mirror of
https://github.com/1Panel-dev/1Panel.git
synced 2025-10-12 00:16:37 +08:00
fix: Resolve certificate validation failure issues (#9698)
This commit is contained in:
parent
3af254cdda
commit
134b17d2f0
3 changed files with 35 additions and 9 deletions
|
@ -1,13 +1,15 @@
|
|||
package middleware
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"net"
|
||||
"net/http"
|
||||
"strings"
|
||||
|
||||
"github.com/1Panel-dev/1Panel/agent/app/api/v2/helper"
|
||||
"github.com/1Panel-dev/1Panel/agent/global"
|
||||
"github.com/1Panel-dev/1Panel/agent/utils/cmd"
|
||||
"github.com/1Panel-dev/1Panel/agent/utils/xpack"
|
||||
"github.com/gin-gonic/gin"
|
||||
)
|
||||
|
||||
|
@ -17,13 +19,8 @@ func Certificate() gin.HandlerFunc {
|
|||
c.Next()
|
||||
return
|
||||
}
|
||||
if !c.Request.TLS.HandshakeComplete || len(c.Request.TLS.PeerCertificates) == 0 {
|
||||
helper.InternalServer(c, errors.New("no such tls peer certificates"))
|
||||
return
|
||||
}
|
||||
cert := c.Request.TLS.PeerCertificates[0]
|
||||
if cert.Subject.CommonName != "panel_client" {
|
||||
helper.InternalServer(c, fmt.Errorf("err certificate"))
|
||||
if !xpack.ValidateCertificate(c) {
|
||||
CloseDirectly(c)
|
||||
return
|
||||
}
|
||||
conn := c.Request.Header.Get("Connection")
|
||||
|
@ -40,3 +37,18 @@ func Certificate() gin.HandlerFunc {
|
|||
c.Next()
|
||||
}
|
||||
}
|
||||
|
||||
func CloseDirectly(c *gin.Context) {
|
||||
hijacker, ok := c.Writer.(http.Hijacker)
|
||||
if !ok {
|
||||
c.AbortWithStatus(http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
conn, _, err := hijacker.Hijack()
|
||||
if err != nil {
|
||||
c.AbortWithStatus(http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
_ = conn.(*net.TCPConn).SetLinger(0)
|
||||
conn.Close()
|
||||
}
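Review bot: `conn.(*net.TCPConn).SetLinger(0)` in CloseDirectly is an unchecked type assertion, and on this TLS-only listener the hijacked connection is a `*tls.Conn`, so the assertion panics instead of closing the socket; since `Certificate()` now routes every rejected client certificate here, a rejected client becomes a panicking handler (a recovery middleware, if installed, would turn that into a 500 rather than the intended hard close). Unwrap the TLS connection before looking for the TCP connection, use the two-value assertion so a non-TCP transport simply skips the linger tweak, and do not discard the `Close` error. Separately, with the `CommonName` comparison removed, this middleware now depends entirely on `xpack.ValidateCertificate`, whose community implementation in the same commit returns `true` unconditionally, so the TLS-layer `ClientCAs` verification in the server setup is the only remaining check on who the peer is. The `tls.Conn.NetConn` accessor needs Go 1.18 or later and a `crypto/tls` import in this file.

```go
	// … unchanged: hijacker lookup and Hijack() error handling …
	raw := conn
	if tc, ok := conn.(*tls.Conn); ok {
		raw = tc.NetConn()
	}
	if tc, ok := raw.(*net.TCPConn); ok {
		_ = tc.SetLinger(0) // drop the connection without a lingering FIN
	}
	if err := conn.Close(); err != nil {
		global.LOG.Debugf("close rejected client connection: %v", err)
	}
```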
|
||||
|
|
|
@ -2,6 +2,7 @@ package server
|
|||
|
||||
import (
|
||||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
"fmt"
|
||||
"net"
|
||||
"net/http"
|
||||
|
@ -78,9 +79,17 @@ func Start() {
|
|||
fmt.Printf("failed to load X.509 key pair: %s\n", err)
|
||||
return
|
||||
}
|
||||
|
||||
server.TLSConfig = &tls.Config{
|
||||
Certificates: []tls.Certificate{tlsCert},
|
||||
ClientAuth: tls.RequireAnyClientCert,
|
||||
ClientAuth: tls.RequireAndVerifyClientCert,
|
||||
}
|
||||
caItem, _ := settingRepo.GetValueByKey("RootCrt")
|
||||
if len(caItem) != 0 {
|
||||
caCertPool := x509.NewCertPool()
|
||||
rootCrt, _ := encrypt.StringDecrypt(caItem)
|
||||
caCertPool.AppendCertsFromPEM([]byte(rootCrt))
|
||||
server.TLSConfig.ClientCAs = caCertPool
|
||||
}
|
||||
business.Init()
|
||||
global.LOG.Infof("listen at https://0.0.0.0:%s", global.CONF.Base.Port)
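Review bot: `ClientAuth: tls.RequireAndVerifyClientCert` only gives the intended guarantee when `ClientCAs` is populated, but the pool is assigned conditionally: when `RootCrt` is empty the handshake verifies client certificates against the host's system roots, so any certificate issued by a publicly trusted CA completes the handshake, and the middleware `CommonName` check that previously caught this is removed in the same commit. Inside the `if len(caItem) != 0` block both the `encrypt.StringDecrypt` error and the `AppendCertsFromPEM` boolean are discarded, so a corrupt or undecryptable setting silently produces an empty pool with no log line explaining why every client is refused. I would abort `Start()` on those two failures in the same style as the key-pair load a few lines above, and make an explicit decision (documented in a comment) about whether an empty `RootCrt` is an acceptable running state or should also stop startup. `Start()` begins and ends outside this hunk.

```go
	caItem, _ := settingRepo.GetValueByKey("RootCrt")
	if len(caItem) != 0 {
		rootCrt, err := encrypt.StringDecrypt(caItem)
		if err != nil {
			fmt.Printf("failed to decrypt RootCrt: %s\n", err)
			return
		}
		caCertPool := x509.NewCertPool()
		if !caCertPool.AppendCertsFromPEM([]byte(rootCrt)) {
			fmt.Println("failed to parse RootCrt as a PEM certificate")
			return
		}
		server.TLSConfig.ClientCAs = caCertPool
	}
	// … unchanged: business.Init() and listen …
```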
|
||||
|
|
|
@ -15,6 +15,7 @@ import (
|
|||
"github.com/1Panel-dev/1Panel/agent/buserr"
|
||||
"github.com/1Panel-dev/1Panel/agent/global"
|
||||
"github.com/1Panel-dev/1Panel/agent/utils/cmd"
|
||||
"github.com/gin-gonic/gin"
|
||||
)
|
||||
|
||||
func RemoveTamper(website string) {}
|
||||
|
@ -72,3 +73,7 @@ func LoadRequestTransport() *http.Transport {
|
|||
IdleConnTimeout: 15 * time.Second,
|
||||
}
|
||||
}
|
||||
|
||||
func ValidateCertificate(c *gin.Context) bool {
|
||||
return true
|
||||
}
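Review bot: `ValidateCertificate` is an exported function without a doc comment, and because it is the community-build stand-in for a check that `middleware.Certificate()` now relies on exclusively, a reader needs to know that `return true` is deliberate rather than unfinished. Suggest `// ValidateCertificate reports whether the TLS client certificate on c is acceptable.` followed by `// The community build performs no additional check and accepts every certificate the TLS layer has already verified.` The `c` parameter is unused in this body; `_ *gin.Context` would make that explicit, though keeping the name has the advantage of documenting the signature the alternative implementation must match.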
|
||||
|
|