Support for HTTPS upstream servers (#102)

Author: lucasdillmann

CHANGELOG.md

@@ -1,6 +1,7 @@
 # CHANGELOG
 
 ## 2.35.0
+- Integration routes now support HTTPS upstream servers (with the option to ignore certificate errors)
 - Development pipeline and workflow improvements
 - Security and other minor fixes and improvements
 

Makefile

@@ -189,4 +189,6 @@ test: .backend-prerequisites .backend-test
 
 build-release: .frontend-build .backend-build .build-release-docker-image .build-distribution-files
 
-build-snapshot: .frontend-build .backend-build .build-snapshot-docker-image .build-distribution-files
+build-snapshot:
+	$(MAKE) .frontend-build .backend-build VERSION=0.0.0
+	$(MAKE) .build-snapshot-docker-image VERSION=$(VERSION)

api/host/artifacts_test.go

@@ -28,6 +28,7 @@ func newHostRequestDTO() hostRequestDTO {
 				TargetURI:  new("http://backend"),
 				Settings: &routeSettingsDTO{
 					IncludeForwardHeaders:  new(true),
+					IgnoreSSLErrors:        new(true),
 					ProxySslServerName:     new(true),
 					KeepOriginalDomainName: new(true),
 					IndexFile:              new("index.html"),
@@ -69,6 +70,7 @@ func newHost() *host.Host {
 				TargetURI:  new("http://backend"),
 				Settings: host.RouteSettings{
 					IncludeForwardHeaders:  true,
+					IgnoreSSLErrors:        true,
 					ProxySSLServerName:     true,
 					KeepOriginalDomainName: true,
 					IndexFile:              new("index.html"),

api/host/converter.go

@@ -136,6 +136,7 @@ func toRouteSettingsDTO(set *host.RouteSettings) *routeSettingsDTO {
 	return &routeSettingsDTO{
 		IncludeForwardHeaders:   &set.IncludeForwardHeaders,
 		ProxySslServerName:      &set.ProxySSLServerName,
+		IgnoreSSLErrors:         &set.IgnoreSSLErrors,
 		KeepOriginalDomainName:  &set.KeepOriginalDomainName,
 		DirectoryListingEnabled: &set.DirectoryListingEnabled,
 		IndexFile:               dropBlankValues(set.IndexFile),
@@ -163,6 +164,7 @@ func toIntegrationConfigDTO(config *host.RouteIntegrationConfig) *integrationCon
 	return &integrationConfigDTO{
 		IntegrationID: &config.IntegrationID,
 		OptionID:      &config.OptionID,
+		UseHTTPS:      &config.UseHTTPS,
 	}
 }
 
@@ -240,6 +242,7 @@ func toRouteSettings(input *routeSettingsDTO) host.RouteSettings {
 	return host.RouteSettings{
 		IncludeForwardHeaders:   getBoolValue(input.IncludeForwardHeaders),
 		ProxySSLServerName:      getBoolValue(input.ProxySslServerName),
+		IgnoreSSLErrors:         getBoolValue(input.IgnoreSSLErrors),
 		KeepOriginalDomainName:  getBoolValue(input.KeepOriginalDomainName),
 		DirectoryListingEnabled: getBoolValue(input.DirectoryListingEnabled),
 		IndexFile:               dropBlankValues(input.IndexFile),
@@ -267,6 +270,7 @@ func toRouteIntegrationConfig(input *integrationConfigDTO) *host.RouteIntegratio
 	return &host.RouteIntegrationConfig{
 		IntegrationID: getUUIDValue(input.IntegrationID),
 		OptionID:      getStringValue(input.OptionID),
+		UseHTTPS:      getBoolValue(input.UseHTTPS),
 	}
 }
 

api/host/dto.go

@@ -44,6 +44,7 @@ type routeSourceCodeDTO struct {
 type routeSettingsDTO struct {
 	IncludeForwardHeaders   *bool   `json:"includeForwardHeaders"`
 	ProxySslServerName      *bool   `json:"proxySslServerName"`
+	IgnoreSSLErrors         *bool   `json:"ignoreSslErrors"`
 	KeepOriginalDomainName  *bool   `json:"keepOriginalDomainName"`
 	DirectoryListingEnabled *bool   `json:"directoryListingEnabled"`
 	IndexFile               *string `json:"indexFile"`
@@ -53,6 +54,7 @@ type routeSettingsDTO struct {
 type integrationConfigDTO struct {
 	IntegrationID *uuid.UUID `json:"integrationId"`
 	OptionID      *string    `json:"optionId"`
+	UseHTTPS      *bool      `json:"useHttps"`
 }
 
 type staticResponseDTO struct {

core/host/model.go

@@ -72,6 +72,7 @@ type RouteSettings struct {
 	IndexFile               *string
 	IncludeForwardHeaders   bool
 	ProxySSLServerName      bool
+	IgnoreSSLErrors         bool
 	KeepOriginalDomainName  bool
 	DirectoryListingEnabled bool
 }
@@ -85,6 +86,7 @@ type RouteStaticResponse struct {
 type RouteIntegrationConfig struct {
 	OptionID      string
 	IntegrationID uuid.UUID
+	UseHTTPS      bool
 }
 
 type VPN struct {

core/nginx/cfgfiles/host_configuration_file_provider.go

@@ -350,10 +350,14 @@ func (p *hostConfigurationFileProvider) buildIntegrationRoute(
 		return "", coreerror.New(
 			i18n.M(ctx.context, i18n.K.CoreNginxCfgfilesOptionNotFound).
 				V("optionID", r.Integration.OptionID),
-			false,
+			true,
 		)
 	}
 
