config update for tls files and mysql register tls config
This commit is contained in:
parent
acdcfcc6eb
commit
7ddfd1b9c2
|
@ -4,8 +4,11 @@
|
|||
package setting
|
||||
|
||||
import (
|
||||
gotls "crypto/tls"
|
||||
"crypto/x509"
|
||||
"errors"
|
||||
"fmt"
|
||||
"github.com/go-sql-driver/mysql"
|
||||
"net"
|
||||
"net/url"
|
||||
"os"
|
||||
|
@ -32,6 +35,9 @@ var (
|
|||
Passwd string
|
||||
Schema string
|
||||
SSLMode string
|
||||
SSLCAFile string
|
||||
SSLCertFile string
|
||||
SSLKeyFile string
|
||||
Path string
|
||||
LogSQL bool
|
||||
MysqlCharset string
|
||||
|
@ -69,6 +75,12 @@ func loadDBSetting(rootCfg ConfigProvider) {
|
|||
Database.SSLMode = sec.Key("SSL_MODE").MustString("disable")
|
||||
Database.MysqlCharset = sec.Key("MYSQL_CHARSET").MustString("utf8mb4") // do not document it, end users won't need it.
|
||||
|
||||
if Database.SSLMode != "disable" {
|
||||
Database.SSLCAFile = sec.Key("SSL_CA_FILE").String()
|
||||
Database.SSLCertFile = sec.Key("SSL_CERT_FILE").String()
|
||||
Database.SSLKeyFile = sec.Key("SSL_KEY_FILE").String()
|
||||
}
|
||||
|
||||
Database.Path = sec.Key("PATH").MustString(filepath.Join(AppDataPath, "gitea.db"))
|
||||
Database.Timeout = sec.Key("SQLITE_TIMEOUT").MustInt(500)
|
||||
Database.SQLiteJournalMode = sec.Key("SQLITE_JOURNAL_MODE").MustString("")
|
||||
|
@ -88,6 +100,37 @@ func loadDBSetting(rootCfg ConfigProvider) {
|
|||
Database.AutoMigration = sec.Key("AUTO_MIGRATION").MustBool(true)
|
||||
}
|
||||
|
||||
func mysqlRegisterTLSConfig(name string) error {
|
||||
var (
|
||||
pem []byte
|
||||
err error
|
||||
ok bool
|
||||
cert gotls.Certificate
|
||||
)
|
||||
|
||||
rootCertPool := x509.NewCertPool()
|
||||
if pem, err = os.ReadFile(Database.SSLCAFile); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if ok = rootCertPool.AppendCertsFromPEM(pem); !ok {
|
||||
return fmt.Errorf("failed to append cert to cert pool")
|
||||
}
|
||||
|
||||
clientCert := make([]gotls.Certificate, 0, 1)
|
||||
if cert, err = gotls.LoadX509KeyPair(Database.SSLCertFile, Database.SSLKeyFile); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
clientCert = append(clientCert, cert)
|
||||
err = mysql.RegisterTLSConfig(name, &gotls.Config{
|
||||
Certificates: clientCert,
|
||||
RootCAs: rootCertPool,
|
||||
})
|
||||
|
||||
return err
|
||||
}
|
||||
|
||||
// DBConnStr returns database connection string
|
||||
func DBConnStr() (string, error) {
|
||||
var connStr string
|
||||
|
@ -104,6 +147,11 @@ func DBConnStr() (string, error) {
|
|||
tls := Database.SSLMode
|
||||
if tls == "disable" { // allow (Postgres-inspired) default value to work in MySQL
|
||||
tls = "false"
|
||||
} else if Database.SSLCAFile != "" && Database.SSLCertFile != "" && Database.SSLKeyFile != "" {
|
||||
if err := mysqlRegisterTLSConfig("full"); err != nil {
|
||||
return "", err
|
||||
}
|
||||
tls = "full"
|
||||
}
|
||||
connStr = fmt.Sprintf("%s:%s@%s(%s)/%s%scharset=%s&parseTime=true&tls=%s",
|
||||
Database.User, Database.Passwd, connType, Database.Host, Database.Name, paramSep, Database.MysqlCharset, tls)
|
||||
|
|
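Review bot: The `else if` at the end of DBConnStr registers the custom TLS config only when SSL_CA_FILE, SSL_CERT_FILE and SSL_KEY_FILE are all set, so a CA-only deployment (server certificate verification without a client certificate) silently falls through and `tls` keeps the raw SSL_MODE value, which the driver presumably rejects as an unknown config name. Making the client key pair optional inside mysqlRegisterTLSConfig and changing the guard to `} else if Database.SSLCAFile != "" {` covers that case while keeping mutual TLS when both halves are configured. While there, the two `return err` lines after os.ReadFile and LoadX509KeyPair drop the file path from the error, and `fmt.Errorf("failed to append cert to cert pool")` has no format verbs and should be `errors.New` (the package is already imported). mysqlRegisterTLSConfig sits entirely inside the third hunk; DBConnStr's body continues past the last hunk.
```go
func mysqlRegisterTLSConfig(name string) error {
	rootCertPool := x509.NewCertPool()
	pem, err := os.ReadFile(Database.SSLCAFile)
	if err != nil {
		return fmt.Errorf("reading SSL_CA_FILE %q: %w", Database.SSLCAFile, err)
	}
	if !rootCertPool.AppendCertsFromPEM(pem) {
		return errors.New("no certificates found in SSL_CA_FILE")
	}
	cfg := &gotls.Config{RootCAs: rootCertPool}
	// The client certificate is optional: only load it when both halves are configured.
	if Database.SSLCertFile != "" && Database.SSLKeyFile != "" {
		cert, err := gotls.LoadX509KeyPair(Database.SSLCertFile, Database.SSLKeyFile)
		if err != nil {
			return fmt.Errorf("loading SSL_CERT_FILE/SSL_KEY_FILE: %w", err)
		}
		cfg.Certificates = []gotls.Certificate{cert}
	}
	return mysql.RegisterTLSConfig(name, cfg)
}
```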