authorGravatar Ruslan Drozhdzh <30860269+rdrozhdzh@users.noreply.github.com> 2018-03-30 16:35:09 +0300
committerGravatar Miek Gieben <miek@miek.nl> 2018-03-30 14:35:09 +0100
commitf19a3b24ca2510c0465db0183eb5b3bca9ec655a (patch)
tree3cd52197495ef2255137dca187ecd936a81c882b
parent0e0a641f16b0dc79526ac2eb17fd69ebdd8717cb (diff)
downloadcoredns-f19a3b24ca2510c0465db0183eb5b3bca9ec655a.tar.gz
coredns-f19a3b24ca2510c0465db0183eb5b3bca9ec655a.tar.zst
coredns-f19a3b24ca2510c0465db0183eb5b3bca9ec655a.zip
plugin/forward: improve tls configuration (#1643)
-rw-r--r--plugin/forward/README.md10
-rw-r--r--plugin/forward/setup.go4
2 files changed, 10 insertions, 4 deletions
diff --git a/plugin/forward/README.md b/plugin/forward/README.md
index f5011baaa..13f333197 100644
--- a/plugin/forward/README.md
+++ b/plugin/forward/README.md
@@ -60,8 +60,14 @@ forward FROM TO... {
an upstream to be down. If 0, the upstream will never be marked as down (nor health checked).
Default is 2.
* `expire` **DURATION**, expire (cached) connections after this time, the default is 10s.
-* `tls` **CERT** **KEY** **CA** define the TLS properties for TLS; if you leave this out the
- system's configuration will be used.
+* `tls` **CERT** **KEY** **CA** define the TLS properties for TLS connection. From 0 to 3 arguments can be
+ provided with the meaning as described below
+ * `tls` - no client authentication is used, and the system CAs are used to verify the server certificate
+ * `tls` **CA** - no client authentication is used, and the file CA is used to verify the server certificate
+ * `tls` **CERT** **KEY** - client authentication is used with the specified cert/key pair.
+ The server certificate is verified with the system CAs
+ * `tls` **CERT** **KEY** **CA** - client authentication is used with the specified cert/key pair.
+ The server certificate is verified using the specified CA file
* `tls_servername` **NAME** allows you to set a server name in the TLS configuration; for instance 9.9.9.9
needs this to be set to `dns.quad9.net`.
* `policy` specifies the policy to use for selecting upstream servers. The default is `random`.
diff --git a/plugin/forward/setup.go b/plugin/forward/setup.go
index 8d80e779d..71a5ec1f0 100644
--- a/plugin/forward/setup.go
+++ b/plugin/forward/setup.go
@@ -200,11 +200,11 @@ func parseBlock(c *caddy.Controller, f *Forward) error {
f.forceTCP = true
case "tls":
args := c.RemainingArgs()
- if len(args) != 3 {
+ if len(args) > 3 {
return c.ArgErr()
}
- tlsConfig, err := pkgtls.NewTLSConfig(args[0], args[1], args[2])
+ tlsConfig, err := pkgtls.NewTLSConfigFromArgs(args...)
if err != nil {
return err
}