WIP Caddyfile

2025-04-24 05:44:04 +08:00 · 2025-02-26 10:35:47 -07:00 · 2025-02-26 10:35:47 -07:00 · d527ac3486
commit d527ac3486
parent b5ef11ad7a
3 changed files with 127 additions and 20 deletions
--- a/caddyconfig/httpcaddyfile/builtins.go
+++ b/caddyconfig/httpcaddyfile/builtins.go
@ -112,6 +112,9 @@ func parseBind(h Helper) ([]ConfigValue, error) {
 //	    issuer                        <module_name> [...]
 //	    get_certificate               <module_name> [...]
 //	    insecure_secrets_log          <log_file>
+//	    ech <public_name> {
+//	        dns <provider> ...
+//	    }
 //	}
 func parseTLS(h Helper) ([]ConfigValue, error) {
 	h.Next() // consume directive name
@ -461,6 +464,34 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 			}
 			cp.InsecureSecretsLog = h.Val()

+		// case "ech":
+		// 	if !h.NextArg() {
+		// 		return nil, h.ArgErr()
+		// 	}
+		// 	if cp.EncryptedClientHello == nil {
+		// 		cp.EncryptedClientHello = new(caddytls.ECH)
+		// 	}
+		// 	cp.EncryptedClientHello.PublicName = h.Val()
+
+		// 	for nesting := h.Nesting(); h.NextBlock(nesting); {
+		// 		switch h.Val() {
+		// 		case "dns":
+		// 			if !h.Next() {
+		// 				return nil, h.ArgErr()
+		// 			}
+		// 			providerName := h.Val()
+		// 			modID := "dns.providers." + providerName
+		// 			unm, err := caddyfile.UnmarshalModule(h.Dispenser, modID)
+		// 			if err != nil {
+		// 				return nil, err
+		// 			}
+		// 			cp.EncryptedClientHello.DNSProviderRaw = caddyconfig.JSONModuleObject(unm, "name", providerName, h.warnings)
+		// 		default:
+		// 			return nil, h.Errf("ech: unrecognized subdirective '%s'", h.Val())
+		// 		}
+		// 	}
+		// 	log.Println("CP:", cp.EncryptedClientHello)
+
 		default:
 			return nil, h.Errf("unknown subdirective: %s", h.Val())
 		}
--- a/caddyconfig/httpcaddyfile/options.go
+++ b/caddyconfig/httpcaddyfile/options.go
@ -19,6 +19,7 @@ import (
 	"strconv"

 	"github.com/caddyserver/certmagic"
+	"github.com/libdns/libdns"
 	"github.com/mholt/acmez/v3/acme"

 	"github.com/caddyserver/caddy/v2"
@ -45,7 +46,7 @@ func init() {
 	RegisterGlobalOption("ocsp_interval", parseOptDuration)
 	RegisterGlobalOption("acme_ca", parseOptSingleString)
 	RegisterGlobalOption("acme_ca_root", parseOptSingleString)
-	RegisterGlobalOption("acme_dns", parseOptACMEDNS)
+	RegisterGlobalOption("acme_dns", parseOptDNS)
 	RegisterGlobalOption("acme_eab", parseOptACMEEAB)
 	RegisterGlobalOption("cert_issuer", parseOptCertIssuer)
 	RegisterGlobalOption("skip_install_trust", parseOptTrue)
@ -62,6 +63,8 @@ func init() {
 	RegisterGlobalOption("log", parseLogOptions)
 	RegisterGlobalOption("preferred_chains", parseOptPreferredChains)
 	RegisterGlobalOption("persist_config", parseOptPersistConfig)
+	RegisterGlobalOption("dns", parseOptDNS)
+	RegisterGlobalOption("ech", parseOptECH)
 }

 func parseOptTrue(d *caddyfile.Dispenser, _ any) (any, error) { return true, nil }
@ -238,25 +241,6 @@ func parseOptDuration(d *caddyfile.Dispenser, _ any) (any, error) {
 	return caddy.Duration(dur), nil
 }

