Allow using sts over a proxied hook like HAProxy.
authorSadie Powell <redacted>
Mon, 24 Oct 2022 19:12:00 +0000 (20:12 +0100)
committerSadie Powell <redacted>
Mon, 24 Oct 2022 19:12:00 +0000 (20:12 +0100)
Closes #1911.

src/modules/m_ircv3_sts.cpp

index 801d870824c79de9462a0d80fa1fc4fc46418edc..f7f03d7fa61b395107f8b3462e9f3ac663b7507e 100644 (file)
@@ -28,6 +28,7 @@ class STSCap : public Cap::Capability
        std::string host;
        std::string plaintextpolicy;
        std::string securepolicy;
+       mutable UserCertificateAPI sslapi;
 
        bool OnList(LocalUser* user) CXX11_OVERRIDE
        {
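Review bot: The `mutable` qualifier on the added `sslapi` member has no explanation, and it is the kind of qualifier a later maintainer may be tempted to strip. It looks to be there because `GetValue()` below is `const` while the dynamic-reference wrapper's `operator bool`/`operator->` resolve lazily and are non-const, but that is an inference from usage rather than something the hunk shows. A one-line comment would pin the reason down: `// mutable: resolved lazily from the const GetValue().` The enclosing class STSCap starts before this hunk.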
@@ -64,12 +65,19 @@ class STSCap : public Cap::Capability
 
        const std::string* GetValue(LocalUser* user) const CXX11_OVERRIDE
        {
-               return SSLIOHook::IsSSL(&user->eh) ? &securepolicy : &plaintextpolicy;
+               if (SSLIOHook::IsSSL(&user->eh))
+                       return &securepolicy; // Normal SSL connection.
+
+               if (sslapi && sslapi->GetCertificate(user))
+                       return &securepolicy; // Proxied SSL connection.
+
+               return &plaintextpolicy; // Plain text connection.
        }
 
  public:
        STSCap(Module* mod)
                : Cap::Capability(mod, "sts")
+               , sslapi(mod)
        {
                DisableAutoRegister();
        }
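Review bot: The new proxied branch in `GetValue` treats any certificate attached to a non-TLS user as proof that the client-to-proxy leg was TLS, and on that basis returns `securepolicy`, which (per the STS design) carries the `duration` value clients persist. That is only sound if the hook module is the sole thing that attaches a certificate via `UserCertificateAPI` to a plaintext connection, and only when the proxy reported a TLS client leg; nothing in this file enforces that, so a different module setting a cert on a plaintext user would hand them the secure policy. At minimum the assumption should be stated next to the check, e.g. replace the `// Proxied SSL connection.` comment with `// Proxied SSL connection: a cert on a non-TLS socket is only set by the hook (e.g. m_haproxy) when the client leg was TLS.` If that guarantee is not actually made by the hook module, a dedicated "transport is secure" signal would be safer than certificate presence.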
@@ -136,6 +144,10 @@ class ModuleIRCv3STS : public Module
                {
                        ListenSocket* ls = *iter;
 
+                       // Is this listener marked as providing SSL over HAProxy?
+                       if (!ls->bind_tag->getString("hook").empty() && ls->bind_tag->getBool("sslhook"))
+                               return true;
+
                        // Is this listener on the right port?
                        unsigned int saport = ls->bind_sa.port();
                        if (saport != port)
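Review bot: The added early `return true` fires for any listener whose `hook` is non-empty and `sslhook` is set, before the port comparison that follows, so one such listener satisfies this check for every port value, and the comment's "HAProxy" wording is narrower than the condition, which accepts any hook name. If the intent is that a proxy frontend port cannot be matched against the backend bind port, that is worth saying explicitly so the bypass is not mistaken for a bug; if the intent is HAProxy-specific, the condition should say so: `if (ls->bind_tag->getString("hook") == "haproxy" && ls->bind_tag->getBool("sslhook"))`. Either way a comment such as `// Proxied listeners are accepted for any port: the client-facing port belongs to the proxy, not to this bind.` would document the choice. The enclosing function and the loop over listeners begin before this hunk.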