diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go
index aa5382002..a40103d73 100644
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@@ -1166,6 +1166,7 @@ func locationApplyAnnotations(loc *ingress.Location, anns *annotations.Ingress)
 	loc.EnableGlobalAuth = anns.EnableGlobalAuth
 	loc.HTTP2PushPreload = anns.HTTP2PushPreload
 	loc.Proxy = anns.Proxy
+	loc.ProxySSL = anns.ProxySSL
 	loc.RateLimit = anns.RateLimit
 	loc.Redirect = anns.Redirect
 	loc.Rewrite = anns.Rewrite
diff --git a/internal/ingress/controller/store/backend_ssl.go b/internal/ingress/controller/store/backend_ssl.go
index 4638343cd..4a2f347a3 100644
--- a/internal/ingress/controller/store/backend_ssl.go
+++ b/internal/ingress/controller/store/backend_ssl.go
@@ -115,6 +115,7 @@ func (s *k8sStore) getPemCertificate(secretName string) (*ingress.SSLCert, error
 		return nil, fmt.Errorf("error while storing certificate and key: %v", err)
 	}
 
+	sslCert.PemFileName = path
 	sslCert.CACertificate = caCert
 	sslCert.CAFileName = path
 	sslCert.CASHA = file.SHA1(path)
diff --git a/internal/ingress/controller/store/store.go b/internal/ingress/controller/store/store.go
index 7b9233c59..f516d0a74 100644
--- a/internal/ingress/controller/store/store.go
+++ b/internal/ingress/controller/store/store.go
@@ -843,6 +843,7 @@ func (s *k8sStore) GetAuthCertificate(name string) (*resolver.AuthSSLCert, error
 		CASHA:       cert.CASHA,
 		CRLFileName: cert.CRLFileName,
 		CRLSHA:      cert.CRLSHA,
+		PemFileName: cert.PemFileName,
 	}, nil
 }
 
diff --git a/internal/ingress/resolver/main.go b/internal/ingress/resolver/main.go
index 4581143a5..e05a2aaae 100644
--- a/internal/ingress/resolver/main.go
+++ b/internal/ingress/resolver/main.go
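Review bot: `sslCert.PemFileName = path` is set only on the branch that also records a CA (`sslCert.CACertificate = caCert` two lines below), so a proxy-ssl secret that carries just `tls.crt`/`tls.key` and no `ca.crt` would get no PemFileName and the template would then omit `proxy_ssl_certificate` for it, silently dropping client-certificate authentication to the upstream. getPemCertificate starts and ends outside this hunk; if its cert-and-key-without-CA return path does not set the field as well, add `sslCert.PemFileName = path` there too. Since PemFileName and CAFileName now point at the same file, a one-line comment such as `// path holds the client key+cert (and CA when present); the template uses PemFileName for proxy_ssl_certificate and CAFileName for proxy_ssl_trusted_certificate` would make the dual use of `path` explicit for the next reader.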
@@ -56,6 +56,8 @@ type AuthSSLCert struct {
 	CRLFileName string `json:"crlFileName"`
 	// CRLSHA contains the SHA1 hash of the 'ca.crl' file
 	CRLSHA string `json:"crlSha"`
+	// PemFileName contains the path to the secrets 'tls.crt' and 'tls.key'
+	PemFileName string `json:"pemFilename"`
 }
 
 // Equal tests for equality between two AuthSSLCert types
diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index 74c175858..f54d7931a 100755
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@@ -818,8 +818,6 @@ stream {
 
         {{ if not (empty $server.ProxySSL.CAFileName) }}
         # PEM sha: {{ $server.ProxySSL.CASHA }}
-        proxy_ssl_certificate {{ $server.ProxySSL.CAFileName }};
-        proxy_ssl_certificate_key {{ $server.ProxySSL.CAFileName }};
         proxy_ssl_trusted_certificate {{ $server.ProxySSL.CAFileName }};
         proxy_ssl_ciphers {{ $server.ProxySSL.Ciphers }};
         proxy_ssl_protocols {{ $server.ProxySSL.Protocols }};
@@ -827,6 +825,11 @@ stream {
         proxy_ssl_verify_depth {{ $server.ProxySSL.VerifyDepth }};
         {{ end }}
 
+        {{ if not (empty $server.ProxySSL.PemFileName) }}
+        proxy_ssl_certificate {{ $server.ProxySSL.PemFileName }};
+        proxy_ssl_certificate_key {{ $server.ProxySSL.PemFileName }};
+        {{ end }}
+
         {{ if not (empty $server.SSLCiphers) }}
         ssl_ciphers {{ $server.SSLCiphers }};
         {{ end }}
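Review bot: The new `PemFileName` field also needs to be compared by the `Equal` method whose comment closes this hunk (its body is outside the hunk); if `Equal` keeps comparing only the CA/CRL fields, two AuthSSLCert values differing only in PemFileName compare equal, and a change to a secret whose PemFileName is set but CAFileName is empty may not be noticed. Separately, the JSON tag `pemFilename` breaks the `...FileName` casing used by the neighbouring `crlFileName`; use `` `json:"pemFileName"` ``. The doc comment should also read `// PemFileName contains the path to the file holding the secret's 'tls.crt' and 'tls.key'` so it is clear the field names one on-disk file rather than the two secret keys.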
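Review bot: The new `proxy_ssl_certificate` block carries no `# PEM sha:` marker, unlike the CA block just above it, so for a secret where PemFileName is set but CAFileName is empty a rotated certificate written to the same path renders a byte-identical config; if, as for the CA block, the digest comment is what makes the rendered config differ and triggers a reload, that rotation would go unnoticed until the next unrelated reload. Emit a digest inside the new guard too, e.g. `# PEM sha: {{ $server.ProxySSL.PemSHA }}` if AuthSSLCert exposes a digest of that file (none is visible in this diff), or compute and plumb one alongside `PemFileName`. Also worth a one-line comment above the guard: `# client certificate presented to the upstream; trusted CA and verification are configured in the CAFileName block above`, since the two blocks are now independent and a reader may assume one implies the other.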
@@ -1287,6 +1290,19 @@ stream {
             # Location denied. Reason: {{ $location.Denied | quote }}
             return 503;
             {{ end }}
+            {{ if not (empty $location.ProxySSL.CAFileName) }}
+            # PEM sha: {{ $location.ProxySSL.CASHA }}
+            proxy_ssl_trusted_certificate {{ $location.ProxySSL.CAFileName }};
+            proxy_ssl_ciphers {{ $location.ProxySSL.Ciphers }};
+            proxy_ssl_protocols {{ $location.ProxySSL.Protocols }};
+            proxy_ssl_verify {{ $location.ProxySSL.Verify }};
+            proxy_ssl_verify_depth {{ $location.ProxySSL.VerifyDepth }};
+            {{ end }}
+
+            {{ if not (empty $location.ProxySSL.PemFileName) }}
+            proxy_ssl_certificate {{ $location.ProxySSL.PemFileName }};
+            proxy_ssl_certificate_key {{ $location.ProxySSL.PemFileName }};
+            {{ end }}
         }
         {{ end }}
         {{ end }}
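Review bot: `proxy_ssl_verify {{ $location.ProxySSL.Verify }}` is emitted without any `proxy_ssl_name` (or `proxy_ssl_server_name`), so when Verify is `on` nginx checks the upstream certificate's name against the host of this location's `proxy_pass` URL, which lies outside the hunk; if that host is an internal balancer name rather than the backend's real hostname, verification fails for every request and operators will be tempted to turn it off. Either emit `proxy_ssl_name` from an annotation value when one is available, or document the constraint in the template, e.g. `# proxy_ssl_verify on requires the upstream certificate to match the proxy_pass host; set proxy_ssl_name to override`. The location-level directives also mirror the server-level block added earlier in this file; since nginx inherits `proxy_ssl_*` from server into location, a short comment such as `# per-location proxy-ssl settings override the server-level ones` would make the intended precedence explicit.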