+	if r.Integration.UseHTTPS {
+		proxyURL = new(strings.Replace(*proxyURL, "http://", "https://", 1))
+	}
+
 	if r.TargetURI != nil && strings.TrimSpace(*r.TargetURI) != "" {
 		proxyURL = new(*proxyURL + *r.TargetURI)
 	}
@@ -478,8 +482,13 @@ func (p *hostConfigurationFileProvider) buildRouteSettings(
 	r *host.Route,
 ) string {
 	builder := strings.Builder{}
+
 	if r.Settings.ProxySSLServerName {
-		_, _ = builder.WriteString("proxy_ssl_server_name on;")
+		_, _ = builder.WriteString("proxy_ssl_server_name on;\n")
+	}
+
+	if r.Settings.IgnoreSSLErrors {
+		_, _ = builder.WriteString("proxy_ssl_verify off;\n")
 	}
 
 	if r.Settings.IncludeForwardHeaders {

core/nginx/cfgfiles/host_configuration_file_provider_test.go

@@ -266,6 +266,31 @@ func Test_hostConfigurationFileProvider(t *testing.T) {
 			assert.ErrorAs(t, err, &coreErr)
 			assert.Equal(t, i18n.K.CoreNginxCfgfilesOptionNotFound, coreErr.Message.Key)
 		})
+
+		t.Run("replaces http with https when UseHTTPS is true", func(t *testing.T) {
+			integrationID := uuid.New()
+			r := &host.Route{
+				SourcePath: "/api",
+				Integration: &host.RouteIntegrationConfig{
+					IntegrationID: integrationID,
+					OptionID:      "opt-1",
+					UseHTTPS:      true,
+				},
+			}
+
+			ctrl := gomock.NewController(t)
+			defer ctrl.Finish()
+
+			integrationCmds := integration.NewMockedCommands(ctrl)
+			integrationCmds.EXPECT().
+				GetOptionURL(gomock.Any(), integrationID, "opt-1").
+				Return(new("http://1.2.3.4:80"), nil, nil)
+			provider.integrationCommands = integrationCmds
+
+			result, err := provider.buildIntegrationRoute(ctx, r, host.FeatureSet{})
+			assert.NoError(t, err)
+			assert.Contains(t, result, "proxy_pass https://1.2.3.4:80;")
+		})
 	})
 
 	t.Run("BuildExecuteCodeRoute", func(t *testing.T) {
@@ -407,6 +432,52 @@ func Test_hostConfigurationFileProvider(t *testing.T) {
 				fmt.Sprintf("include \"/etc/nginx/access-list-%s.conf\";", id),
 			)
 		})
+
+		t.Run(
+			"includes proxy_ssl_server_name on when ProxySSLServerName is true",
+			func(t *testing.T) {
+				r := &host.Route{
+					Settings: host.RouteSettings{
+						ProxySSLServerName: true,
+					},
+				}
+				result := provider.buildRouteSettings(ctx, r)
+				assert.Contains(t, result, "proxy_ssl_server_name on;")
+			},
+		)
+
+		t.Run(
+			"doesn't includes proxy_ssl_server_name when ProxySSLServerName is false",
+			func(t *testing.T) {
+				r := &host.Route{
+					Settings: host.RouteSettings{
+						ProxySSLServerName: false,
+					},
+				}
+				result := provider.buildRouteSettings(ctx, r)
+				assert.NotContains(t, result, "proxy_ssl_server_name")
+			},
+		)
+
+		t.Run("includes proxy_ssl_verify off when IgnoreSSLErrors is true", func(t *testing.T) {
+			r := &host.Route{
+				Settings: host.RouteSettings{
+					IgnoreSSLErrors: true,
+				},
+			}
+			result := provider.buildRouteSettings(ctx, r)
+			assert.Contains(t, result, "proxy_ssl_verify off;")
+		})
+
+		t.Run("does not include proxy_ssl_verify by default", func(t *testing.T) {
+			r := &host.Route{
+				Settings: host.RouteSettings{
+					IgnoreSSLErrors: false,
+				},
+			}
+			result := provider.buildRouteSettings(ctx, r)
+			assert.NotContains(t, result, "proxy_ssl_verify")
+		})
 	})
 
 	t.Run("BuildBinding", func(t *testing.T) {

database/common/migrations/scripts/postgres/030_route_ssl_options.up.sql

@@ -0,0 +1,2 @@
+alter table host_route add column ignore_ssl_errors boolean not null default false;
+alter table host_route add column integration_use_https boolean not null default false;

database/common/migrations/scripts/sqlite/030_route_ssl_options.up.sql

@@ -0,0 +1,2 @@
+alter table host_route add column ignore_ssl_errors boolean not null default false;
+alter table host_route add column integration_use_https boolean not null default false;