Merge branch v2.11 into v3.0

2024-04-03 17:44:16 +02:00 · 2024-04-03 17:44:16 +02:00 · 9f145dbc28
commit 9f145dbc28
parent c84b510f0d 2bc3fa7b4b
130 changed files with 245 additions and 322 deletions
--- a/pkg/server/router/tcp/router.go
+++ b/pkg/server/router/tcp/router.go
@ -8,8 +8,10 @@ import (
 	"io"
 	"net"
 	"net/http"
+	"slices"
 	"time"

+	"github.com/go-acme/lego/v4/challenge/tlsalpn01"
 	"github.com/rs/zerolog/log"
 	tcpmuxer "github.com/traefik/traefik/v3/pkg/muxer/tcp"
 	"github.com/traefik/traefik/v3/pkg/tcp"
@ -157,6 +159,12 @@ func (r *Router) ServeTCP(conn tcp.WriteCloser) {
 		return
 	}

+	// Handling ACME-TLS/1 challenges.
+	if slices.Contains(hello.protos, tlsalpn01.ACMETLS1Protocol) {
+		r.acmeTLSALPNHandler().ServeTCP(r.GetConn(conn, hello.peeked))
+		return
+	}
+
 	// For real, the handler eventually used for HTTPS is (almost) always the same:
 	// it is the httpsForwarder that is used for all HTTPS connections that match
 	// (which is also incidentally the same used in the last block below for 404s).
@ -201,6 +209,17 @@ func (r *Router) ServeTCP(conn tcp.WriteCloser) {
 	conn.Close()
 }

+// acmeTLSALPNHandler returns a special handler to solve ACME-TLS/1 challenges.
+func (r *Router) acmeTLSALPNHandler() tcp.Handler {
+	if r.httpsTLSConfig == nil {
+		return &brokenTLSRouter{}
+	}
+
+	return tcp.HandlerFunc(func(conn tcp.WriteCloser) {
+		_ = tls.Server(conn, r.httpsTLSConfig).Handshake()
+	})
+}
+
 // AddTCPRoute defines a handler for the given rule.
 func (r *Router) AddTCPRoute(rule string, priority int, target tcp.Handler) error {
 	return r.muxerTCP.AddRoute(rule, "", priority, target)