作者:johnson
项目:goprox
func NewFilter(config *Config) (filters.Filter, error) {
ss := &Servers{
servers: make([]Server, 0),
sshClients: lrucache.NewLRUCache(uint(len(config.Servers))),
}
for _, s := range config.Servers {
server := Server{
Address: s.Addr,
ClientConfig: &ssh.ClientConfig{
User: s.Username,
Auth: []ssh.AuthMethod{
ssh.Password(s.Password),
},
},
}
ss.servers = append(ss.servers, server)
}
tr := &http.Transport{
Dial: ss.Dial,
TLSClientConfig: &tls.Config{
InsecureSkipVerify: false,
ClientSessionCache: tls.NewLRUClientSessionCache(1000),
},
TLSHandshakeTimeout: time.Duration(config.Transport.TLSHandshakeTimeout) * time.Second,
MaxIdleConnsPerHost: config.Transport.MaxIdleConnsPerHost,
}
return &Filter{
Config: *config,
Transport: tr,
}, nil
}
作者:cfibmer
项目:bb
func NewETCDMetrics(logger lager.Logger, etcdOptions *ETCDOptions) (*ETCDMetrics, error) {
var tlsConfig *tls.Config
if etcdOptions.CertFile != "" && etcdOptions.KeyFile != "" {
var err error
tlsConfig, err = cfhttp.NewTLSConfig(etcdOptions.CertFile, etcdOptions.KeyFile, etcdOptions.CAFile)
if err != nil {
return nil, err
}
tlsConfig.ClientSessionCache = tls.NewLRUClientSessionCache(etcdOptions.ClientSessionCacheSize)
}
client := cfhttp.NewClient()
client.CheckRedirect = func(*http.Request, []*http.Request) error {
return errRedirected
}
if tr, ok := client.Transport.(*http.Transport); ok {
tr.TLSClientConfig = tlsConfig
} else {
return nil, errors.New("Invalid transport")
}
return &ETCDMetrics{
logger: logger,
etcdCluster: etcdOptions.ClusterUrls,
client: client,
}, nil
}
作者:cloudfoundr
项目:bb
func newSecureClient(url, caFile, certFile, keyFile string, clientSessionCacheSize, maxIdleConnsPerHost int, skipVerify bool) (InternalClient, error) {
client := newClient(url)
tlsConfig, err := cfhttp.NewTLSConfig(certFile, keyFile, caFile)
if err != nil {
return nil, err
}
tlsConfig.ClientSessionCache = tls.NewLRUClientSessionCache(clientSessionCacheSize)
tlsConfig.InsecureSkipVerify = skipVerify
if tr, ok := client.httpClient.Transport.(*http.Transport); ok {
tr.TLSClientConfig = tlsConfig
tr.MaxIdleConnsPerHost = maxIdleConnsPerHost
} else {
return nil, errors.New("Invalid transport")
}
if tr, ok := client.streamingHTTPClient.Transport.(*http.Transport); ok {
tr.TLSClientConfig = tlsConfig
tr.MaxIdleConnsPerHost = maxIdleConnsPerHost
} else {
return nil, errors.New("Invalid transport")
}
return client, nil
}
作者:mijo-sj
项目:lanter
// tlsConfig builds a tls.Config for dialing the upstream host. Constructed
// tls.Configs are cached on a per-masquerade basis to enable client session
// caching and reduce the amount of PEM certificate parsing.
func (serverInfo *ServerInfo) tlsConfig(masquerade *Masquerade) *tls.Config {
serverInfo.tlsConfigsMutex.Lock()
defer serverInfo.tlsConfigsMutex.Unlock()
if serverInfo.tlsConfigs == nil {
serverInfo.tlsConfigs = make(map[string]*tls.Config)
}
configKey := ""
serverName := serverInfo.Host
if masquerade != nil {
configKey = masquerade.Domain + "|" + masquerade.RootCA
serverName = masquerade.Domain
}
tlsConfig := serverInfo.tlsConfigs[configKey]
if tlsConfig == nil {
tlsConfig = &tls.Config{
ClientSessionCache: tls.NewLRUClientSessionCache(1000),
InsecureSkipVerify: serverInfo.InsecureSkipVerify,
ServerName: serverName,
}
if masquerade != nil && masquerade.RootCA != "" {
caCert, err := keyman.LoadCertificateFromPEMBytes([]byte(masquerade.RootCA))
if err != nil {
log.Fatalf("Unable to load root ca cert: %s", err)
}
tlsConfig.RootCAs = caCert.PoolContainingCert()
}
serverInfo.tlsConfigs[configKey] = tlsConfig
}
return tlsConfig
}
作者:nathan
项目:cfss
// SessionResumeScan tests that host is able to resume sessions across all addresses.
