summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorVsevolod Stakhov <vsevolod@rspamd.com>2023-12-14 15:09:38 +0000
committerVsevolod Stakhov <vsevolod@rspamd.com>2023-12-14 15:10:10 +0000
commit35479797646a4a1e5c4b0bfcb9a87d7e3b39dbcd (patch)
treee600ce842406301049469543d00a983808c4783d /src
parentb0e98a56befeed42291de8ac01d46f86879c6c97 (diff)
downloadrspamd-35479797646a4a1e5c4b0bfcb9a87d7e3b39dbcd.tar.gz
rspamd-35479797646a4a1e5c4b0bfcb9a87d7e3b39dbcd.zip
[Feature] Proxy: Allow `encrypted_only` option
Diffstat (limited to 'src')
-rw-r--r--src/rspamd_proxy.c22
1 files changed, 18 insertions, 4 deletions
diff --git a/src/rspamd_proxy.c b/src/rspamd_proxy.c
index 61a6f9d19..838de060e 100644
--- a/src/rspamd_proxy.c
+++ b/src/rspamd_proxy.c
@@ -1,11 +1,11 @@
-/*-
- * Copyright 2016 Vsevolod Stakhov
+/*
+ * Copyright 2023 Vsevolod Stakhov
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
- * http://www.apache.org/licenses/LICENSE-2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
@@ -137,6 +137,7 @@ struct rspamd_proxy_ctx {
GArray *cmp_refs;
/* Maximum count for retries */
guint max_retries;
+ gboolean encrypted_only;
/* If we have self_scanning backends, we need to work as a normal worker */
gboolean has_self_scan;
/* It is not HTTP but milter proxy */
@@ -786,6 +787,14 @@ init_rspamd_proxy(struct rspamd_config *cfg)
"Server's keypair");
rspamd_rcl_register_worker_option(cfg,
type,
+ "encrypted_only",
+ rspamd_rcl_parse_struct_boolean,
+ ctx,
+ G_STRUCT_OFFSET(struct rspamd_proxy_ctx, encrypted_only),
+ 0,
+ "Allow only encrypted connections");
+ rspamd_rcl_register_worker_option(cfg,
+ type,
"upstream",
rspamd_proxy_parse_upstream,
ctx,
@@ -2261,13 +2270,18 @@ proxy_accept_socket(EV_P_ ev_io *w, int revents)
}
if (!ctx->milter) {
+ int http_opts = 0;
+
+ if (ctx->encrypted_only && !rspamd_inet_address_is_local(addr)) {
+ http_opts |= RSPAMD_HTTP_REQUIRE_ENCRYPTION;
+ }
session->client_conn = rspamd_http_connection_new_server(
ctx->http_ctx,
nfd,
NULL,
proxy_client_error_handler,
proxy_client_finish_handler,
- 0);
+ http_opts);
if (ctx->key) {
rspamd_http_connection_set_key(session->client_conn, ctx->key);