Add https upstream support

main.go

@@ -117,16 +117,22 @@ func newHTTPProxy(cfg *config.Config) http.Handler {
 	log.Printf("[INFO] Using routing strategy %q", cfg.Proxy.Strategy)
 	log.Printf("[INFO] Using route matching %q", cfg.Proxy.Matcher)
 
-	return &proxy.HTTPProxy{
-		Config: cfg.Proxy,
-		Transport: &http.Transport{
+	newTransport := func(tlscfg *tls.Config) *http.Transport {
+		return &http.Transport{
 			ResponseHeaderTimeout: cfg.Proxy.ResponseHeaderTimeout,
 			MaxIdleConnsPerHost:   cfg.Proxy.MaxConn,
 			Dial: (&net.Dialer{
 				Timeout:   cfg.Proxy.DialTimeout,
 				KeepAlive: cfg.Proxy.KeepAliveTimeout,
 			}).Dial,
-		},
+			TLSClientConfig: tlscfg,
+		}
+	}
+
+	return &proxy.HTTPProxy{
+		Config:            cfg.Proxy,
+		Transport:         newTransport(nil),
+		InsecureTransport: newTransport(&tls.Config{InsecureSkipVerify: true}),
 		Lookup: func(r *http.Request) *route.Target {
 			t := route.GetTable().Lookup(r, r.Header.Get("trace"), pick, match)
 			if t == nil {

proxy/http_integration_test.go

@@ -3,6 +3,8 @@ package proxy
 import (
 	"bytes"
 	"compress/gzip"
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"net"
 	"net/http"
@@ -17,6 +19,7 @@ import (
 
 	"github.com/eBay/fabio/config"
 	"github.com/eBay/fabio/logger"
+	"github.com/eBay/fabio/proxy/internal"
 	"github.com/eBay/fabio/route"
 	"github.com/pascaldekloe/goe/verify"
 )
@@ -193,6 +196,78 @@ func TestProxyLogOutput(t *testing.T) {
 	verify.Values(t, "", got, want)
 }
 
+func TestProxyHTTPSUpstream(t *testing.T) {
+	var err error
+	server := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Write([]byte("OK"))
+	}))
+	server.TLS = &tls.Config{
+		Certificates: make([]tls.Certificate, 1),
+	}
+	server.TLS.Certificates[0], err = tls.X509KeyPair(internal.LocalhostCert, internal.LocalhostKey)
+	if err != nil {
+		t.Fatalf("failed to set cert")
+	}
+	server.StartTLS()
+	defer server.Close()
+
+	rootCAs := x509.NewCertPool()
+	if ok := rootCAs.AppendCertsFromPEM(internal.LocalhostCert); !ok {
+		t.Fatal("could not parse cert")
+	}
+	proxy := &HTTPProxy{
+		Config: config.Proxy{},
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{RootCAs: rootCAs},
+		},
+		Lookup: func(r *http.Request) *route.Target {
+			tbl, _ := route.NewTable("route add srv / " + server.URL + ` opts "proto=https"`)
+			return tbl.Lookup(r, "", route.Picker["rr"], route.Matcher["prefix"])
+		},
+	}
+	req := makeReq("/")
+	rec := httptest.NewRecorder()
+	proxy.ServeHTTP(rec, req)
+
+	if got, want := rec.Code, http.StatusOK; got != want {
+		t.Fatalf("got status %d want %d", got, want)
+	}
+	if got, want := rec.Body.String(), "OK"; got != want {
+		t.Fatalf("got body %q want %q", got, want)
+	}
+}
+
+func TestProxyHTTPSUpstreamSkipVerify(t *testing.T) {
+	server := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Write([]byte("OK"))
+	}))
+	server.TLS = &tls.Config{}
+	server.StartTLS()
+	defer server.Close()
+
+	proxy := &HTTPProxy{
+		Config:    config.Proxy{},
+		Transport: http.DefaultTransport,
+		InsecureTransport: &http.Transport{
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+		},
+		Lookup: func(r *http.Request) *route.Target {
+			tbl, _ := route.NewTable("route add srv / " + server.URL + ` opts "proto=https tlsskipverify=true"`)
+			return tbl.Lookup(r, "", route.Picker["rr"], route.Matcher["prefix"])
+		},
+	}
+	req := makeReq("/")
+	rec := httptest.NewRecorder()
+	proxy.ServeHTTP(rec, req)
+
+	if got, want := rec.Code, http.StatusOK; got != want {
+		t.Fatalf("got status %d want %d", got, want)
+	}
+	if got, want := rec.Body.String(), "OK"; got != want {
+		t.Fatalf("got body %q want %q", got, want)
+	}
+}
+
 func TestProxyGzipHandler(t *testing.T) {
 	tests := []struct {
 		desc            string

proxy/http_proxy.go

@@ -27,6 +27,11 @@ type HTTPProxy struct {
 	// The proxy will panic if this value is nil.
 	Transport http.RoundTripper
 
+	// InsecureTransport is the http connection pool configured with
+	// InsecureSkipVerify set. This is used for https proxies with
+	// self-signed certs.
+	InsecureTransport http.RoundTripper
+
 	// Lookup returns a target host for the given request.
 	// The proxy will panic if this value is nil.
 	Lookup func(*http.Request) *route.Target
@@ -89,6 +94,11 @@ func (p *HTTPProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 
 	upgrade, accept := r.Header.Get("Upgrade"), r.Header.Get("Accept")
 
+	transport := p.Transport
+	if t.TLSSkipVerify {
+		transport = p.InsecureTransport
+	}
+
 	var h http.Handler
 	switch {
 	case upgrade == "websocket" || upgrade == "Websocket":
@@ -97,10 +107,10 @@ func (p *HTTPProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	case accept == "text/event-stream":
 		// use the flush interval for SSE (server-sent events)
 		// must be > 0s to be effective
-		h = newHTTPProxy(targetURL, p.Transport, p.Config.FlushInterval)
+		h = newHTTPProxy(targetURL, transport, p.Config.FlushInterval)
 
 	default:
-		h = newHTTPProxy(targetURL, p.Transport, time.Duration(0))
+		h = newHTTPProxy(targetURL, transport, time.Duration(0))
 	}
 
 	if p.Config.GZIPContentTypes != nil {

registry/consul/service.go

@@ -116,6 +116,8 @@ func serviceConfig(client *api.Client, name string, passing map[string]bool, tag
 				dst := "http://" + addr + "/"
 				if strings.Contains(opts, "proto=tcp") {
 					dst = "tcp://" + addr
+				} else if strings.Contains(opts, "proto=https") {
+					dst = "https://" + addr
 				}
 				tags := strings.Join(svctags, ",")
 

route/route.go

@@ -70,6 +70,7 @@ func (r *Route) addTarget(service string, targetURL *url.URL, fixedWeight float6
 	}
 	if r.Opts != nil {
 		t.StripPath = r.Opts["strip"]
+		t.TLSSkipVerify = r.Opts["tlsskipverify"] == "true"
 	}
 
 	r.Targets = append(r.Targets, t)

route/target.go

@@ -17,6 +17,10 @@ type Target struct {
 	// request path
 	StripPath string
 
+	// TLSSkipVerify disables certificate validation for upstream
+	// TLS connections.
+	TLSSkipVerify bool
+
 	// URL is the endpoint the service instance listens on
 	URL *url.URL