@@ -146,29 +146,28 @@ func x509ProxyServer() {
146146 serverCrt := checkFile (Config .ServerCrt )
147147 serverKey := checkFile (Config .ServerKey )
148148
149- // start go routine to server /auth/trouble via middleware server
150- go func () {
151- mux := http .NewServeMux ()
152- mux .HandleFunc ("/auth/trouble" , authTroubleHandler )
153- // start main HTTP server
154- customVerify := true
155- tlsCertVerify := false
156- addr := ":4443" // default port for /auth/trouble end-point
157- if Config .AuthTroublePort != 0 {
158- addr = fmt .Sprintf (":%d" , Config .AuthTroublePort )
159- }
160- server , err := getServer (addr , serverCrt , serverKey , customVerify , tlsCertVerify )
161- if err != nil {
162- log .Fatalf ("ERROR: unable to start x509 server, error %v\n " , err )
163- }
164- server .Handler = certMiddleware (mux )
165- log .Println ("Start X509 HTTPs server :4443/auth/trouble" )
166- log .Fatal (server .ListenAndServeTLS (serverCrt , serverKey ))
167- }()
149+ // start middleware server with /auth/trouble end-point only if AuthTroublePort is provided
150+ if Config .AuthTroublePort > 0 {
151+ go func () {
152+ mux := http .NewServeMux ()
153+ mux .HandleFunc ("/auth/trouble" , authTroubleHandler )
154+ // start main HTTP server
155+ customVerify := true // use certificate verification
156+ tlsCertVerify := false // use middleware server and do not perform cert verification during TLS handshake
157+ addr := fmt .Sprintf (":%d" , Config .AuthTroublePort )
158+ server , err := getServer (addr , serverCrt , serverKey , customVerify , tlsCertVerify )
159+ if err != nil {
160+ log .Fatalf ("ERROR: unable to start x509 server, error %v\n " , err )
161+ }
162+ server .Handler = certMiddleware (mux )
163+ log .Printf ("Start X509 middleware HTTPs server :%d/auth/trouble" , Config .AuthTroublePort )
164+ log .Fatal (server .ListenAndServeTLS (serverCrt , serverKey ))
165+ }()
166+ }
168167
169168 // start main HTTP server
170- customVerify := true
171- tlsCertVerify := true
169+ customVerify := true // use certificate verification
170+ tlsCertVerify := true // use HTTPs server and perform cert verification during TLS handshake
172171 server , err := getServer (addr , serverCrt , serverKey , customVerify , tlsCertVerify )
173172 if err != nil {
174173 log .Fatalf ("unable to start x509 server, error %v\n " , err )
@@ -179,37 +178,26 @@ func x509ProxyServer() {
179178
180179}
181180
182- // helper function to start x509 proxy server
181+ // helper function to start x509 proxy middleware server
183182func x509ProxyMiddlewareServer () {
184183 log .Println ("Use x509ProxyMiddlewareServer" )
185184 // use http mux server and attach to it our middleware layers
186185 // this allows to move user certificate verification into middleware layer, see certMiddleware
187186 // instead of using TLS handshake phase (original VerifyPeerCertificate option/function)
188187 mux := http .NewServeMux ()
189188
190- // metrics handler
191- mux .HandleFunc (fmt .Sprintf ("%s/metrics" , Config .Base ), metricsHandler )
192189 // rules handler
193190 mux .HandleFunc (fmt .Sprintf ("%s/rules" , Config .Base ), rulesHandler )
194191
195192 // trouble page
196193 mux .HandleFunc ("/auth/trouble" , authTroubleHandler )
197194
198- // start http server to serve metrics only
199- if Config .MetricsPort > 0 {
200- log .Println ("Start x509 server metrics on port" , Config .MetricsPort )
201- go http .ListenAndServe (fmt .Sprintf (":%d" , Config .MetricsPort ), nil )
202- }
203-
204195 // the server settings handler
205196 mux .HandleFunc (fmt .Sprintf ("%s/server" , Config .Base ), settingsHandler )
206197
207198 // Only expose debug endpoints (pprof, expvar) if the client IP is allowed
208199 mux .HandleFunc ("/debug/" , debugHandler )
209200
210- // the request handler
211- mux .HandleFunc ("/" , x509RequestHandler )
212-
213201 // start HTTPS server
214202 addr := fmt .Sprintf (":%d" , Config .Port )
215203 if Config .LetsEncrypt {
@@ -222,8 +210,8 @@ func x509ProxyMiddlewareServer() {
222210 serverCrt := checkFile (Config .ServerCrt )
223211 serverKey := checkFile (Config .ServerKey )
224212
225- customVerify := true
226- tlsCertVerify := false
213+ customVerify := true // use certificate verification
214+ tlsCertVerify := false // use middleware server and do not perform cert verification during TLS handshake
227215 server , err := getServer (addr , serverCrt , serverKey , customVerify , tlsCertVerify )
228216 if err != nil {
229217 log .Fatalf ("unable to start x509 server, error %v\n " , err )
0 commit comments