache *certmagic.Cache
|
cache *certmagic.Cache
|
||||||
|
@ -245,7 +248,6 @@ func (ln *Listener) handle(conn net.Conn) error {
|
||||||
defer conn.Close()
|
defer conn.Close()
|
||||||
srv := ln.atomic.Load().(*listenerHandles).Server
|
srv := ln.atomic.Load().(*listenerHandles).Server
|
||||||
|
|
||||||
// TODO: setup timeouts
|
|
||||||
tlsConfig := srv.ACMEConfig.TLSConfig()
|
tlsConfig := srv.ACMEConfig.TLSConfig()
|
||||||
getConfigForClient := tlsConfig.GetConfigForClient
|
getConfigForClient := tlsConfig.GetConfigForClient
|
||||||
tlsConfig.GetConfigForClient = func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
|
tlsConfig.GetConfigForClient = func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
|
||||||
|
@ -270,9 +272,17 @@ func (ln *Listener) handle(conn net.Conn) error {
|
||||||
return tlsConfig, nil
|
return tlsConfig, nil
|
||||||
}
|
}
|
||||||
tlsConn := tls.Server(conn, tlsConfig)
|
tlsConn := tls.Server(conn, tlsConfig)
|
||||||
|
|
||||||
|
if err := tlsConn.SetDeadline(time.Now().Add(tlsHandshakeTimeout)); err != nil {
|
||||||
|
return fmt.Errorf("failed to set TLS handshake timeout: %v", err)
|
||||||
|
}
|
||||||
if err := tlsConn.Handshake(); err != nil {
|
if err := tlsConn.Handshake(); err != nil {
|
||||||
return fmt.Errorf("TLS handshake failed: %v", err)
|
return fmt.Errorf("TLS handshake failed: %v", err)
|
||||||
}
|
}
|
||||||
|
if err := tlsConn.SetDeadline(time.Time{}); err != nil {
|
||||||
|
return fmt.Errorf("failed to reset TLS handshake timeout: %v", err)
|
||||||
|
}
|
||||||
|
// TODO: allow setting custom downstream timeouts
|
||||||
|
|
||||||
tlsState := tlsConn.ConnectionState()
|
tlsState := tlsConn.ConnectionState()
|
||||||
fe, err := ln.matchFrontend(tlsState.ServerName)
|
fe, err := ln.matchFrontend(tlsState.ServerName)
|
||||||
|
@ -314,6 +324,8 @@ type Frontend struct {
|
||||||
func (fe *Frontend) handle(downstream net.Conn, tlsState *tls.ConnectionState) error {
|
func (fe *Frontend) handle(downstream net.Conn, tlsState *tls.ConnectionState) error {
|
||||||
defer downstream.Close()
|
defer downstream.Close()
|
||||||
|
|
||||||
|
// TODO: setup upstream timeouts
|
||||||
|
|
||||||
be := &fe.Backend
|
be := &fe.Backend
|
||||||
upstream, err := net.Dial(be.Network, be.Address)
|
upstream, err := net.Dial(be.Network, be.Address)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
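Review bot: The 10 s deadline added around `tlsConn.Handshake()` bounds only I/O on the socket; if the `GetConfigForClient` wrapper at the top of the `Listener.handle` hunk (built on `srv.ACMEConfig.TLSConfig()`) can trigger certmagic on-demand issuance during the handshake, that work is not interrupted when the deadline fires and can itself take longer than 10 s, so a first request for a not-yet-issued name would presumably always be cut off. If the module's Go version allows it, driving the handshake with a context gives certmagic (which I believe consults `hello.Context()`) the same bound: `ctx, cancel := context.WithTimeout(context.Background(), tlsHandshakeTimeout)`, `defer cancel()`, `if err := tlsConn.HandshakeContext(ctx); err != nil {` — this needs `context` added to the import block. Separately, the two new `fmt.Errorf` calls use `%v`, which discards the error chain; `%w` would let the caller `errors.Is(err, os.ErrDeadlineExceeded)` and log slow or stalled clients at a lower severity than genuine TLS failures. The body of `Listener.handle` continues past the hunk, so where the handshake error is logged is not visible here.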