Ability to load cert and key file in wrap_server or option to use custom wrap_server #1354
Unanswered
ananth-sivam asked this question in Q&A
Replies: 1 comment
-
I did not find a proper way either and tried to find a workaround.

```python
import ssl
from typing import Optional

from proxy.common.utils import text_
from proxy.core.connection import TcpServerConnection
from proxy.http.proxy import HttpProxyPlugin


class TcpServerConnectionOverridden(TcpServerConnection):
    def wrap(
        self,
        hostname: Optional[str] = None,
        ca_file: Optional[str] = None,
        as_non_blocking: bool = False,
        # Ref https://github.com/PyCQA/pylint/issues/3691
        verify_mode: ssl.VerifyMode = ssl.VerifyMode.CERT_REQUIRED,  # pylint: disable=E1101
    ) -> None:
        ctx = ssl.create_default_context(
            ssl.Purpose.SERVER_AUTH,
            cafile=ca_file,
        )
        ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
        ctx.check_hostname = hostname is not None
        ctx.verify_mode = verify_mode
        # for example, add what you need here
        ctx.load_cert_chain(certfile='/var/cert/clientcert.pem', keyfile='/var/cert/clientkey.pem')
        self.connection.setblocking(True)
        self._conn = ctx.wrap_socket(
            self.connection,
            server_hostname=hostname,
        )
        if as_non_blocking:
            self.connection.setblocking(False)


class HttpProxyPluginOverridden(HttpProxyPlugin):
    def connect_upstream(self) -> None:
        # ... content skipped ...
        if self.flags.enable_conn_pool:
            assert self.upstream_conn_pool
            with self.lock:
                created, self.upstream = self.upstream_conn_pool.acquire(
                    (text_(host), port),
                )
        else:
            # replace TcpServerConnection with TcpServerConnectionOverridden
            # keep in mind that something like this you may need to do with "self.upstream_conn_pool" above
            created, self.upstream = True, TcpServerConnectionOverridden(
                text_(host), port,
            )
        # ... content skipped ...
```

```console
proxy \
    --disable-http-proxy \
    --plugins overridden.HttpProxyPluginOverridden
```
-
Hi @abhinavsingh,

I could not find an option to provide a cert and key file, which can be wrapped in the TcpServerConnection.
i.e. I need a way to run the code below inside `proxy/core/connection/server.py:def wrap`:

```python
ctx.load_cert_chain(certfile='/var/cert/clientcert.pem', keyfile='/var/cert/clientkey.pem')
```

Please suggest a way!
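
The `load_cert_chain` call requested in the question, and hardcoded in the workaround's `wrap` override, can be factored into a context builder that takes the client certificate and key paths as parameters and refuses a private key readable by group or others. This is an added example, not proxy.py code or part of either post; `build_upstream_context`, `context_from_env` and the `UPSTREAM_*` environment variable names are hypothetical.

```python
import os
import ssl
import stat
from typing import Optional


def build_upstream_context(
    ca_file: Optional[str] = None,
    cert_file: Optional[str] = None,
    key_file: Optional[str] = None,
    verify_hostname: bool = True,
) -> ssl.SSLContext:
    """TLS context for the proxy-to-upstream leg, optionally presenting a client cert."""
    # SERVER_AUTH: this side is the TLS client and verifies the upstream server.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    # Same protocol floor as the OP_NO_* flags in the workaround, set via minimum_version.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = verify_hostname
    ctx.verify_mode = ssl.CERT_REQUIRED
    if bool(cert_file) != bool(key_file):
        raise ValueError('cert_file and key_file must be given together')
    if cert_file and key_file:
        mode = os.stat(key_file).st_mode  # FileNotFoundError if the path is wrong
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(
                f'{key_file} is accessible to group/others; expected mode 0600',
            )
        # Raises ssl.SSLError if the PEM is malformed or key and cert do not match.
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def context_from_env() -> ssl.SSLContext:
    # Hypothetical variable names; proxy.py itself defines no such settings.
    return build_upstream_context(
        ca_file=os.environ.get('UPSTREAM_CA_FILE'),
        cert_file=os.environ.get('UPSTREAM_CLIENT_CERT'),
        key_file=os.environ.get('UPSTREAM_CLIENT_KEY'),
    )
```

In the overridden `wrap`, the returned context would take the place of the inline `ctx`, with `wrap_socket(self.connection, server_hostname=hostname)` called on it as before.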