github-mirror/caddy
github-mirror/caddy
2
0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2025-04-19 10:49:17 +08:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into forward-proxy

Browse Source
This commit is contained in:
Mohammed Al Sahaf 2025-03-14 04:44:41 +03:00 committed by GitHub
commit feebacf667
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
22 changed files with 356 additions and 121 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
.github/workflows/ci.yml vendored
View File

@ -12,6 +12,10 @@ on:
- master
- 2.*
env:
# https://github.com/actions/setup-go/issues/491
GOTOOLCHAIN: local
jobs:
test:
strategy:
@ -95,7 +99,7 @@ jobs:
env:
CGO_ENABLED: 0
run: |
go build -tags nobadger -trimpath -ldflags="-w -s" -v
go build -tags nobadger,nomysql,nopgx -trimpath -ldflags="-w -s" -v
- name: Smoke test Caddy
working-directory: ./cmd/caddy
@ -118,7 +122,7 @@ jobs:
# continue-on-error: true
run: |
# (go test -v -coverprofile=cover-profile.out -race ./... 2>&1) > test-results/test-result.out
go test -tags nobadger -v -coverprofile="cover-profile.out" -short -race ./...
go test -tags nobadger,nomysql,nopgx -v -coverprofile="cover-profile.out" -short -race ./...
# echo "status=$?" >> $GITHUB_OUTPUT
# Relevant step if we reinvestigate publishing test/coverage reports
@ -166,7 +170,7 @@ jobs:
retries=3
exit_code=0
while ((retries > 0)); do
CGO_ENABLED=0 go test -p 1 -tags nobadger -v ./...
CGO_ENABLED=0 go test -p 1 -tags nobadger,nomysql,nopgx -v ./...
exit_code=$?
if ((exit_code == 0)); then
break

4
.github/workflows/cross-build.yml vendored
View File

@ -10,6 +10,10 @@ on:
- master
- 2.*
env:
# https://github.com/actions/setup-go/issues/491
GOTOOLCHAIN: local
jobs:
build:
strategy:

4
.github/workflows/lint.yml vendored
View File

@ -13,6 +13,10 @@ on:
permissions:
contents: read
env:
# https://github.com/actions/setup-go/issues/491
GOTOOLCHAIN: local
jobs:
# From https://github.com/golangci/golangci-lint-action
golangci:

4
.github/workflows/release.yml vendored
View File

@ -5,6 +5,10 @@ on:
tags:
- 'v*.*.*'
env:
# https://github.com/actions/setup-go/issues/491
GOTOOLCHAIN: local
jobs:
release:
name: Release

4
caddyconfig/httpcaddyfile/httptype.go
View File

@ -191,7 +191,7 @@ func (st ServerType) Setup(
metrics, _ := options["metrics"].(*caddyhttp.Metrics)
for _, s := range servers {
if s.Metrics != nil {
metrics = cmp.Or[*caddyhttp.Metrics](metrics, &caddyhttp.Metrics{})
metrics = cmp.Or(metrics, &caddyhttp.Metrics{})
metrics = &caddyhttp.Metrics{
PerHost: metrics.PerHost || s.Metrics.PerHost,
}
@ -350,7 +350,7 @@ func (st ServerType) Setup(
// avoid duplicates by sorting + compacting
sort.Strings(defaultLog.Exclude)
defaultLog.Exclude = slices.Compact[[]string, string](defaultLog.Exclude)
defaultLog.Exclude = slices.Compact(defaultLog.Exclude)
}
}
// we may have not actually added anything, so remove if empty

2
caddyconfig/httpcaddyfile/serveroptions.go
View File

@ -246,6 +246,8 @@ func unmarshalCaddyfileServerOptions(d *caddyfile.Dispenser) (any, error) {
switch d.Val() {
case "per_host":
serverOpts.Metrics.PerHost = true
default:
return nil, d.Errf("unrecognized metrics option '%s'", d.Val())
}
}

2
modules/caddyhttp/app.go
View File

@ -207,7 +207,7 @@ func (app *App) Provision(ctx caddy.Context) error {
if srv.Metrics != nil {
srv.logger.Warn("per-server 'metrics' is deprecated; use 'metrics' in the root 'http' app instead")
app.Metrics = cmp.Or[*Metrics](app.Metrics, &Metrics{
app.Metrics = cmp.Or(app.Metrics, &Metrics{
init: sync.Once{},
httpMetrics: &httpMetrics{},
})

