Add tls configuration to both client and server (#1974)

2025-07-09 23:41:50 +07:00 · 2020-09-18 19:58:58 +08:00
parent 48fa618c34
commit 4fff3c7472
6 changed files with 247 additions and 34 deletions
--- a/models/config/server_common.go
+++ b/models/config/server_common.go
@ -133,9 +133,24 @@ type ServerCommonConf struct {
 	// may proxy to. If this value is 0, no limit will be applied. By default,
 	// this value is 0.
 	MaxPortsPerClient int64 `json:"max_ports_per_client"`
-	// TLSOnly specifies whether to only accept TLS-encrypted connections. By
-	// default, the value is false.
+	// TLSOnly specifies whether to only accept TLS-encrypted connections.
+	// By default, the value is false.
 	TLSOnly bool `json:"tls_only"`
+	// TLSCertFile specifies the path of the cert file that the server will
+	// load. If "tls_cert_file", "tls_key_file" are valid, the server will use this
+	// supplied tls configuration. Otherwise, the server will use the tls
+	// configuration generated by itself.
+	TLSCertFile string `json:"tls_cert_file"`
+	// TLSKeyFile specifies the path of the secret key that the server will
+	// load. If "tls_cert_file", "tls_key_file" are valid, the server will use this
+	// supplied tls configuration. Otherwise, the server will use the tls
+	// configuration generated by itself.
+	TLSKeyFile string `json:"tls_key_file"`
+	// TLSTrustedCaFile specifies the paths of the client cert files that the
+	// server will load. It only works when "tls_only" is true. If
+	// "tls_trusted_ca_file" is valid, the server will verify each client's
+	// certificate.
+	TLSTrustedCaFile string `json:"tls_trusted_ca_file"`
 	// HeartBeatTimeout specifies the maximum time to wait for a heartbeat
 	// before terminating the connection. It is not recommended to change this
 	// value. By default, this value is 90.
@ -181,6 +196,9 @@ func GetDefaultServerConf() ServerCommonConf {
 		MaxPoolCount:           5,
 		MaxPortsPerClient:      0,
 		TLSOnly:                false,
+		TLSCertFile:            "",
+		TLSKeyFile:             "",
+		TLSTrustedCaFile:       "",
 		HeartBeatTimeout:       90,
 		UserConnTimeout:        10,
 		Custom404Page:          "",
@ -419,6 +437,19 @@ func UnmarshalServerConfFromIni(content string) (cfg ServerCommonConf, err error
 		}
 		cfg.UDPPacketSize = v
 	}
+
+	if tmpStr, ok := conf.Get("common", "tls_cert_file"); ok {
+		cfg.TLSCertFile = tmpStr
+	}
+
+	if tmpStr, ok := conf.Get("common", "tls_key_file"); ok {
+		cfg.TLSKeyFile = tmpStr
+	}
+
+	if tmpStr, ok := conf.Get("common", "tls_trusted_ca_file"); ok {
+		cfg.TLSTrustedCaFile = tmpStr
+	}
+
 	return
 }

@ -441,5 +472,11 @@ func UnmarshalPluginsFromIni(sections ini.File, cfg *ServerCommonConf) {
 }

 func (cfg *ServerCommonConf) Check() (err error) {
+	if cfg.TLSOnly == false {
+		if cfg.TLSTrustedCaFile != "" {
+			err = fmt.Errorf("Parse conf error: forbidden tls_trusted_ca_file, it only works when tls_only is true")
+			return
+		}
+	}
 	return
 }