Merge branch 'main' of ../private

TheLunarCompany · Sep 10, 2024 · 8a45a03 · 8a45a03
2 parents 7380829 + c8c4b05
commit 8a45a03
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 1 deletion.
diff --git a/proxy/rootfs/etc/haproxy/haproxy.cfg b/proxy/rootfs/etc/haproxy/haproxy.cfg
@@ -33,6 +33,7 @@ listen healthcheck
     http-request deny status 404 unless path_healthcheck
     http-request return status 200 content-type text/plain lf-string "proxy is up"
 
+
 frontend http-in
     mode http
     bind *:${BIND_PORT}
@@ -120,6 +121,8 @@ frontend http-in
     acl dst_port_not_found var(txn.dst_port) -m int 0
 
     acl is_https_scheme var(txn.scheme) -m str https
+    acl use_mtls var(txn.host),lower,map_reg(/etc/haproxy/maps/mtls.map) -m found
+
     http-request set-var(txn.dst_port) int(443) if dst_port_not_found is_https_scheme
     http-request set-var(txn.dst_port) int(80) if dst_port_not_found !is_https_scheme
 
@@ -128,6 +131,7 @@ frontend http-in
     http-request deny status 503 content-type text/plain lf-string "Could not resolve port" hdr x-lunar-error 5 if { var(txn.dst_port) -m int 0 }
 
     http-request do-resolve(req.host_ip,resolv-conf,ipv4) var(txn.host),host_only
+
     http-request set-var(txn.x_lunar_error) str(5) unless { var(req.host_ip) -m found }
     http-request set-var(txn.error_in_body) str("Could not resolve host") unless { var(req.host_ip) -m found }
     http-request deny status 503 content-type text/plain lf-string "Could not resolve host" hdr x-lunar-error 5 unless { var(req.host_ip) -m found }
@@ -152,7 +156,8 @@ frontend http-in
     http-request set-dst-port var(txn.dst_port)
 
     # Send request to provider
-    use_backend provider if is_https_scheme
+    use_backend %[var(txn.host)] if use_mtls
+    use_backend provider if is_https_scheme !use_mtls
     default_backend insecure_provider
 
     # Modify response
@@ -251,6 +256,8 @@ backend insecure_provider
     mode http
     server clear 0.0.0.0:0
 
+# _ # Lunar_mTLS_Backend_Binder # _ #
+
 # DNS
 resolvers resolv-conf
     parse-resolv-conf
diff --git a/proxy/rootfs/etc/lunar-proxy/policies.yaml b/proxy/rootfs/etc/lunar-proxy/policies.yaml
@@ -1,4 +1,5 @@
 ---
+mTLS:
 allowed_domains:
 blocked_domains:
 global:

diff --git a/proxy/rootfs/usr/bin/setenv b/proxy/rootfs/usr/bin/setenv
@@ -76,3 +76,33 @@ cat /etc/haproxy/allowed_domains.lst
 
 echo "Blocked domains:"
 cat /etc/haproxy/blocked_domains.lst
+
+# Extract mTLS configuration from the policies.yaml
+MAP_FILE="/etc/haproxy/maps/mtls.map"
+echo "Validating mTLS map file: $MAP_FILE"
+> "$MAP_FILE"
+
+echo "Extracting mTLS configuration from policies.yaml"
+yq e '.mTLS[] | .domain + " " + (.cert // "")' "$LUNAR_PROXY_POLICIES_CONFIG" >> "$MAP_FILE"
+
+if [[ -s "$MAP_FILE" ]]; then
+    echo "mTLS configuration:"
+
+    yq eval '.mTLS[] | .domain + " " + .cert' "$LUNAR_PROXY_POLICIES_CONFIG" | while read -r domain cert; do
+        section="backend $domain
+        mode http
+        server clear 0.0.0.0:0 ssl crt $cert verify none
+
+        "
+        echo "Adding mTLS configuration for $domain with cert $cert"
+        awk -v replacement="$section" '
+        {
+            # If we find the placeholder, insert the replacement data first
+            if ($0 ~ /# _ # Lunar_mTLS_Backend_Binder # _ #/) {
+                print replacement
+            }
+            print
+        }' "$LUNAR_HAPROXY_CONFIG" > modified_haproxy_cfg && mv modified_haproxy_cfg "$LUNAR_HAPROXY_CONFIG"
+    done
+fi
+