make ssl_protocols configrable

2024-11-30 02:38:17 +08:00 · 2020-12-01 13:26:07 +08:00 · 2020-12-01 13:26:07 +08:00 · 9a196dbbdc
commit 9a196dbbdc
parent 17fdad609a
5 changed files with 15 additions and 4 deletions
--- a/gateway/controller/openresty/model/server.go
+++ b/gateway/controller/openresty/model/server.go
@ -24,6 +24,7 @@ type Server struct {
 	ProxyConnectTimeout     Time
 	ProxyTimeout            Time
 	ProxyPass               string
+	SSLProtocols            string
 	SSLCertificate          string // Specifies a file with the certificate in the PEM format.
 	SSLCertificateKey       string // Specifies a file with the secret key in the PEM format.
 	EnableSSLStapling       bool
--- a/gateway/controller/openresty/service.go
+++ b/gateway/controller/openresty/service.go
@ -213,6 +213,7 @@ func (o *OrService) getNgxServer(conf *v1.Config) (l7srv []*model.Server, l4srv
 			},
 		}
 		if vs.SSLCert != nil {
+			server.SSLProtocols = vs.SSlProtocols
 			server.SSLCertificate = vs.SSLCert.CertificatePem
 			server.SSLCertificateKey = vs.SSLCert.CertificatePem
 			server.EnableSSLStapling = o.ocfg.EnableSSLStapling
--- a/gateway/store/store.go
+++ b/gateway/store/store.go
@ -565,10 +565,16 @@ func (s *k8sStore) ListVirtualService() (l7vs []*v1.VirtualService, l4vs []*v1.V
 				vs = l7vsMap[virSrvName]
 				if vs == nil {
 					vs = &v1.VirtualService{
-						Listening:  []string{strconv.Itoa(s.conf.ListenPorts.HTTP)},
-						ServerName: virSrvName,
-						Locations:  []*v1.Location{},
+						Listening:    []string{strconv.Itoa(s.conf.ListenPorts.HTTP)},
+						ServerName:   virSrvName,
+						Locations:    []*v1.Location{},
+						SSlProtocols: "TLSv1.2 TLSv1.3",
 					}
+					sslProtocols := os.Getenv("SSL_PROTOCOLS")
+					if sslProtocols != "" {
+						vs.SSlProtocols = sslProtocols
+					}
+
 					vs.Namespace = ing.Namespace
 					vs.ServiceID = anns.Labels["service_id"]
 					if len(hostSSLMap) != 0 {
--- a/gateway/v1/virtual_service.go
+++ b/gateway/v1/virtual_service.go
@ -55,6 +55,7 @@ type VirtualService struct {
 	Timeout          int                    `json:"timeout"`
 	ServerName       string                 `json:"server_name"`
 	PoolName         string                 `json:"pool_name"`
+	SSlProtocols     string                 `json:"ssl_protocols"`
 	SSLCert          *SSLCert               `json:"ssl_cert"`
 	Locations        []*Location            `json:"locations"`
 	ForceSSLRedirect bool                   `json:"force_ssl_redirect"`
--- a/hack/contrib/docker/gateway/nginxtmp/servers.tmpl
+++ b/hack/contrib/docker/gateway/nginxtmp/servers.tmpl
@ -14,8 +14,10 @@ server {

    {{ if .SSLCertificate }}
    # ssl
-    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_certificate {{.SSLCertificate}};
+    {{ if .SSLProtocols }}
+    ssl_protocols {{.SSLProtocols}};
+    {{ end }}
    {{ if .EnableSSLStapling }}
    ssl_stapling on;
    resolver 8.8.8.8 8.8.4.4 114.114.114.114 valid=300s;