-func parseOptACMEDNS(d *caddyfile.Dispenser, _ any) (any, error) {
-	if !d.Next() { // consume option name
-		return nil, d.ArgErr()
-	}
-	if !d.Next() { // get DNS module name
-		return nil, d.ArgErr()
-	}
-	modID := "dns.providers." + d.Val()
-	unm, err := caddyfile.UnmarshalModule(d, modID)
-	if err != nil {
-		return nil, err
-	}
-	prov, ok := unm.(certmagic.DNSProvider)
-	if !ok {
-		return nil, d.Errf("module %s (%T) is not a certmagic.DNSProvider", modID, unm)
-	}
-	return prov, nil
-}
-
 func parseOptACMEEAB(d *caddyfile.Dispenser, _ any) (any, error) {
 	eab := new(acme.EAB)
 	d.Next() // consume option name
@ -570,3 +554,90 @@ func parseOptPreferredChains(d *caddyfile.Dispenser, _ any) (any, error) {
 	d.Next()
 	return caddytls.ParseCaddyfilePreferredChainsOptions(d)
 }
+
+func parseOptDNS(d *caddyfile.Dispenser, _ any) (any, error) {
+	d.Next() // consume option name
+
+	if !d.Next() { // get DNS module name
+		return nil, d.ArgErr()
+	}
+	modID := "dns.providers." + d.Val()
+	unm, err := caddyfile.UnmarshalModule(d, modID)
+	if err != nil {
+		return nil, err
+	}
+	switch unm.(type) {
+	case libdns.RecordGetter,
+		libdns.RecordSetter,
+		libdns.RecordAppender,
+		libdns.RecordDeleter:
+	default:
+		return nil, d.Errf("module %s (%T) is not a libdns provider", modID, unm)
+	}
+	return unm, nil
+}
+
+func parseOptECH(d *caddyfile.Dispenser, _ any) (any, error) {
+	d.Next() // consume option name
+
+	// outers := d.RemainingArgs()
+
+	// for nesting := d.Nesting(); d.NextBlock(nesting); {
+	// 	switch d.Val() {
+	// 	case "dns":
+	// 		if !d.Next() { // get the DNS module name
+	// 			return nil, d.ArgErr()
+	// 		}
+	// 		modID := "dns.providers." + d.Val()
+	// 		unm, err := caddyfile.UnmarshalModule(d, modID)
+	// 		if err != nil {
+	// 			return nil, err
+	// 		}
+	// 		rs, ok := unm.(libdns.RecordSetter)
+	// 		if !ok {
+	// 			return nil, d.Errf("module %s (%T) is not a libdns.RecordSetter", modID, unm)
+	// 		}
+	// 	}
+	// }
+
+	ech := new(caddytls.ECH)
+
+	publicNames := d.RemainingArgs()
+	for _, publicName := range publicNames {
+		ech.Configs = append(ech.Configs, caddytls.ECHConfiguration{
+			OuterSNI: publicName,
+		})
+	}
+	if len(ech.Configs) == 0 {
+		return nil, d.ArgErr()
+	}
+
+	for nesting := d.Nesting(); d.NextBlock(nesting); {
+		switch d.Val() {
+		case "dns":
+			if !d.Next() {
+				return nil, d.ArgErr()
+			}
+			providerName := d.Val()
+			modID := "dns.providers." + providerName
+			unm, err := caddyfile.UnmarshalModule(d, modID)
+			if err != nil {
+				return nil, err
+			}
+			ech.Publication = append(ech.Publication, &caddytls.ECHPublication{
+				Configs: publicNames,
+				PublishersRaw: caddy.ModuleMap{
+					"dns": caddyconfig.JSON(caddytls.ECHDNSPublisherList{
+						{
+							ProviderRaw: caddyconfig.JSONModuleObject(unm, "name", providerName, nil),
+						},
+					}, nil),
+				},
+			})
+		default:
+			return nil, d.Errf("ech: unrecognized subdirective '%s'", d.Val())
+		}
+	}
+
+	return ech, nil
+}
--- a/caddyconfig/httpcaddyfile/tlsapp.go
+++ b/caddyconfig/httpcaddyfile/tlsapp.go
@ -359,6 +359,11 @@ func (st ServerType) buildTLSApp(
 		tlsApp.Automation.OnDemand = onDemand
 	}

+	// set up ECH from Caddyfile options
+	if ech, ok := options["ech"].(*caddytls.ECH); ok {
+		tlsApp.EncryptedClientHello = ech
+	}
+
 	// if the storage clean interval is a boolean, then it's "off" to disable cleaning
 	if sc, ok := options["storage_check"].(string); ok && sc == "off" {
 		tlsApp.DisableStorageCheck = true