func sessionResumeScan(addr, hostname string) (grade Grade, output Output, err error) {
config := defaultTLSConfig(hostname)
config.ClientSessionCache = tls.NewLRUClientSessionCache(1)
conn, err := tls.DialWithDialer(Dialer, Network, addr, config)
if err != nil {
return
}
if err = conn.Close(); err != nil {
return
}
return multiscan(addr, func(addrport string) (g Grade, o Output, e error) {
var conn *tls.Conn
if conn, e = tls.DialWithDialer(Dialer, Network, addrport, config); e != nil {
return
}
conn.Close()
if o = conn.ConnectionState().DidResume; o.(bool) {
g = Good
}
return
})
}
作者:shizh
项目:lanter
// Dialer creates a *balancer.Dialer backed by a chained server.
func (s *ChainedServerInfo) Dialer() (*balancer.Dialer, error) {
netd := &net.Dialer{Timeout: chainedDialTimeout}
var dial func() (net.Conn, error)
if s.Cert == "" {
log.Error("No Cert configured for chained server, will dial with plain tcp")
dial = func() (net.Conn, error) {
return netd.Dial("tcp", s.Addr)
}
} else {
log.Trace("Cert configured for chained server, will dial with tls over tcp")
cert, err := keyman.LoadCertificateFromPEMBytes([]byte(s.Cert))
if err != nil {
return nil, fmt.Errorf("Unable to parse certificate: %s", err)
}
x509cert := cert.X509()
sessionCache := tls.NewLRUClientSessionCache(1000)
dial = func() (net.Conn, error) {
conn, err := tlsdialer.DialWithDialer(netd, "tcp", s.Addr, false, &tls.Config{
ClientSessionCache: sessionCache,
InsecureSkipVerify: true,
})
if err != nil {
return nil, err
}
if !conn.ConnectionState().PeerCertificates[0].Equal(x509cert) {
conn.Close()
return nil, fmt.Errorf("Server's certificate didn't match expected!")
}
return conn, err
}
}
ccfg := chained.Config{
DialServer: dial,
}
if s.AuthToken != "" {
ccfg.OnRequest = func(req *http.Request) {
req.Header.Set("X-LANTERN-AUTH-TOKEN", s.AuthToken)
}
}
d := chained.NewDialer(ccfg)
// Is this a trusted proxy that we could use for HTTP traffic?
var trusted string
if s.Trusted {
trusted = "(trusted) "
}
return &balancer.Dialer{
Label: fmt.Sprintf("%schained proxy at %s", trusted, s.Addr),
Weight: s.Weight,
QOS: s.QOS,
Trusted: s.Trusted,
Dial: func(network, addr string) (net.Conn, error) {
return withStats(d.Dial(network, addr))
},
}, nil
}
作者:123hurra
项目:tlslo
func (l *TLSLog) initConfig(config *tls.Config) {
l.log = ""
l.logRand = newLogRand(config.Rand)
config.Rand = l.logRand
config.SessionTicketsDisabled = false
if config.ClientSessionCache == nil {
config.ClientSessionCache = tls.NewLRUClientSessionCache(1)
}
}
作者:pavel-
项目:go-mit
func runHTTPServer() {
cryptoConfig := &CryptoConfig{
PKFile: "proxypk.pem",
CertFile: "proxycert.pem",
ServerTLSConfig: &tls.Config{
CipherSuites: []uint16{
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
tls.TLS_RSA_WITH_RC4_128_SHA,
tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
tls.TLS_RSA_WITH_AES_128_CBC_SHA,
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
},
PreferServerCipherSuites: true,
},
}
rp := &httputil.ReverseProxy{
Director: func(req *http.Request) {
log.Printf("Processing request to: %s", req.URL)
},
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
// Use a TLS session cache to minimize TLS connection establishment
// Requires Go 1.3+
ClientSessionCache: tls.NewLRUClientSessionCache(SESSIONS_TO_CACHE),
},
},
}
handler, err := Wrap(rp, cryptoConfig)
if err != nil {
