support ssl stapling

2024-11-29 18:27:58 +08:00 · 2020-06-22 18:24:31 +08:00 · 2020-06-22 18:24:31 +08:00 · bfd07096ab
commit bfd07096ab
parent 4ebd066b65
4 changed files with 15 additions and 5 deletions
--- a/cmd/gateway/option/option.go
+++ b/cmd/gateway/option/option.go
@ -71,11 +71,12 @@ type Config struct {

 	EnableMetrics bool

-	NodeName        string
-	HostIP          string
-	IgnoreInterface []string
-	ShareMemory     uint64
-	SyncRateLimit   float32
+	NodeName          string
+	HostIP            string
+	IgnoreInterface   []string
+	ShareMemory       uint64
+	SyncRateLimit     float32
+	EnableSSLStapling bool
 }

 // ListenPorts describe the ports required to run the gateway controller
@ -121,6 +122,7 @@ func (g *GWServer) AddFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&g.NodeName, "node-name", "", "this gateway node host name")
 	fs.StringVar(&g.HostIP, "node-ip", "", "this gateway node ip")
 	fs.BoolVar(&g.Debug, "debug", false, "enable pprof debug")
+	fs.BoolVar(&g.EnableSSLStapling, "enable-ssl-stapling", false, "enable ssl stapling")
 	fs.Uint64Var(&g.ShareMemory, "max-config-share-memory", 128, "Nginx maximum Shared memory size, which should be increased for larger clusters.")
 	fs.Float32Var(&g.SyncRateLimit, "sync-rate-limit", 0.3, "Define the sync frequency upper limit")
 	fs.StringArrayVar(&g.IgnoreInterface, "ignore-interface", []string{"docker0", "tunl0", "cni0", "kube-ipvs0", "flannel"}, "The network interface name that ignore by gateway")
--- a/gateway/controller/openresty/model/server.go
+++ b/gateway/controller/openresty/model/server.go
@ -26,6 +26,7 @@ type Server struct {
 	ProxyPass               string
 	SSLCertificate          string // Specifies a file with the certificate in the PEM format.
 	SSLCertificateKey       string // Specifies a file with the secret key in the PEM format.
+	EnableSSLStapling       bool
 	ForceSSLRedirect        bool
 	Return                  Return
 	Rewrites                []Rewrite
--- a/gateway/controller/openresty/service.go
+++ b/gateway/controller/openresty/service.go
@ -215,6 +215,8 @@ func (o *OrService) getNgxServer(conf *v1.Config) (l7srv []*model.Server, l4srv
 		if vs.SSLCert != nil {
 			server.SSLCertificate = vs.SSLCert.CertificatePem
 			server.SSLCertificateKey = vs.SSLCert.CertificatePem
+			server.EnableSSLStapling = o.ocfg.EnableSSLStapling
+
 		}
 		for _, loc := range vs.Locations {
 			location := &model.Location{
--- a/hack/contrib/docker/gateway/nginxtmp/servers.tmpl
+++ b/hack/contrib/docker/gateway/nginxtmp/servers.tmpl
@ -15,6 +15,11 @@ server {
    {{ if .SSLCertificate }}
    # ssl
    ssl_certificate {{.SSLCertificate}};
+    {{ if .EnableSSLStapling }}
+    ssl_stapling on;
+    resolver 8.8.8.8 8.8.4.4 114.114.114.114 valid=300s;
+    resolver_timeout 5s;
+    {{ end }}
    {{ end }}
    {{ if .SSLCertificateKey }}ssl_certificate_key {{.SSLCertificateKey}};{{ end }}