package main
import (
"crypto/tls"
"crypto/x509"
"io/ioutil"
"github.com/mwitkow/grpc-proxy/proxy"
"github.com/sirupsen/logrus"
"github.com/spf13/pflag"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
)
// Flags controlling how the proxy reaches, and whether it authenticates,
// the upstream gRPC backend.
var (
	// flagBackendHostPort is the dial target; it has no default and
	// dialBackendOrFail refuses to start when it is empty.
	flagBackendHostPort = pflag.String("backend_addr", "",
		"A host:port (IP or hostname) of the gRPC server to forward it to.")

	// flagBackendIsUsingTls defaults to false, i.e. the backend hop is
	// plaintext unless the operator opts in to TLS.
	flagBackendIsUsingTls = pflag.Bool("backend_tls", false,
		"Whether the gRPC server of the backend is serving in plaintext (false) or over TLS (true).")

	// flagBackendTlsNoVerify turns off certificate chain and hostname
	// checks for the backend connection. With it set, TLS still encrypts
	// but no longer authenticates the peer.
	flagBackendTlsNoVerify = pflag.Bool("backend_tls_noverify", false,
		"Whether to ignore TLS verification checks (cert validity, hostname). *DO NOT USE IN PRODUCTION*.")

	// flagBackendTlsCa lists PEM bundles consumed by buildBackendTlsOrFail;
	// it is only read when verification is enabled.
	flagBackendTlsCa = pflag.StringSlice("backend_tls_ca_files", []string{},
		"Paths (comma separated) to PEM certificate chains used for verification of backend certificates. If empty, host CA chain will be used.")
)
// dialBackendOrFail opens the client connection to the backend named by the
// backend_addr flag and returns it. Any configuration or dial error is fatal:
// the process exits through logrus.Fatalf rather than returning an error.
//
// The connection always uses the grpc-proxy codec. Transport security follows
// the backend_tls flag: TLS credentials built by buildBackendTlsOrFail when it
// is set, otherwise no transport security at all.
func dialBackendOrFail() *grpc.ClientConn {
	target := *flagBackendHostPort
	if target == "" {
		logrus.Fatalf("flag 'backend_addr' must be set")
	}

	dialOpts := []grpc.DialOption{grpc.WithCodec(proxy.Codec())}
	if !*flagBackendIsUsingTls {
		// Plaintext hop: traffic to the backend is neither encrypted nor
		// authenticated, so this is only appropriate on a trusted network path.
		dialOpts = append(dialOpts, grpc.WithInsecure())
	} else {
		creds := credentials.NewTLS(buildBackendTlsOrFail())
		dialOpts = append(dialOpts, grpc.WithTransportCredentials(creds))
	}

	conn, err := grpc.Dial(target, dialOpts...)
	if err != nil {
		logrus.Fatalf("failed dialing backend: %v", err)
	}
	return conn
}
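// buildBackendTlsOrFail builds the client-side TLS configuration used when
// dialing the backend. It never returns an error: an unreadable or unparsable
// CA file terminates the process through logrus.Fatalf.
//
// The returned config always requires TLS 1.2 or newer. Beyond that:
//   - with backend_tls_noverify set, certificate verification is disabled and
//     backend_tls_ca_files is not read;
//   - with backend_tls_ca_files set, the backend certificate must chain to one
//     of the listed PEM bundles;
//   - otherwise RootCAs stays nil and crypto/tls uses the host's root CA set.
func buildBackendTlsOrFail() *tls.Config {
	tlsConfig := &tls.Config{MinVersion: tls.VersionTLS12}

	if *flagBackendTlsNoVerify {
		// No chain or hostname validation: the backend is unauthenticated and
		// the connection can be intercepted by anyone on the network path.
		tlsConfig.InsecureSkipVerify = true
		return tlsConfig
	}

	if len(*flagBackendTlsCa) == 0 {
		return tlsConfig
	}

	roots := x509.NewCertPool()
	for _, path := range *flagBackendTlsCa {
		data, err := ioutil.ReadFile(path)
		if err != nil {
			logrus.Fatalf("failed reading backend CA file %v: %v", path, err)
		}
		if ok := roots.AppendCertsFromPEM(data); !ok {
			logrus.Fatalf("failed processing backend CA file %v", path)
		}
	}
	// This proxy is the TLS client here, so the trust anchors belong in
	// RootCAs. ClientCAs is consulted only by a TLS server verifying client
	// certificates; placing the pool there leaves backend_tls_ca_files without
	// effect and verification falls back to the host CA chain.
	tlsConfig.RootCAs = roots
	return tlsConfig
}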