log.Fatalf("Unable to wrap reverse proxy: %s", err)
}
server := &http.Server{
Addr: HTTP_ADDR,
Handler: handler,
ReadTimeout: 10 * time.Hour,
WriteTimeout: 10 * time.Hour,
}
go func() {
log.Printf("About to start HTTP proxy at %s", HTTP_ADDR)
if err := server.ListenAndServe(); err != nil {
log.Fatalf("Unable to start HTTP proxy: %s", err)
}
exampleWg.Done()
}()
return
}
作者:mengzhu
项目:bl
func New() {
flag.Parse()
LoadConfig(*configPath)
server := &Server{
Docs: make(map[string]*Doc, 0),
sortedDocs: make([]*Doc, 0),
DocLock: &sync.RWMutex{},
Tags: make(map[string][]*Doc, 0),
TagLock: &sync.RWMutex{},
StaticFiles: make([]string, 0),
Version: Version,
StopWatch: make(chan bool)}
server.Reset()
if err := server.LoadTempalte(); err != nil {
log.Fatal(err)
}
server.LoadStaticFiles()
server.LoadAllDocs()
if err := server.SaveAllDocs(); err != nil {
log.Fatal(err)
}
server.MakeHome()
log.Print(server.MakeSitemap())
log.Print(Cfg)
server.Watch()
server.ConfigWatch()
admin := map[string]http.HandlerFunc{
".add": server.Add,
".edit": server.Edit,
".quit": server.Quit,
".upload": server.UploadMedia,
}
for k, v := range admin {
http.HandleFunc(path.Join(Cfg.BasePath, k), server.auth(v))
}
http.Handle("/", http.FileServer(http.Dir(Cfg.PublicPath)))
if Cfg.TLSKeyFile != "" && Cfg.TLSCertFile != "" {
tls_server := http.Server{Addr: Cfg.Addr, Handler: nil,
TLSConfig: &tls.Config{ClientSessionCache: tls.NewLRUClientSessionCache(100)}}
log.Fatal(tls_server.ListenAndServeTLS(Cfg.TLSCertFile, Cfg.TLSKeyFile))
} else {
log.Fatal(http.ListenAndServe(Cfg.Addr, nil))
}
}
作者:272
项目:lanter
func New(domain string, email string, apiToken string) *Util {
client := dnsimple.NewClient(apiToken, email)
// Set a longish timeout on the HTTP client just in case
client.HttpClient = &http.Client{
Timeout: 5 * time.Minute,
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
ClientSessionCache: tls.NewLRUClientSessionCache(1000),
},
},
}
return &Util{client, domain}
}
作者:tomdionysu
项目:trinit
func NewTLSServer(logger *util.Logger, caPool *CAPool, kvStore *kvstore.KVStore, hostname string) *TLSServer {
inst := &TLSServer{
ServerNode: ch.NewServerNode(hostname),
Logger: logger,
ControlChannel: make(chan (int)),
StatusChannel: make(chan (int)),
Connections: map[[16]byte]*Peer{},
SessionCache: tls.NewLRUClientSessionCache(1024),
KVStore: kvStore,
CAPool: caPool,
}
return inst
}
作者:Christeefy
项目:lanter
func New(domain string, username string, apiKey string) *Util {
client := cloudflare.NewClient(username, apiKey)
// Set a longish timeout on the HTTP client just in case
client.Http = &http.Client{
Timeout: 5 * time.Minute,
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
ClientSessionCache: tls.NewLRUClientSessionCache(1000),
},
},
}
return &Util{client, domain}
}
作者:272
项目:lanter
func New(id string, key string, httpClient *http.Client) *cloudfront.CloudFront {
creds := aws.Creds(id, key, "")
// Set a longish timeout on the HTTP client just in case
if httpClient == nil {
httpClient = &http.Client{
Timeout: 5 * time.Minute,
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
ClientSessionCache: tls.NewLRUClientSessionCache(1000),
},
},
}
}
return cloudfront.New(creds, "", httpClient)
}
作者:bflorian
项目:dock2bo
func post(params map[string]interface{}) error {
buffer := bytes.NewBufferString("")
if err := tmpl.Execute(buffer, params); err != nil {
