From bfd07096ab69cf20e3fe167939ad7626fe41ff8c Mon Sep 17 00:00:00 2001
From: barnettZQG
Date: Mon, 22 Jun 2020 18:24:31 +0800
Subject: [PATCH] support ssl stapling
---
 cmd/gateway/option/option.go | 12 +++++++-----
 gateway/controller/openresty/model/server.go | 1 +
 gateway/controller/openresty/service.go | 2 ++
 hack/contrib/docker/gateway/nginxtmp/servers.tmpl | 5 +++++
 4 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/cmd/gateway/option/option.go b/cmd/gateway/option/option.go
index 805bd13d4..61dfb896d 100644
--- a/cmd/gateway/option/option.go
+++ b/cmd/gateway/option/option.go
@@ -71,11 +71,12 @@ type Config struct {
 EnableMetrics bool
- NodeName string
- HostIP string
- IgnoreInterface []string
- ShareMemory uint64
- SyncRateLimit float32
+ NodeName string
+ HostIP string
+ IgnoreInterface []string
+ ShareMemory uint64
+ SyncRateLimit float32
+ EnableSSLStapling bool
 }
 // ListenPorts describe the ports required to run the gateway controller
@@ -121,6 +122,7 @@ func (g *GWServer) AddFlags(fs *pflag.FlagSet) {
 fs.StringVar(&g.NodeName, "node-name", "", "this gateway node host name")
 fs.StringVar(&g.HostIP, "node-ip", "", "this gateway node ip")
 fs.BoolVar(&g.Debug, "debug", false, "enable pprof debug")
+ fs.BoolVar(&g.EnableSSLStapling, "enable-ssl-stapling", false, "enable ssl stapling")
 fs.Uint64Var(&g.ShareMemory, "max-config-share-memory", 128, "Nginx maximum Shared memory size, which should be increased for larger clusters.")
 fs.Float32Var(&g.SyncRateLimit, "sync-rate-limit", 0.3, "Define the sync frequency upper limit")
 fs.StringArrayVar(&g.IgnoreInterface, "ignore-interface", []string{"docker0", "tunl0", "cni0", "kube-ipvs0", "flannel"}, "The network interface name that ignore by gateway")
diff --git a/gateway/controller/openresty/model/server.go b/gateway/controller/openresty/model/server.go
index 03108b0b1..9117db5b5 100644
--- a/gateway/controller/openresty/model/server.go
+++ b/gateway/controller/openresty/model/server.go
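Review bot: The new `EnableSSLStapling` field in Config and its flag in AddFlags carry no explanation of what enabling it does, and the help text `"enable ssl stapling"` only restates the flag name. What it actually turns on is visible in the servers.tmpl hunk of this patch: `ssl_stapling on` plus a fixed `resolver 8.8.8.8 8.8.4.4 114.114.114.114` inside every server that has a certificate, and no `ssl_stapling_verify`, so the gateway will send DNS and OCSP queries to external hosts and will staple responses nginx has not validated against the issuer chain. An operator needs that from the flag text; suggest `fs.BoolVar(&g.EnableSSLStapling, "enable-ssl-stapling", false, "enable OCSP stapling (ssl_stapling on, using a built-in public DNS resolver) for every server that has a certificate")` and, on the Config field, `EnableSSLStapling bool // emit ssl_stapling for TLS servers; see servers.tmpl`. The Config struct starts before its hunk and AddFlags continues past the end of the second one.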
@@ -26,6 +26,7 @@ type Server struct {
 ProxyPass string
 SSLCertificate string // Specifies a file with the certificate in the PEM format.
 SSLCertificateKey string // Specifies a file with the secret key in the PEM format.
+ EnableSSLStapling bool
 ForceSSLRedirect bool
 Return Return
 Rewrites []Rewrite
diff --git a/gateway/controller/openresty/service.go b/gateway/controller/openresty/service.go
index f2639e6b6..b42c0a930 100644
--- a/gateway/controller/openresty/service.go
+++ b/gateway/controller/openresty/service.go
@@ -215,6 +215,8 @@ func (o *OrService) getNgxServer(conf *v1.Config) (l7srv []*model.Server, l4srv
 if vs.SSLCert != nil {
 server.SSLCertificate = vs.SSLCert.CertificatePem
 server.SSLCertificateKey = vs.SSLCert.CertificatePem
+ server.EnableSSLStapling = o.ocfg.EnableSSLStapling
+
 }
 for _, loc := range vs.Locations {
 location := &model.Location{
diff --git a/hack/contrib/docker/gateway/nginxtmp/servers.tmpl b/hack/contrib/docker/gateway/nginxtmp/servers.tmpl
index 5941de897..3be751a2b 100644
--- a/hack/contrib/docker/gateway/nginxtmp/servers.tmpl
+++ b/hack/contrib/docker/gateway/nginxtmp/servers.tmpl
@@ -15,6 +15,11 @@ server {
 {{ if .SSLCertificate }}
 # ssl
 ssl_certificate {{.SSLCertificate}};
+ {{ if .EnableSSLStapling }}
+ ssl_stapling on;
+ resolver 8.8.8.8 8.8.4.4 114.114.114.114 valid=300s;
+ resolver_timeout 5s;
+ {{ end }}
 {{ end }}
 {{ if .SSLCertificateKey }}ssl_certificate_key {{.SSLCertificateKey}};{{ end }}
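Review bot: `EnableSSLStapling bool` is the one field in this run without the trailing doc comment its neighbours `SSLCertificate` and `SSLCertificateKey` carry, so a reader of the model cannot tell that it is rendered as `ssl_stapling on` and is ignored unless `SSLCertificate` is set (the servers.tmpl hunk nests it inside `{{ if .SSLCertificate }}`). Suggest `EnableSSLStapling bool // Emits ssl_stapling on; only honoured when SSLCertificate is set.` to match the surrounding style. The Server struct starts before this hunk and continues past it.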
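Review bot: The blank line added after `server.EnableSSLStapling = o.ocfg.EnableSSLStapling`, directly before the closing brace of the `if vs.SSLCert != nil` block, is stray; gofmt strips a blank line before `}`, which suggests the file was not formatted before committing, so drop it. The assignment copies one gateway-wide flag onto every certificate-bearing server, which is reasonable, but a comment such as `// stapling is a gateway-wide switch; applied only to servers that have a certificate` would spare the next reader a trip to option.go, and whether nginx quietly disables stapling for certificates without an OCSP responder URL is nginx behaviour this diff does not show, so confirm before documenting it. Separately, the context line above assigns `vs.SSLCert.CertificatePem` to `SSLCertificateKey` as well as to `SSLCertificate`; if `CertificatePem` is not a combined certificate-plus-key bundle, `ssl_certificate_key` ends up pointing at the certificate file, though that predates this commit. getNgxServer continues outside the hunk.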