From 9698903499e5ff9835d076cd01f89b6fdf146f75 Mon Sep 17 00:00:00 2001
From: Jim Ma
Date: Tue, 6 Aug 2024 14:46:52 +0800
Subject: [PATCH] chore: optimize hijack ca format (#3418)
* chore: optimize hijack ca format
Signed-off-by: Jim Ma
* chore: fix cert leaf
Signed-off-by: Jim Ma
* fix: unit test
Signed-off-by: Jim Ma
---------
Signed-off-by: Jim Ma
---
 client/config/peerhost.go | 4 ++--
 client/config/peerhost_test.go | 4 ++--
 client/config/testdata/certs/sca.crt | 2 +-
 client/config/testdata/certs/sca.key | 2 +-
 client/daemon/proxy/proxy_manager.go | 17 +++++++++--------
 5 files changed, 15 insertions(+), 14 deletions(-)
diff --git a/client/config/peerhost.go b/client/config/peerhost.go
index 8e75cdbd17f..68bc8bc7f75 100644
--- a/client/config/peerhost.go
+++ b/client/config/peerhost.go
@@ -920,8 +920,8 @@ func (r *Regexp) MarshalYAML() (any, error) {
 // HijackConfig represents how dfdaemon hijacks http requests.
 type HijackConfig struct {
- Cert string `yaml:"cert" mapstructure:"cert"`
- Key string `yaml:"key" mapstructure:"key"`
+ Cert types.PEMContent `yaml:"cert" mapstructure:"cert"`
+ Key types.PEMContent `yaml:"key" mapstructure:"key"`
 Hosts []*HijackHost `yaml:"hosts" mapstructure:"hosts"`
 SNI []*TCPListenOption `yaml:"sni" mapstructure:"sni"`
 }
diff --git a/client/config/peerhost_test.go b/client/config/peerhost_test.go
index 7aa857df47a..915980b589d 100644
--- a/client/config/peerhost_test.go
+++ b/client/config/peerhost_test.go
@@ -470,8 +470,8 @@ func TestPeerHostOption_Load(t *testing.T) {
 },
 },
 HijackHTTPS: &HijackConfig{
- Cert: "./testdata/certs/sca.crt",
- Key: "./testdata/certs/sca.key",
+ Cert: types.PEMContent(_cert),
+ Key: types.PEMContent(_key),
 Hosts: []*HijackHost{
 {
 Regx: hijackExp,
diff --git a/client/config/testdata/certs/sca.crt b/client/config/testdata/certs/sca.crt
index a56708e17af..926d943f013 100644
--- a/client/config/testdata/certs/sca.crt
+++ b/client/config/testdata/certs/sca.crt
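Review bot: The two changed field lines switch Cert and Key from file paths to PEM content, yet the struct carries no comment saying so, and the yaml keys `cert`/`key` are unchanged, so an existing config that still points at files will presumably now fail inside tls.X509KeyPair rather than at file open. Add field comments on the new lines, e.g. `// Cert is the PEM-encoded certificate (CA or leaf) used for https hijacking.` and `// Key is the PEM-encoded private key matching Cert; it is secret material, so the config file holding it needs the same protection as a key file.` Since the key names did not change, the path-to-content break is worth calling out in the release notes or migration doc as well. HijackConfig's comment line is context here; the hunk shows the whole struct.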
@@ -17,4 +17,4 @@ A5l000dtHekhk+DO2tjQgEKg5+EYMYoki5mEkSbyHkMMY8D6w5A130fpw10ZeN1z
 B/v/1PiVkZfu1kbnTZICQDsb4xI/2Sw2x0qKXp1oYzIDt8fZATNJgWhzv47xLLXF
 XQM7Yj0HQ3txAi6qOMDw1sYf/TEc1k4VC9J//QJb5/kNnWcAheLPCm3D1+CnAxcD
 vL928p4GmUIGbzxm3/WbWfLosSwxq5y4P5bbEd3niM4=
------END CERTIFICATE-----
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/client/config/testdata/certs/sca.key b/client/config/testdata/certs/sca.key
index bc116c6601e..f13cbde135c 100644
--- a/client/config/testdata/certs/sca.key
+++ b/client/config/testdata/certs/sca.key
@@ -24,4 +24,4 @@ fbR5XmFsuzmdL0zRIt6+mtDjfqHHYA2avzwvRaBWVprzS8/ISTqJSEs/NWSYuAsP
 tjPw2QKBgQCB+sS2lio/sTAQzsYTe/GNmxsL1lKO+yRsTPRRjzcm3ZdOsPgkFDx/
 ZCL9Lsp7TqOLOghLGdYj9a45GrXwmEeJo5P9c1y+G9PSzFDMBUyseWmDvrcvYwWo
 JMfrfs6pHtZ828AbnT2kfnFv6zok2ns6vE2gme/a9Z/RCjVXyJwF5w==
------END RSA PRIVATE KEY-----
+-----END RSA PRIVATE KEY-----
\ No newline at end of file
diff --git a/client/daemon/proxy/proxy_manager.go b/client/daemon/proxy/proxy_manager.go
index 3da2b697f84..02d32e55507 100644
--- a/client/daemon/proxy/proxy_manager.go
+++ b/client/daemon/proxy/proxy_manager.go
@@ -98,20 +98,20 @@ func NewProxyManager(peerHost *schedulerv1.PeerHost, peerTaskManager peer.TaskMa
 if r.Direct {
 method = "directly"
 }
- scheme := ""
+ prompt := ""
 if r.UseHTTPS {
- scheme = "and force https"
+ prompt = " and force https"
 }
- logger.Infof("[%d] proxy %s %s %s", i+1, r.Regx, method, scheme)
+ logger.Infof("[%d] proxy %s %s%s", i+1, r.Regx, method, prompt)
 }
 }
 if hijackHTTPS != nil {
 options = append(options, WithHTTPSHosts(hijackHTTPS.Hosts...))
 if hijackHTTPS.Cert != "" && hijackHTTPS.Key != "" {
- cert, err := certFromFile(hijackHTTPS.Cert, hijackHTTPS.Key)
+ cert, err := certFromFile(string(hijackHTTPS.Cert), string(hijackHTTPS.Key))
 if err != nil {
- return nil, fmt.Errorf("cert from file: %w", err)
+ return nil, fmt.Errorf("load cert error: %w", err)
 }
 if cert.Leaf != nil && cert.Leaf.IsCA {
 logger.Debugf("hijack https request with CA <%s>", cert.Leaf.Subject.CommonName)
@@ -174,13 +174,14 @@ func (pm *proxyManager) Watch(opt *config.ProxyOption) {
 }
 }
-func certFromFile(certFile string, keyFile string) (*tls.Certificate, error) {
+func certFromFile(certPEM string, keyPEM string) (*tls.Certificate, error) {
 // cert.Certificate is a chain of one or more certificates, leaf first.
- cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+ cert, err := tls.X509KeyPair([]byte(certPEM), []byte(keyPEM))
 if err != nil {
 return nil, fmt.Errorf("load cert: %w", err)
 }
- logger.Infof("use self-signed certificate (%s, %s) for https hijacking", certFile, keyFile)
+
+ logger.Infof("use self-signed certificate for https hijacking")
 // leaf is CA cert or server cert
 leaf, err := x509.ParseCertificate(cert.Certificate[0])
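Review bot: The new wrap `return nil, fmt.Errorf("load cert error: %w", err)` stacks on certFromFile's own `load cert: %w` (visible as context in the next hunk), so callers read "load cert error: load cert: …"; wrap with what this layer is doing instead, e.g. `return nil, fmt.Errorf("hijack https certificate: %w", err)`. The call now passes PEM strings, not paths, so the name certFromFile is misleading; renaming it to `certFromPEM` would match the new `certPEM`/`keyPEM` parameters. The guard `if hijackHTTPS.Cert != "" && hijackHTTPS.Key != ""` still silently skips CA loading when only one of the two is set, which this commit does not address; returning an error when exactly one is present would surface a half-configured hijack instead of quietly disabling it. With the private key now held inline as types.PEMContent, I cannot tell from here whether that type redacts itself when formatted, so confirm the daemon never logs or dumps the HijackConfig value as a whole. NewProxyManager starts before and continues after this hunk.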