Add option to sso-proxy to set SSL server_name explicitly

f0382112 · ale · ff7a1048 · f0382112 · f0382112
Commit f0382112 authored Jan 06, 2018 by ale
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 2 deletions

proxy/proxy.go proxy/proxy.go +8 -0

proxy/proxy_test.go proxy/proxy_test.go +1 -2

No files found.
--- a/proxy/proxy.go
+++ b/proxy/proxy.go
@@ -20,6 +20,7 @@ import (
 type Backend struct {
 	Host            string                      `yaml:"host"`
 	Upstream        []string                    `yaml:"upstream"`
+	ServerName      string                      `yaml:"tls_server_name"`
 	ClientTLSConfig *clientutil.TLSClientConfig `yaml:"client_tls"`

 	AllowedGroups []string `yaml:"allowed_groups"`
@@ -45,6 +46,13 @@ func (b *Backend) newHandler(ssow *httpsso.SSOWrapper) (http.Handler, error) {
 		if err != nil {
 			return nil, err
 		}
+
+		// By setting the ServerName on the tls.Config, we
+		// hope to decouple TLS certificate verification from
+		// the details of the HTTP Host header included in the
+		// request, so that the transport layer will work
+		// regardless of the HTTP request details.
+		tlsConfig.ServerName = b.ServerName
 	}
 	proxy.Transport = clientutil.NewTransport(b.Upstream, tlsConfig, nil)


--- a/proxy/proxy_test.go
+++ b/proxy/proxy_test.go
 package proxy

 import (
-	"crypto/rand"
 	"crypto/tls"
 	"io"
 	"io/ioutil"
@@ -32,7 +31,7 @@ func TestProxy(t *testing.T) {
 	}
 	defer os.RemoveAll(tmpdir)

-	pub, priv, err := ed25519.GenerateKey(rand.Reader)
+	pub, priv, err := ed25519.GenerateKey(nil)
 	if err != nil {
 		t.Fatal(err)
 	}