Added user selectable min TLS version

- Added user selectable min TLS version in UI
- Updated API to support a custom minimum TLS version
This commit is contained in:
Toby Chui
2025-10-15 20:20:58 +08:00
parent deb096545d
commit 9a5a0eb84d
6 changed files with 78 additions and 58 deletions


@@ -74,7 +74,7 @@ func RegisterHTTPProxyAPIs(authRouter *auth.RouterDef) {
func RegisterTLSAPIs(authRouter *auth.RouterDef) {
//Global certificate settings
authRouter.HandleFunc("/api/cert/tls", handleToggleTLSProxy)
authRouter.HandleFunc("/api/cert/tlsRequireLatest", handleSetTlsRequireLatest)
authRouter.HandleFunc("/api/cert/tlsMinVersion", handleSetTlsMinVersion)
authRouter.HandleFunc("/api/cert/resolve", handleCertTryResolve)
authRouter.HandleFunc("/api/cert/setPreferredCertificate", handleSetDomainPreferredCertificate)


@@ -45,32 +45,49 @@ func handleToggleTLSProxy(w http.ResponseWriter, r *http.Request) {
}
}
// Handle the GET and SET of reverse proxy TLS versions
func handleSetTlsRequireLatest(w http.ResponseWriter, r *http.Request) {
newState, err := utils.PostPara(r, "set")
if err != nil {
//GET
var reqLatestTLS bool = false
if sysdb.KeyExists("settings", "forceLatestTLS") {
sysdb.Read("settings", "forceLatestTLS", &reqLatestTLS)
}
js, _ := json.Marshal(reqLatestTLS)
utils.SendJSONResponse(w, string(js))
} else {
switch newState {
case "true":
sysdb.Write("settings", "forceLatestTLS", true)
SystemWideLogger.Println("Updating minimum TLS version to v1.2 or above")
dynamicProxyRouter.UpdateTLSVersion(true)
case "false":
sysdb.Write("settings", "forceLatestTLS", false)
SystemWideLogger.Println("Updating minimum TLS version to v1.0 or above")
dynamicProxyRouter.UpdateTLSVersion(false)
default:
utils.SendErrorResponse(w, "invalid state given")
}
func minTlsVersionStringToUint16(version string) uint16 {
// Update the setting
var tlsVersionUint16 uint16
switch version {
case "1.0":
tlsVersionUint16 = 0x0301
case "1.1":
tlsVersionUint16 = 0x0302
case "1.2":
tlsVersionUint16 = 0x0303
case "1.3":
tlsVersionUint16 = 0x0304
}
return tlsVersionUint16
}
// Handle the GET and SET of reverse proxy minimum TLS version
func handleSetTlsMinVersion(w http.ResponseWriter, r *http.Request) {
newVersion, err := utils.PostPara(r, "set")
if err != nil {
// GET
var minTLSVersion string = "1.2" // Default to 1.2
if sysdb.KeyExists("settings", "minTLSVersion") {
sysdb.Read("settings", "minTLSVersion", &minTLSVersion)
}
js, _ := json.Marshal(minTLSVersion)
utils.SendJSONResponse(w, string(js))
return
}
// Validate input
allowed := map[string]bool{"1.0": true, "1.1": true, "1.2": true, "1.3": true}
if !allowed[newVersion] {
utils.SendErrorResponse(w, "invalid TLS version")
return
}
sysdb.Write("settings", "minTLSVersion", newVersion)
tlsVersionUint16 := minTlsVersionStringToUint16(newVersion)
// Update the setting
SystemWideLogger.PrintAndLog("TLS", "Updating minimum TLS version to v"+newVersion+" or above", nil)
dynamicProxyRouter.SetTlsMinVersion(tlsVersionUint16)
utils.SendOK(w)
}
func handleCertTryResolve(w http.ResponseWriter, r *http.Request) {
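Review bot: `minTlsVersionStringToUint16` returns 0 for any string outside "1.0"–"1.3" and the handler then validates with a separate `allowed` map, so the accepted set is maintained in two places, while the other caller in `ReverseProxyInit` uses the helper alone and gets a silent 0 for bad input. Treat the helper's zero result as the validation failure and drop the map, and spell the versions with the `crypto/tls` constants instead of bare hex so the mapping can be checked at a glance (this needs `crypto/tls` imported in this file if it is not already). The result of `sysdb.Write` is discarded right before the proxy is restarted; if it can report failure, log it so the runtime minimum and the persisted one cannot silently diverge across a restart. The handler also serves GET and POST from one function keyed only on the presence of `set`, so a state-changing request relies entirely on whatever method and CSRF checks `authRouter` applies — worth confirming rather than assuming.
```go
func minTlsVersionStringToUint16(version string) uint16 {
	// Zero is returned for unrecognised input so callers can treat it as invalid.
	switch version {
	case "1.0":
		return tls.VersionTLS10
	case "1.1":
		return tls.VersionTLS11
	case "1.2":
		return tls.VersionTLS12
	case "1.3":
		return tls.VersionTLS13
	}
	return 0
}

// … unchanged: GET branch of handleSetTlsMinVersion …
	tlsVersionUint16 := minTlsVersionStringToUint16(newVersion)
	if tlsVersionUint16 == 0 {
		utils.SendErrorResponse(w, "invalid TLS version")
		return
	}
	sysdb.Write("settings", "minTLSVersion", newVersion)
// … unchanged: log line, SetTlsMinVersion, SendOK …
```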


@@ -48,8 +48,8 @@ func (router *Router) UpdateTLSSetting(tlsEnabled bool) {
// Update TLS Version in runtime. Will restart proxy server if running.
// Set this to true to force TLS 1.2 or above
func (router *Router) UpdateTLSVersion(requireLatest bool) {
router.Option.ForceTLSLatest = requireLatest
func (router *Router) SetTlsMinVersion(minTlsVersion uint16) {
router.Option.MinTLSVersion = minTlsVersion
router.Restart()
}
@@ -77,9 +77,9 @@ func (router *Router) StartProxyService() error {
return errors.New("reverse proxy router root not set")
}
minVersion := tls.VersionTLS10
if router.Option.ForceTLSLatest {
minVersion = tls.VersionTLS12
minVersion := tls.VersionTLS12 //Default to TLS 1.2
if router.Option.MinTLSVersion != 0 {
minVersion = int(router.Option.MinTLSVersion)
}
config := &tls.Config{
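Review bot: The doc comment above `SetTlsMinVersion` still reads "Set this to true to force TLS 1.2 or above", which described the removed bool parameter; the new parameter is a `tls.VersionTLS*` value and, per the `!= 0` check in `StartProxyService`, zero now means "use the TLS 1.2 default". Replace it with `// Set the minimum TLS version (a tls.VersionTLS* constant); 0 selects the TLS 1.2 default.`. That check accepts any non-zero uint16, so an out-of-range value would be handed straight to `tls.Config` and only fail at handshake time; this is fine only because the API handler validates first, and a one-line comment stating that invariant would keep the next caller from bypassing it. `StartProxyService` begins and ends outside this hunk.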


@@ -49,7 +49,7 @@ type RouterOption struct {
HostVersion string //The version of Zoraxy, use for heading mod
Port int //Incoming port
UseTls bool //Use TLS to serve incoming requsts
ForceTLSLatest bool //Force TLS1.2 or above
MinTLSVersion uint16 //Minimum TLS version
NoCache bool //Force set Cache-Control: no-store
ListenOnPort80 bool //Enable port 80 http listener
ForceHttpsRedirect bool //Force redirection of http to https endpoint
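Review bot: The new field comment `//Minimum TLS version` says neither what encoding the value uses nor what zero means, and both matter to anyone constructing a `RouterOption` outside the API path. `StartProxyService` treats 0 as TLS 1.2, so `MinTLSVersion uint16 //Minimum TLS version as a tls.VersionTLS* constant; 0 means the TLS 1.2 default` captures the contract. The `RouterOption` struct begins and ends outside this hunk.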


@@ -58,13 +58,9 @@ func ReverseProxyInit() {
SystemWideLogger.Println("TLS mode disabled. Serving proxy request with plain http")
}
forceLatestTLSVersion := false
sysdb.Read("settings", "forceLatestTLS", &forceLatestTLSVersion)
if forceLatestTLSVersion {
SystemWideLogger.Println("Force latest TLS mode enabled. Minimum TLS LS version is set to v1.2")
} else {
SystemWideLogger.Println("Force latest TLS mode disabled. Minimum TLS version is set to v1.0")
}
minTLSVersion := "1.2" // default
sysdb.Read("settings", "minTLSVersion", &minTLSVersion)
SystemWideLogger.Println("Minimum TLS version set to v" + minTLSVersion)
developmentMode := false
sysdb.Read("settings", "devMode", &developmentMode)
@@ -106,7 +102,7 @@ func ReverseProxyInit() {
HostVersion: SYSTEM_VERSION,
Port: inboundPort,
UseTls: useTls,
ForceTLSLatest: forceLatestTLSVersion,
MinTLSVersion: minTlsVersionStringToUint16(minTLSVersion),
NoCache: developmentMode,
ListenOnPort80: listenOnPort80,
ForceHttpsRedirect: forceHttpsRedirect,
@@ -125,6 +121,7 @@ func ReverseProxyInit() {
DevelopmentMode: *development_build,
Logger: SystemWideLogger,
})
if err != nil {
SystemWideLogger.PrintAndLog("proxy-config", "Unable to create dynamic proxy router", err)
return
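Review bot: `ReverseProxyInit` reads `minTLSVersion` straight from the settings store and logs it as the effective minimum, but a value outside "1.0"–"1.3" (a hand-edited or corrupted entry) maps to 0 in `minTlsVersionStringToUint16`, which the router then silently turns into TLS 1.2 while the log line claims something else. Validate the stored string once here and fall back to "1.2" with a warning so the log reflects what the listener will actually enforce. The legacy `forceLatestTLS` key is no longer read, so an installation that had it off (TLS 1.0 allowed) moves to 1.2 on upgrade; that is the safer direction but deserves a release note, and the stale key could be deleted at the same time. `ReverseProxyInit` begins and ends outside this hunk.
```go
	minTLSVersion := "1.2" // default
	sysdb.Read("settings", "minTLSVersion", &minTLSVersion)
	if minTlsVersionStringToUint16(minTLSVersion) == 0 {
		SystemWideLogger.Println("Unrecognized minimum TLS version '" + minTLSVersion + "' in settings, falling back to v1.2")
		minTLSVersion = "1.2"
	}
	SystemWideLogger.Println("Minimum TLS version set to v" + minTLSVersion)
	// … unchanged: devMode read and RouterOption construction …
```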


@@ -110,10 +110,19 @@
Advance Settings
</div>
<div class="content">
<div id="tlsMinVer" class="ui toggle notloopbackOnly tlsEnabledOnly checkbox" style="margin-top: 0.6em;">
<input type="checkbox">
<label>Force TLS v1.2 or above<br>
<small>(Enhance security, but not compatible with legacy browsers)</small></label>
<div id="tlsMinVer" class="ui notloopbackOnly tlsEnabledOnly" style="margin-top: 0.6em;">
<div style="display: flex; align-items: center; gap: 1em;">
<select id="tlsVersionSelect" class="ui dropdown">
<option value="1.0">TLS v1.0</option>
<option value="1.1">TLS v1.1</option>
<option value="1.2">TLS v1.2</option>
<option value="1.3">TLS v1.3</option>
</select>
<p for="tlsVersionSelect" style="margin: 0;">
Minimum TLS Version<br>
<small>(Enhance security, but may not be compatible with legacy browsers)</small>
</p>
</div>
</div>
<br>
<div id="developmentMode" class="ui toggle checkbox" style="margin-top: 0.6em;">
@@ -466,31 +475,28 @@
initHTTPtoHTTPSRedirectSetting();
function initTlsVersionSetting(){
$.get("/api/cert/tlsRequireLatest", function(data){
if (data == true){
$("#tlsMinVer").checkbox("set checked");
}else{
$("#tlsMinVer").checkbox("set unchecked");
$.get("/api/cert/tlsMinVersion", function(data){
// Set dropdown value
if (data && typeof data === "string") {
$("#tlsVersionSelect").val(data);
}
//Bind events to the checkbox
$("#tlsMinVer").find("input").on("change", function(){
let thisValue = $("#tlsMinVer").checkbox("is checked");
// Bind change event
$("#tlsVersionSelect").off("change").on("change", function(){
var selectedVersion = $(this).val();
$.cjax({
url: "/api/cert/tlsRequireLatest",
data: {"set": thisValue},
url: "/api/cert/tlsMinVersion",
method: "POST",
data: {set: selectedVersion},
success: function(data){
if (data.error != undefined){
msgbox(data.error, false, 5000);
}else{
msgbox("TLS Version Setting Updated");
msgbox("TLS minimum version updated");
}
}
})
});
});
});
}
initTlsVersionSetting();
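Review bot: The dropdown offers TLS v1.0 and v1.1 with nothing marking them as deprecated (RFC 8996), so an administrator can downgrade the whole proxy with no hint that this is the insecure direction; the small print beside it only mentions legacy-browser compatibility. Label those two entries, e.g. `<option value="1.0">TLS v1.0 (deprecated, insecure)</option>` and `<option value="1.1">TLS v1.1 (deprecated, insecure)</option>`. `for` is not a valid attribute on `<p>`; make it `<label for="tlsVersionSelect" style="margin: 0;">` so clicking the text focuses the select. In the change handler the select keeps the newly chosen value even when the API answers with `data.error`, so re-issuing the GET in that branch (or restoring the previous value) would stop the UI from displaying a minimum the server rejected; if the select is initialised as a Semantic UI dropdown elsewhere, `.val(data)` may also leave the rendered text stale where `.dropdown("set selected", data)` would not.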