caddytls: Zero out throttle window first (#5443)

* caddytls: Zero out throttle window first

* Don't error for on-demand 

Fixes b97c76fb47

---------

Co-authored-by: Francis Lavoie <lavofr@gmail.com>
Matt Holt
2023-03-20 12:06:00 -06:00
committed by GitHub
parent a7db0cfe55
commit 0cc49c053f
2 changed files with 23 additions and 15 deletions


@ -19,6 +19,7 @@ import (
"errors"
"fmt"
"net/http"
"strings"
"time"
"github.com/caddyserver/caddy/v2"
@ -224,8 +225,10 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
// on-demand TLS
var ond *certmagic.OnDemandConfig
if ap.OnDemand {
// ask endpoint is now required after a number of negligence cases causing abuse
if !ap.onlyInternalIssuer() && (tlsApp.Automation == nil || tlsApp.Automation.OnDemand == nil || tlsApp.Automation.OnDemand.Ask == "") {
// ask endpoint is now required after a number of negligence cases causing abuse;
// but is still allowed for explicit subjects (non-wildcard, non-unbounded),
// and for the internal issuer since it doesn't cause ACME issuer pressure
if ap.isWildcardOrDefault() && !ap.onlyInternalIssuer() && (tlsApp.Automation == nil || tlsApp.Automation.OnDemand == nil || tlsApp.Automation.OnDemand.Ask == "") {
return fmt.Errorf("on-demand TLS cannot be enabled without an 'ask' endpoint to prevent abuse; please refer to documentation for details")
}
ond = &certmagic.OnDemandConfig{
@ -294,6 +297,22 @@ func (ap *AutomationPolicy) onlyInternalIssuer() bool {
return ok
}
// isWildcardOrDefault determines if the subjects include any wildcard domains,
// or is the "default" policy (i.e. no subjects) which is unbounded.
func (ap *AutomationPolicy) isWildcardOrDefault() bool {
isWildcardOrDefault := false
if len(ap.Subjects) == 0 {
isWildcardOrDefault = true
}
for _, sub := range ap.Subjects {
if strings.HasPrefix(sub, "*") {
isWildcardOrDefault = true
break
}
}
return isWildcardOrDefault
}
// DefaultIssuers returns empty Issuers (not provisioned) to be used as defaults.
// This function is experimental and has no compatibility promises.
func DefaultIssuers() []certmagic.Issuer {
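Review bot: The relaxed on-demand guard in Provision now depends entirely on isWildcardOrDefault being exhaustive, and the helper only treats a subject as unbounded when it starts with `*` (`strings.HasPrefix(sub, "*")`). If a subject can ever carry a wildcard in a non-leading label, or an unexpanded placeholder, it would count as explicit and on-demand issuance would be allowed without an 'ask' endpoint; nothing visible here rules that out, so either a more conservative `strings.Contains(sub, "*")` or a comment stating why a leading `*` is sufficient would help. The helper would also read more directly with early returns (`if len(ap.Subjects) == 0 { return true }`, `return true` inside the loop, and a final `return false`) instead of the mutable flag and `break`. Provision's body continues outside the hunk.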