custom TLS for HTTP client

Author: FZambia

internal/configtypes/tls.go

@@ -37,7 +37,11 @@ func (c TLSConfig) ToGoTLSConfig(logTraceEntity string) (*tls.Config, error) {
 	}
 	logger := log.With().Str("entity", logTraceEntity).Logger()
 	logger.Debug().Msg("TLS enabled")
-	return makeTLSConfig(c, logger, os.ReadFile, os.Stat)
+	tlsConfig, err := makeTLSConfig(c, logger, os.ReadFile, os.Stat)
+	if err != nil {
+		return nil, fmt.Errorf("error make TLS config (for %s): %w", logTraceEntity, err)
+	}
+	return tlsConfig, nil
 }
 
 // ReadFileFunc is like os.ReadFile but helps in testing.

internal/configtypes/types.go

@@ -526,6 +526,7 @@ func (d *HttpStatusToCodeTransforms) Decode(value string) error {
 }
 
 type ProxyCommonHTTP struct {
+	TLS TLSConfig `mapstructure:"tls" json:"tls" envconfig:"tls" yaml:"tls" toml:"tls"`
 	// StaticHeaders is a static set of key/value pairs to attach to HTTP proxy request as
 	// headers. Headers received from HTTP client request or metadata from GRPC client request
 	// both have priority over values set in StaticHttpHeaders map.

internal/proxy/connect_http.go

@@ -2,6 +2,7 @@ package proxy
 
 import (
 	"context"
+	"fmt"
 
 	"github.com/centrifugal/centrifugo/v5/internal/proxyproto"
 )
@@ -16,9 +17,13 @@ var _ ConnectProxy = (*HTTPConnectProxy)(nil)
 
 // NewHTTPConnectProxy ...
 func NewHTTPConnectProxy(p Config) (*HTTPConnectProxy, error) {
+	httpClient, err := proxyHTTPClient(p, "connect_proxy")
+	if err != nil {
+		return nil, fmt.Errorf("error creating HTTP client: %w", err)
+	}
 	return &HTTPConnectProxy{
 		config:     p,
-		httpCaller: NewHTTPCaller(proxyHTTPClient(p.Timeout.ToDuration())),
+		httpCaller: NewHTTPCaller(httpClient),
 	}, nil
 }
 

internal/proxy/http.go

@@ -3,13 +3,13 @@ package proxy
 import (
 	"bytes"
 	"context"
+	"crypto/tls"
 	"errors"
 	"fmt"
 	"io"
 	"net/http"
 	"slices"
 	"strings"
-	"time"
 
 	"github.com/centrifugal/centrifugo/v5/internal/configtypes"
 	"github.com/centrifugal/centrifugo/v5/internal/proxyproto"
@@ -45,13 +45,22 @@ func NewHTTPCaller(httpClient *http.Client) HTTPCaller {
 	}
 }
 
-func proxyHTTPClient(timeout time.Duration) *http.Client {
+func proxyHTTPClient(p configtypes.Proxy, logTraceEntity string) (*http.Client, error) {
+	var tlsConfig *tls.Config
+	if p.HTTP.TLS.Enabled {
+		var err error
+		tlsConfig, err = p.HTTP.TLS.ToGoTLSConfig(logTraceEntity)
+		if err != nil {
+			return nil, fmt.Errorf("error creating TLS config: %w", err)
+		}
+	}
 	return &http.Client{
 		Transport: &http.Transport{
 			MaxIdleConnsPerHost: DefaultMaxIdleConnsPerHost,
+			TLSClientConfig:     tlsConfig,
 		},
-		Timeout: timeout,
-	}
+		Timeout: p.Timeout.ToDuration(),
+	}, nil
 }
 
 type statusCodeError struct {

internal/proxy/publish_http.go

@@ -3,6 +3,7 @@ package proxy
 import (
 	"context"
 	"encoding/json"
+	"fmt"
 
 	"github.com/centrifugal/centrifugo/v5/internal/proxyproto"
 )
@@ -29,8 +30,12 @@ var _ PublishProxy = (*HTTPPublishProxy)(nil)
 