17
modules/caddyhttp/autohttps.go
View File

@ -163,6 +163,7 @@ func (app *App) automaticHTTPSPhase1(ctx caddy.Context, repl *caddy.Replacer) er
}
}
// trim the list of domains covered by wildcards, if configured
if srv.AutoHTTPS.PreferWildcard {
wildcards := make(map[string]struct{})
for d := range serverDomainSet {
@ -184,6 +185,17 @@ func (app *App) automaticHTTPSPhase1(ctx caddy.Context, repl *caddy.Replacer) er
}
}
// build the list of domains that could be used with ECH (if enabled)
// so the TLS app can know to publish ECH configs for them; we do this
// after trimming domains covered by wildcards because, presumably,
// if the user wants to use wildcard certs, they also want to use the
// wildcard for ECH, rather than individual subdomains
echDomains := make([]string, 0, len(serverDomainSet))
for d := range serverDomainSet {
echDomains = append(echDomains, d)
}
app.tlsApp.RegisterServerNames(echDomains)
// nothing more to do here if there are no domains that qualify for
// automatic HTTPS and there are no explicit TLS connection policies:
// if there is at least one domain but no TLS conn policy (F&&T), we'll
@ -205,7 +217,6 @@ func (app *App) automaticHTTPSPhase1(ctx caddy.Context, repl *caddy.Replacer) er
// for all the hostnames we found, filter them so we have
// a deduplicated list of names for which to obtain certs
// (only if cert management not disabled for this server)
var echDomains []string
if srv.AutoHTTPS.DisableCerts {
logger.Warn("skipping automated certificate management for server because it is disabled", zap.String("server_name", srvName))
} else {
@ -232,14 +243,10 @@ func (app *App) automaticHTTPSPhase1(ctx caddy.Context, repl *caddy.Replacer) er
}
uniqueDomainsForCerts[d] = struct{}{}
echDomains = append(echDomains, d)
}
}
}
// let the TLS server know we have some hostnames that could be protected behind ECH
app.tlsApp.RegisterServerNames(echDomains)
// tell the server to use TLS if it is not already doing so
if srv.TLSConnPolicies == nil {
srv.TLSConnPolicies = caddytls.ConnectionPolicies{new(caddytls.ConnectionPolicy)}

5
modules/caddyhttp/headers/headers.go
View File

@ -78,7 +78,7 @@ func (h Handler) Validate() error {
return err
}
}
if h.Response != nil {
if h.Response != nil && h.Response.HeaderOps != nil {
err := h.Response.validate()
if err != nil {
return err
@ -133,6 +133,9 @@ type HeaderOps struct {
// Provision sets up the header operations.
func (ops *HeaderOps) Provision(_ caddy.Context) error {
if ops == nil {
return nil // it's possible no ops are configured; fix #6893
}
for fieldName, replacements := range ops.Replace {
for i, r := range replacements {
if r.SearchRegexp == "" {

2
modules/caddyhttp/matchers.go
View File

@ -1342,6 +1342,8 @@ func (m *MatchTLS) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
case "early_data":
var false bool
m.HandshakeComplete = &false
default:
return d.Errf("unrecognized option '%s'", d.Val())
}
}
if d.NextArg() {

6
modules/caddyhttp/requestbody/caddyfile.go
View File

@ -68,6 +68,12 @@ func parseCaddyfile(h httpcaddyfile.Helper) (caddyhttp.MiddlewareHandler, error)
}
rb.WriteTimeout = timeout
case "set":
var setStr string
if !h.AllArgs(&setStr) {
return nil, h.ArgErr()
}
rb.Set = setStr
default:
return nil, h.Errf("unrecognized request_body subdirective '%s'", h.Val())
}

