caddytls: Don't publish HTTPS record for CNAME'd domain (fix #6922)
This commit is contained in:
parent
173573035c
commit
782a3c7ac6
@ -630,6 +630,7 @@ func (dnsPub ECHDNSPublisher) PublisherKey() string {
|
||||
func (dnsPub *ECHDNSPublisher) PublishECHConfigList(ctx context.Context, innerNames []string, configListBin []byte) error {
|
||||
nameservers := certmagic.RecursiveNameservers(nil) // TODO: we could make resolvers configurable
|
||||
|
||||
nextName:
|
||||
for _, domain := range innerNames {
|
||||
zone, err := certmagic.FindZoneByFQDN(ctx, dnsPub.logger, domain, nameservers)
|
||||
if err != nil {
|
||||
@ -660,6 +661,14 @@ func (dnsPub *ECHDNSPublisher) PublishECHConfigList(ctx context.Context, innerNa
|
||||
var nameHasExistingRecord bool
|
||||
for _, rec := range recs {
|
||||
if rec.Name == relName {
|
||||
// CNAME records are exclusive of all other records, so we cannot publish an HTTPS
|
||||
// record for a domain that is CNAME'd. See #6922.
|
||||
if rec.Type == "CNAME" {
|
||||
dnsPub.logger.Warn("domain has CNAME record, so unable to publish ECH data to HTTPS record",
|
||||
zap.String("domain", domain),
|
||||
zap.String("cname_value", rec.Value))
|
||||
continue nextName
|
||||
}
|
||||
nameHasExistingRecord = true
|
||||
if rec.Type == "HTTPS" && (rec.Target == "" || rec.Target == ".") {
|
||||
httpsRec = rec
|
||||
|
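Review bot: The CNAME branch added under `if rec.Name == relName` only warns and does `continue nextName`, so PublishECHConfigList still returns nil for that name and the operator's only signal that clients cannot discover ECH for it is a log line; the message should say what to do, e.g. `dnsPub.logger.Warn("domain has CNAME record, so unable to publish ECH data to HTTPS record; publish the HTTPS record at the CNAME target or replace the CNAME with A/AAAA records",` with the same zap fields. The match `rec.Type == "CNAME"` is case-sensitive, so a provider that reports record types in another case would slip past this check and fall into the existing-record path; `strings.EqualFold(rec.Type, "CNAME")` would be safer, though I cannot confirm from this hunk how the providers in use normalize the type. The `nextName` label this relies on is the line added in the first hunk; the remainder of the record loop and the function's return are outside both hunks.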