log.Printf("Airbrake error: %s", err)
return err
}
if Verbose {
log.Printf("Airbrake payload for endpoint %s: %s", Endpoint, buffer)
}
var httpClient = &http.Client{
Transport: &http.Transport{
Proxy: http.ProxyFromEnvironment,
Dial: (&net.Dialer{
Timeout: 30 * time.Second,
KeepAlive: 30 * time.Second,
}).Dial,
TLSHandshakeTimeout: 10 * time.Second,
TLSClientConfig: &tls.Config{
ClientSessionCache: tls.NewLRUClientSessionCache(1024),
},
MaxIdleConnsPerHost: 100,
ResponseHeaderTimeout: 10 * time.Second,
},
Timeout: 10 * time.Second,
}
response, err := httpClient.Post(Endpoint, "text/xml", buffer)
if err != nil {
log.Printf("Airbrake error: %s", err)
return err
}
if Verbose {
body, _ := ioutil.ReadAll(response.Body)
log.Printf("response: %s", body)
}
response.Body.Close()
if Verbose {
log.Printf("Airbrake post: %s status code: %d", params["Error"], response.StatusCode)
}
return nil
}
作者:Christeefy
项目:lanter
// tlsConfig builds a tls.Config for dialing the upstream host. Constructed
// tls.Configs are cached on a per-masquerade basis to enable client session
// caching and reduce the amount of PEM certificate parsing.
func (d *direct) tlsConfig(m *Masquerade) *tls.Config {
d.tlsConfigsMutex.Lock()
defer d.tlsConfigsMutex.Unlock()
tlsConfig := d.tlsConfigs[m.Domain]
if tlsConfig == nil {
tlsConfig = &tls.Config{
ClientSessionCache: tls.NewLRUClientSessionCache(1000),
InsecureSkipVerify: false,
ServerName: m.Domain,
RootCAs: d.certPool,
}
d.tlsConfigs[m.Domain] = tlsConfig
}
return tlsConfig
}
作者:272
项目:lanter
// resetProxiedClient reconfigures the host so attempts to proxy through it,
// for the sake of checking whether it's up and serving, will use the given
// port. Valid port values are "443", in which case we'll access the proxy
// through HTTPS, or "80", for an unencrypted connection.
//
// This is necessary because when peerscanner starts up and gets the list of
// hosts from the various DNS/CDN services, it has no way to know what port
// these servers are listening at. So we want to try both until one works, or
// until the server first registers with peerscanner, advertising which port
// it uses.
func (h *host) resetProxiedClient(port string) {
var dial func(addr string) (net.Conn, error)
if port == "80" {
dial = func(addr string) (net.Conn, error) {
dialer := net.Dialer{Timeout: dialTimeout}
return dialer.Dial("tcp", h.ip+":80")
}
} else if port == "443" {
dial = func(addr string) (net.Conn, error) {
return tlsdialer.DialWithDialer(&net.Dialer{
Timeout: dialTimeout,
}, "tcp", h.ip+":443", true, &tls.Config{
InsecureSkipVerify: true,
// Cache TLS sessions
ClientSessionCache: tls.NewLRUClientSessionCache(1000),
})
}
} else {
log.Errorf("Unsupported port: %v", port)
return
}
h.proxiedClient = &http.Client{
Transport: &http.Transport{
Dial: func(network, addr string) (net.Conn, error) {
return enproxy.Dial(addr, &enproxy.Config{
DialProxy: dial,
NewRequest: func(upstreamHost string, method string, body io.Reader) (req *http.Request, err error) {
return http.NewRequest(method, "http://"+h.ip+"/", body)
},
OnFirstResponse: func(resp *http.Response) {
h.reportedHostMutex.Lock()
h.reportedHost = resp.Header.Get(enproxy.X_ENPROXY_PROXY_HOST)
h.reportedHostMutex.Unlock()
},
})
},
DisableKeepAlives: true,
},
Timeout: requestTimeout,
}
}
作者:nathanaell
项目:shitenn
func NewDB(URL, CertPool, ClientCert string, HPKP []string) (*HTTPDB, error) {