17
modules/caddyhttp/requestbody/requestbody.go
View File

@ -18,6 +18,7 @@ import (
"errors"
"io"
"net/http"
"strings"
"time"
"go.uber.org/zap"
@ -43,6 +44,10 @@ type RequestBody struct {
// EXPERIMENTAL. Subject to change/removal.
WriteTimeout time.Duration `json:"write_timeout,omitempty"`
// This field permit to replace body on the fly
// EXPERIMENTAL. Subject to change/removal.
Set string `json:"set,omitempty"`
logger *zap.Logger
}
@ -60,6 +65,18 @@ func (rb *RequestBody) Provision(ctx caddy.Context) error {
}
func (rb RequestBody) ServeHTTP(w http.ResponseWriter, r *http.Request, next caddyhttp.Handler) error {
if rb.Set != "" {
if r.Body != nil {
err := r.Body.Close()
if err != nil {
return err
}
}
repl := r.Context().Value(caddy.ReplacerCtxKey).(*caddy.Replacer)
replacedBody := repl.ReplaceAll(rb.Set, "")
r.Body = io.NopCloser(strings.NewReader(replacedBody))
r.ContentLength = int64(len(replacedBody))
}
if r.Body == nil {
return next.ServeHTTP(w, r)
}

84
modules/caddyhttp/reverseproxy/buffering_test.go Normal file
View File

@ -0,0 +1,84 @@
package reverseproxy
import (
"io"
"testing"
)
type zeroReader struct{}
func (zeroReader) Read(p []byte) (int, error) {
for i := range p {
p[i] = 0
}
return len(p), nil
}
func TestBuffering(t *testing.T) {
var (
h Handler
zr zeroReader
)
type args struct {
body io.ReadCloser
limit int64
}
tests := []struct {
name string
args args
resultCheck func(io.ReadCloser, int64, args) bool
}{
{
name: "0 limit, body is returned as is",
args: args{
body: io.NopCloser(&zr),
limit: 0,
},
resultCheck: func(res io.ReadCloser, read int64, args args) bool {
return res == args.body && read == args.limit && read == 0
},
},
{
name: "negative limit, body is read completely",
args: args{
body: io.NopCloser(io.LimitReader(&zr, 100)),
limit: -1,
},
resultCheck: func(res io.ReadCloser, read int64, args args) bool {
brc, ok := res.(bodyReadCloser)
return ok && brc.body == nil && brc.buf.Len() == 100 && read == 100
},
},
{
name: "positive limit, body is read partially",
args: args{
body: io.NopCloser(io.LimitReader(&zr, 100)),
limit: 50,
},
resultCheck: func(res io.ReadCloser, read int64, args args) bool {
brc, ok := res.(bodyReadCloser)
return ok && brc.body != nil && brc.buf.Len() == 50 && read == 50
},
},
{
name: "positive limit, body is read completely",
args: args{
body: io.NopCloser(io.LimitReader(&zr, 100)),
limit: 101,
},
resultCheck: func(res io.ReadCloser, read int64, args args) bool {
brc, ok := res.(bodyReadCloser)
return ok && brc.body == nil && brc.buf.Len() == 100 && read == 100
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
res, read := h.bufferedBody(tt.args.body, tt.args.limit)
if !tt.resultCheck(res, read, tt.args) {
t.Error("Handler.bufferedBody() test failed")
return
}
})
}
}

4
modules/caddyhttp/reverseproxy/reverseproxy.go
View File

@ -1234,6 +1234,10 @@ func (h Handler) provisionUpstream(upstream *Upstream) {
// then returns a reader for the buffer along with how many bytes were buffered. Always close
// the return value when done with it, just like if it was the original body! If limit is 0
// (which it shouldn't be), this function returns its input; i.e. is a no-op, for safety.
// Otherwise, it returns bodyReadCloser, the original body will be closed and body will be nil
// if it's explicitly configured to buffer all or EOF is reached when reading.
// TODO: the error during reading is discarded if the limit is negative, should the error be propagated
// to upstream/downstream?
func (h Handler) bufferedBody(originalBody io.ReadCloser, limit int64) (io.ReadCloser, int64) {
if limit == 0 {
return originalBody, 0

