1.Add Mutual HTTPS Option!

2025-07-06 06:30:18 +00:00 · 2017-11-15 22:42:30 +08:00
parent d96289a81b
commit 3872382a4b
3 changed files with 106 additions and 22 deletions
--- a/app.go
+++ b/app.go
@ -15,7 +15,10 @@
 package beego

 import (
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
+	"io/ioutil"
 	"net"
 	"net/http"
 	"net/http/fcgi"
@ -102,7 +105,7 @@ func (app *App) Run() {
 	if BConfig.Listen.Graceful {
 		httpsAddr := BConfig.Listen.HTTPSAddr
 		app.Server.Addr = httpsAddr
-		if BConfig.Listen.EnableHTTPS {
+		if BConfig.Listen.EnableHTTPS || BConfig.Listen.EnableMutualHTTPS {
 			go func() {
 				time.Sleep(20 * time.Microsecond)
 				if BConfig.Listen.HTTPSPort != 0 {
@ -112,10 +115,19 @@ func (app *App) Run() {
 				server := grace.NewServer(httpsAddr, app.Handlers)
 				server.Server.ReadTimeout = app.Server.ReadTimeout
 				server.Server.WriteTimeout = app.Server.WriteTimeout
-				if err := server.ListenAndServeTLS(BConfig.Listen.HTTPSCertFile, BConfig.Listen.HTTPSKeyFile); err != nil {
-					logs.Critical("ListenAndServeTLS: ", err, fmt.Sprintf("%d", os.Getpid()))
-					time.Sleep(100 * time.Microsecond)
-					endRunning <- true
+				if BConfig.Listen.EnableMutualHTTPS {
+
+					if err := server.ListenAndServeMutualTLS(BConfig.Listen.HTTPSCertFile, BConfig.Listen.HTTPSKeyFile, BConfig.Listen.TrustCaFile); err != nil {
+						logs.Critical("ListenAndServeTLS: ", err, fmt.Sprintf("%d", os.Getpid()))
+						time.Sleep(100 * time.Microsecond)
+						endRunning <- true
+					}
+				} else {
+					if err := server.ListenAndServeTLS(BConfig.Listen.HTTPSCertFile, BConfig.Listen.HTTPSKeyFile); err != nil {
+						logs.Critical("ListenAndServeTLS: ", err, fmt.Sprintf("%d", os.Getpid()))
+						time.Sleep(100 * time.Microsecond)
+						endRunning <- true
+					}
 				}
 			}()
 		}
@ -139,7 +151,7 @@ func (app *App) Run() {
 	}

 	// run normal mode
-	if BConfig.Listen.EnableHTTPS {
+	if BConfig.Listen.EnableHTTPS || BConfig.Listen.EnableMutualHTTPS {
 		go func() {
 			time.Sleep(20 * time.Microsecond)
 			if BConfig.Listen.HTTPSPort != 0 {
@ -149,6 +161,19 @@ func (app *App) Run() {
 				return
 			}
 			logs.Info("https server Running on https://%s", app.Server.Addr)
+			if BConfig.Listen.EnableMutualHTTPS {
+				pool := x509.NewCertPool()
+				data, err := ioutil.ReadFile(BConfig.Listen.TrustCaFile)
+				if err != nil {
+					BeeLogger.Info("MutualHTTPS should provide TrustCaFile")
+					return
+				}
+				pool.AppendCertsFromPEM(data)
+				app.Server.TLSConfig = &tls.Config{
+					ClientCAs:  pool,
+					ClientAuth: tls.RequireAndVerifyClientCert,
+				}
+			}
 			if err := app.Server.ListenAndServeTLS(BConfig.Listen.HTTPSCertFile, BConfig.Listen.HTTPSKeyFile); err != nil {
 				logs.Critical("ListenAndServeTLS: ", err)
 				time.Sleep(100 * time.Microsecond)