Merge branch v2.11 into v3.1

2024-09-16 16:24:08 +02:00 · 2024-09-16 16:24:08 +02:00 · 093989fc14
commit 093989fc14
parent 8c977b8f8c 06d7fab820
66 changed files with 904 additions and 136 deletions
--- a/pkg/server/router/tcp/router.go
+++ b/pkg/server/router/tcp/router.go
@ -21,6 +21,8 @@ const defaultBufSize = 4096

 // Router is a TCP router.
 type Router struct {
+	acmeTLSPassthrough bool
+
 	// Contains TCP routes.
 	muxerTCP tcpmuxer.Muxer
 	// Contains TCP TLS routes.
@ -164,7 +166,7 @@ func (r *Router) ServeTCP(conn tcp.WriteCloser) {
 	}

 	// Handling ACME-TLS/1 challenges.
-	if slices.Contains(hello.protos, tlsalpn01.ACMETLS1Protocol) {
+	if !r.acmeTLSPassthrough && slices.Contains(hello.protos, tlsalpn01.ACMETLS1Protocol) {
 		r.acmeTLSALPNHandler().ServeTCP(r.GetConn(conn, hello.peeked))
 		return
 	}
@ -317,6 +319,10 @@ func (r *Router) SetHTTPSHandler(handler http.Handler, config *tls.Config) {
 	r.httpsTLSConfig = config
 }

+func (r *Router) EnableACMETLSPassthrough() {
+	r.acmeTLSPassthrough = true
+}
+
 // Conn is a connection proxy that handles Peeked bytes.
 type Conn struct {
 	// Peeked are the bytes that have been read from Conn for the purposes of route matching,
--- a/pkg/server/router/tcp/router_test.go
+++ b/pkg/server/router/tcp/router_test.go
@ -212,9 +212,10 @@ func Test_Routing(t *testing.T) {
 	}

 	testCases := []struct {
-		desc    string
-		routers []applyRouter
-		checks  []checkCase
+		desc                    string
+		routers                 []applyRouter
+		checks                  []checkCase
+		allowACMETLSPassthrough bool
 	}{
 		{
 			desc:    "No routers",
@ -271,6 +272,18 @@ func Test_Routing(t *testing.T) {
 				},
 			},
 		},
+		{
+			desc:                    "TCP TLS passthrough catches ACME TLS",
+			allowACMETLSPassthrough: true,
+			routers:                 []applyRouter{routerTCPTLSCatchAllPassthrough},
+			checks: []checkCase{
+				{
+					desc:          "ACME TLS Challenge",
+					checkRouter:   checkACMETLS,
+					expectedError: "tls: first record does not look like a TLS handshake",
+				},
+			},
+		},
 		{
 			desc:    "Single TCP CatchAll router",
 			routers: []applyRouter{routerTCPCatchAll},
@ -596,6 +609,10 @@ func Test_Routing(t *testing.T) {
 			router, err := manager.buildEntryPointHandler(context.Background(), dynConf.TCPRouters, dynConf.Routers, nil, nil)
 			require.NoError(t, err)

+			if test.allowACMETLSPassthrough {
+				router.EnableACMETLSPassthrough()
+			}
+
 			epListener, err := net.Listen("tcp", "127.0.0.1:0")
 			require.NoError(t, err)

@ -717,7 +734,7 @@ func routerTCPTLSCatchAll(conf *runtime.Configuration) {
 	}
 }

-// routerTCPTLSCatchAllPassthrough a TCP TLS CatchAll Passthrough - HostSNI(`*`) router with TLS 1.0 config.
+// routerTCPTLSCatchAllPassthrough a TCP TLS CatchAll Passthrough - HostSNI(`*`) router with TLS 1.2 config.
 func routerTCPTLSCatchAllPassthrough(conf *runtime.Configuration) {
 	conf.TCPRouters["tcp-tls-catchall-passthrough"] = &runtime.TCPRouterInfo{
 		TCPRouter: &dynamic.TCPRouter{