Add TLS connection support for tty-proxy connections

4 years ago · 2100e4ab90
parent 2d481a5a98
commit 2100e4ab90
2 changed files with 22 additions and 5 deletions
--- a/main.go
+++ b/main.go
@ -67,6 +67,7 @@ Flags:
 	proxyServerAddress := flag.String("tty-proxy", "localhost:9000", "Address of the proxy for public facing connections")
 	readOnly := flag.Bool("readonly", false, "Start a read only session")
 	publicSession := flag.Bool("public", false, "Create a public session")
+	noTLS := flag.Bool("no-tls", false, "Don't use TLS to connect to the tty-proxy server. Useful for local debugging")
 	flag.Usage = func() {
 		fmt.Fprintf(flag.CommandLine.Output(), "%s", usageString)
 		flag.PrintDefaults()
@ -114,7 +115,7 @@ Flags:

 	sessionID := "local"
 	if *publicSession {
-		proxy, err := proxy.NewProxyConnection(*listenAddress, *proxyServerAddress)
+		proxy, err := proxy.NewProxyConnection(*listenAddress, *proxyServerAddress, *noTLS)
 		if err != nil {
 			fmt.Printf("Can't connect to the proxy: %s\n", err.Error())
 			return
--- a/proxy/proxy.go
+++ b/proxy/proxy.go
@ -1,6 +1,8 @@
 package proxy

 import (
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/json"
 	"io"
 	"net"
@ -28,10 +30,24 @@ type proxyConnection struct {
 	PublicURL       string
 }

-func NewProxyConnection(backConnAddrr, proxyAddr string) (*proxyConnection, error) {
-	conn, err := net.Dial("tcp", proxyAddr)
-	if err != nil {
-		return nil, err
+func NewProxyConnection(backConnAddrr, proxyAddr string, noTLS bool) (*proxyConnection, error) {
+	var conn net.Conn
+	var err error
+
+	if noTLS {
+		conn, err = net.Dial("tcp", proxyAddr)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		roots, err := x509.SystemCertPool()
+		if err != nil {
+			return nil, err
+		}
+		conn, err = tls.Dial("tcp", proxyAddr, &tls.Config{RootCAs: roots})
+		if err != nil {
+			return nil, err
+		}
 	}

 	// C -> S: HelloCLient