remote, err := url.Parse(URL)
if err != nil {
return nil, err
}
db := &HTTPDB{
sni: remote.Host,
url: URL,
CertPool: CertPool,
ClientCert: ClientCert,
client: &http.Client{},
tlsconfig: &tls.Config{
ServerName: remote.Host,
MinVersion: tls.VersionTLS12,
MaxVersion: tls.VersionTLS12,
ClientSessionCache: tls.NewLRUClientSessionCache(MaxConn),
CurvePreferences: []tls.CurveID{
tls.CurveP521,
tls.CurveP384,
tls.CurveP256,
},
CipherSuites: []uint16{
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
},
},
hpkp: make(map[string]bool),
}
for _, k := range HPKP {
db.hpkp[k] = true
}
db.client.Transport = &http.Transport{
MaxIdleConnsPerHost: MaxConn,
DialTLS: db.DialerTLS,
}
return db, nil
}
作者:taiping-
项目:goprox
func NewFilter(config *Config) (filters.Filter, error) {
d := &dialer.Dialer{
Dialer: net.Dialer{
KeepAlive: time.Duration(config.Transport.Dialer.KeepAlive) * time.Second,
Timeout: time.Duration(config.Transport.Dialer.Timeout) * time.Second,
DualStack: config.Transport.Dialer.DualStack,
},
RetryTimes: config.Transport.Dialer.RetryTimes,
RetryDelay: time.Duration(config.Transport.Dialer.RetryDelay*1000) * time.Second,
DNSCache: lrucache.NewLRUCache(config.Transport.Dialer.DNSCacheSize),
DNSCacheExpiry: time.Duration(config.Transport.Dialer.DNSCacheExpiry) * time.Second,
LoopbackAddrs: make(map[string]struct{}),
}
d.LoopbackAddrs = make(map[string]struct{})
d.LoopbackAddrs["127.0.0.1"] = struct{}{}
d.LoopbackAddrs["::1"] = struct{}{}
if addrs, err := net.InterfaceAddrs(); err == nil {
for _, addr := range addrs {
switch addr.Network() {
case "ip":
d.LoopbackAddrs[addr.String()] = struct{}{}
}
}
}
tr := &http.Transport{
Dial: d.Dial,
TLSClientConfig: &tls.Config{
InsecureSkipVerify: config.Transport.TLSClientConfig.InsecureSkipVerify,
ClientSessionCache: tls.NewLRUClientSessionCache(config.Transport.TLSClientConfig.ClientSessionCacheSize),
},
TLSHandshakeTimeout: time.Duration(config.Transport.TLSHandshakeTimeout) * time.Second,
MaxIdleConnsPerHost: config.Transport.MaxIdleConnsPerHost,
DisableCompression: config.Transport.DisableCompression,
}
return &Filter{
Config: *config,
transport: tr,
}, nil
}
作者:JFrogDe
项目:jfrog-cli-g
func initTransport(artDetails *config.ArtifactoryDetails) error {
// Remove once SystemCertPool supports windows
caCertPool, err := LoadSystemRoots()
err = cliutils.CheckError(err)
if err != nil {
return err
}
err = loadCertificates(caCertPool)
if err != nil {
return err
}
// Setup HTTPS client
tlsConfig := &tls.Config{
RootCAs: caCertPool,
ClientSessionCache: tls.NewLRUClientSessionCache(1)}
tlsConfig.BuildNameToCertificate()
artDetails.Transport = &http.Transport{TLSClientConfig: tlsConfig}
return nil
}
作者:huho
项目:vulcan
// NewTLSSessionCache validates parameters and creates a new TLS session cache
func NewTLSSessionCache(s *TLSSessionCache) (tls.ClientSessionCache, error) {
cacheType := s.Type
if cacheType == "" {
cacheType = LRUCacheType
}
if cacheType != LRUCacheType {
return nil, fmt.Errorf("unsupported session cache type: %v", s.Type)
}
var capacity int
if params := s.Settings; params != nil {
if params.Capacity < 0 {
return nil, fmt.Errorf("bad LRU capacity: %v", params.Capacity)
} else if params.Capacity == 0 {
capacity = DefaultLRUCapacity
} else {
capacity = params.Capacity
}
}
return tls.NewLRUClientSessionCache(capacity), nil
}
