[proxy] Add support to set client certificate/key when sending reques…

…t via proxy
3scale · Oct 10, 2024 · bb57b47 · bb57b47
1 parent 5f7e0c0
commit bb57b47
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 8 deletions.
diff --git a/gateway/src/apicast/http_proxy.lua b/gateway/src/apicast/http_proxy.lua
@@ -143,9 +143,7 @@ local function forward_https_request(proxy_uri, uri, proxy_opts)
         path = format('%s%s%s', ngx.var.uri, ngx.var.is_args, ngx.var.query_string or ''),
         body = body,
         proxy_uri = proxy_uri,
-        proxy_auth = opts.proxy_auth,
-        upstream_connection_opts = opts.upstream_connection_opts,
-        skip_https_connect = opts.skip_https_connect
+        proxy_options = opts
     }
 
     local httpc, err = http_proxy.new(request)
@@ -226,7 +224,8 @@ function _M.request(upstream, proxy_uri)
             proxy_auth = proxy_auth,
             skip_https_connect = upstream.skip_https_connect,
             request_unbuffered = upstream.request_unbuffered,
-            upstream_connection_opts = upstream.upstream_connection_opts
+            upstream_connection_opts = upstream.upstream_connection_opts,
+            upstream_ssl = upstream.upstream_ssl
         }
 
         forward_https_request(proxy_uri, uri, proxy_opts)

diff --git a/gateway/src/apicast/upstream.lua b/gateway/src/apicast/upstream.lua
@@ -233,6 +233,11 @@ function _M:call(context)
 
         self.request_unbuffered = context.request_unbuffered
         self.upstream_connection_opts = context.upstream_connection_opts
+        self.upstream_ssl = {
+          ssl_verify = context.upstream_verify,
+          ssl_client_cert = context.upstream_certificate,
+          ssl_client_priv_key = context.upstream_key
+        }
         http_proxy.request(self, proxy_uri)
     else
         local err = self:rewrite_request()

diff --git a/gateway/src/resty/http/proxy.lua b/gateway/src/resty/http/proxy.lua
@@ -32,9 +32,10 @@ end
 local function connect(request)
     request = request or { }
     local httpc = http.new()
+    local proxy_options = request.proxy_options or {}
 
-    if request.upstream_connection_opts then
-      local con_opts = request.upstream_connection_opts
+    if proxy_options.upstream_connection_opts then
+      local con_opts = request.proxy_options.upstream_connection_opts
       ngx.log(ngx.DEBUG, 'setting timeouts (secs), connect_timeout: ', con_opts.connect_timeout,
         ' send_timeout: ', con_opts.send_timeout, ' read_timeout: ', con_opts.read_timeout)
       -- lua-resty-http uses nginx API for lua sockets
@@ -51,7 +52,7 @@ local function connect(request)
     local scheme = uri.scheme
     local host = uri.host
     local port = default_port(uri)
-    local skip_https_connect = request.skip_https_connect
+    local skip_https_connect = proxy_options.skip_https_connect
 
     -- set ssl_verify: lua-resty-http set ssl_verify to true by default if scheme is https, whereas
     -- openresty treat nil as false, so we need to explicitly set ssl_verify to false if nil
@@ -68,6 +69,10 @@ local function connect(request)
     if scheme == 'https' then
         options.ssl_server_name = host
         options.ssl_verify = ssl_verify
+        if proxy_options.upstream_ssl then
+          options.ssl_client_cert = proxy_options.upstream_ssl.ssl_client_cert
+          options.ssl_client_priv_key = proxy_options.upstream_ssl.ssl_client_priv_key
+        end
     end
 
     -- Connect via proxy
@@ -79,7 +84,7 @@ local function connect(request)
         end
 
         local proxy_url = format("%s://%s:%s", proxy_uri.scheme, proxy_uri.host, proxy_uri.port)
-        local proxy_auth = request.proxy_auth
+        local proxy_auth = proxy_options.proxy_auth
 
         if scheme == 'http' then
             -- Used by http_ng module to send request to 3scale backend through proxy.