 // NewHTTPPublishProxy ...
 func NewHTTPPublishProxy(p Config) (*HTTPPublishProxy, error) {
+	httpClient, err := proxyHTTPClient(p, "publish_proxy")
+	if err != nil {
+		return nil, fmt.Errorf("error creating HTTP client: %w", err)
+	}
 	return &HTTPPublishProxy{
-		httpCaller: NewHTTPCaller(proxyHTTPClient(p.Timeout.ToDuration())),
+		httpCaller: NewHTTPCaller(httpClient),
 		config:     p,
 	}, nil
 }

internal/proxy/refresh_http.go

@@ -2,6 +2,7 @@ package proxy
 
 import (
 	"context"
+	"fmt"
 
 	"github.com/centrifugal/centrifugo/v5/internal/proxyproto"
 )
@@ -23,9 +24,13 @@ var _ RefreshProxy = (*HTTPRefreshProxy)(nil)
 
 // NewHTTPRefreshProxy ...
 func NewHTTPRefreshProxy(p Config) (*HTTPRefreshProxy, error) {
+	httpClient, err := proxyHTTPClient(p, "refresh_proxy")
+	if err != nil {
+		return nil, fmt.Errorf("error creating HTTP client: %w", err)
+	}
 	return &HTTPRefreshProxy{
 		config:     p,
-		httpCaller: NewHTTPCaller(proxyHTTPClient(p.Timeout.ToDuration())),
+		httpCaller: NewHTTPCaller(httpClient),
 	}, nil
 }
 

internal/proxy/rpc_http.go

@@ -2,6 +2,7 @@ package proxy
 
 import (
 	"context"
+	"fmt"
 
 	"github.com/centrifugal/centrifugo/v5/internal/proxyproto"
 )
@@ -16,9 +17,13 @@ var _ RPCProxy = (*HTTPRPCProxy)(nil)
 
 // NewHTTPRPCProxy ...
 func NewHTTPRPCProxy(p Config) (*HTTPRPCProxy, error) {
+	httpClient, err := proxyHTTPClient(p, "rpc_proxy")
+	if err != nil {
+		return nil, fmt.Errorf("error creating HTTP client: %w", err)
+	}
 	return &HTTPRPCProxy{
 		config:     p,
-		httpCaller: NewHTTPCaller(proxyHTTPClient(p.Timeout.ToDuration())),
+		httpCaller: NewHTTPCaller(httpClient),
 	}, nil
 }
 

internal/proxy/sub_refresh_http.go

@@ -2,6 +2,7 @@ package proxy
 
 import (
 	"context"
+	"fmt"
 
 	"github.com/centrifugal/centrifugo/v5/internal/proxyproto"
 )
@@ -24,9 +25,13 @@ var _ SubRefreshProxy = (*HTTPSubRefreshProxy)(nil)
 
 // NewHTTPSubRefreshProxy ...
 func NewHTTPSubRefreshProxy(p Config) (*HTTPSubRefreshProxy, error) {
+	httpClient, err := proxyHTTPClient(p, "sub_refresh_proxy")
+	if err != nil {
+		return nil, fmt.Errorf("error creating HTTP client: %w", err)
+	}
 	return &HTTPSubRefreshProxy{
 		config:     p,
-		httpCaller: NewHTTPCaller(proxyHTTPClient(p.Timeout.ToDuration())),
+		httpCaller: NewHTTPCaller(httpClient),
 	}, nil
 }
 

internal/proxy/subscribe_http.go

@@ -2,6 +2,7 @@ package proxy
 
 import (
 	"context"
+	"fmt"
 
 	"github.com/centrifugal/centrifugo/v5/internal/proxyproto"
 )
@@ -16,9 +17,13 @@ var _ SubscribeProxy = (*HTTPSubscribeProxy)(nil)
 
 // NewHTTPSubscribeProxy ...
 func NewHTTPSubscribeProxy(p Config) (*HTTPSubscribeProxy, error) {
+	httpClient, err := proxyHTTPClient(p, "subscribe_proxy")
+	if err != nil {
+		return nil, fmt.Errorf("error creating HTTP client: %w", err)
+	}
 	return &HTTPSubscribeProxy{
 		config:     p,
-		httpCaller: NewHTTPCaller(proxyHTTPClient(p.Timeout.ToDuration())),
+		httpCaller: NewHTTPCaller(httpClient),
 	}, nil
 }