19
modules/caddytls/acmeissuer.go
View File

@ -149,8 +149,8 @@ func (iss *ACMEIssuer) Provision(ctx caddy.Context) error {
iss.AccountKey = accountKey
}
// DNS challenge provider
if iss.Challenges != nil && iss.Challenges.DNS != nil {
// DNS challenge provider, if not already established
if iss.Challenges != nil && iss.Challenges.DNS != nil && iss.Challenges.DNS.solver == nil {
var prov certmagic.DNSProvider
if iss.Challenges.DNS.ProviderRaw != nil {
// a challenge provider has been locally configured - use it
@ -522,21 +522,20 @@ func (iss *ACMEIssuer) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
iss.TrustedRootsPEMFiles = d.RemainingArgs()
case "dns":
if !d.NextArg() {
return d.ArgErr()
}
provName := d.Val()
if iss.Challenges == nil {
iss.Challenges = new(ChallengesConfig)
}
if iss.Challenges.DNS == nil {
iss.Challenges.DNS = new(DNSChallengeConfig)
}
unm, err := caddyfile.UnmarshalModule(d, "dns.providers."+provName)
if err != nil {
return err
if d.NextArg() {
provName := d.Val()
unm, err := caddyfile.UnmarshalModule(d, "dns.providers."+provName)
if err != nil {
return err
}
iss.Challenges.DNS.ProviderRaw = caddyconfig.JSONModuleObject(unm, "name", provName, nil)
}
iss.Challenges.DNS.ProviderRaw = caddyconfig.JSONModuleObject(unm, "name", provName, nil)
case "propagation_delay":
if !d.NextArg() {

23
modules/caddytls/connpolicy.go
View File

@ -798,10 +798,14 @@ func (clientauth *ClientAuthentication) provision(ctx caddy.Context) error {
// if we have TrustedCACerts explicitly set, create an 'inline' CA and return
if len(clientauth.TrustedCACerts) > 0 {
clientauth.ca = InlineCAPool{
caPool := InlineCAPool{
TrustedCACerts: clientauth.TrustedCACerts,
}
return nil
err := caPool.Provision(ctx)
if err != nil {
return nil
}
clientauth.ca = caPool
}
// if we don't have any CARaw set, there's not much work to do
@ -936,17 +940,10 @@ func setDefaultTLSParams(cfg *tls.Config) {
cfg.CurvePreferences = defaultCurves
}
if cfg.MinVersion == 0 {
// crypto/tls docs:
// "If EncryptedClientHelloKeys is set, MinVersion, if set, must be VersionTLS13."
if cfg.EncryptedClientHelloKeys == nil {
cfg.MinVersion = tls.VersionTLS12
} else {
cfg.MinVersion = tls.VersionTLS13
}
}
if cfg.MaxVersion == 0 {
cfg.MaxVersion = tls.VersionTLS13
// crypto/tls docs:
// "If EncryptedClientHelloKeys is set, MinVersion, if set, must be VersionTLS13."
if cfg.EncryptedClientHelloKeys != nil && cfg.MinVersion != 0 && cfg.MinVersion < tls.VersionTLS13 {
cfg.MinVersion = tls.VersionTLS13
}
}

47
modules/caddytls/connpolicy_test.go
View File

@ -20,6 +20,7 @@ import (
"reflect"
"testing"
"github.com/caddyserver/caddy/v2"
"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
)
@ -278,3 +279,49 @@ func TestClientAuthenticationUnmarshalCaddyfileWithDirectiveName(t *testing.T) {
})
}
}
func TestClientAuthenticationProvision(t *testing.T) {
tests := []struct {
name string
ca ClientAuthentication
wantErr bool
}{
{
name: "specifying both 'CARaw' and 'TrustedCACerts' produces an error",
ca: ClientAuthentication{
CARaw: json.RawMessage(`{"provider":"inline","trusted_ca_certs":["foo"]}`),
TrustedCACerts: []string{"foo"},
},
wantErr: true,
},
{
name: "specifying both 'CARaw' and 'TrustedCACertPEMFiles' produces an error",
ca: ClientAuthentication{
CARaw: json.RawMessage(`{"provider":"inline","trusted_ca_certs":["foo"]}`),
TrustedCACertPEMFiles: []string{"foo"},
},
wantErr: true,
},
{
name: "setting 'TrustedCACerts' provisions the cert pool",
ca: ClientAuthentication{
TrustedCACerts: []string{test_der_1},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
err := tt.ca.provision(caddy.Context{})
if (err != nil) != tt.wantErr {
t.Errorf("ClientAuthentication.provision() error = %v, wantErr %v", err, tt.wantErr)
return
}
if !tt.wantErr {
if tt.ca.ca.CertPool() == nil {
t.Error("CertPool is nil, expected non-nil value")
}
}
})
}
}

94
modules/caddytls/ech.go
View File

@ -44,6 +44,10 @@ func init() {
// each individual publication config object. (Requires a custom build with a
// DNS provider module.)
//
// ECH requires at least TLS 1.3, so any TLS connection policies with ECH
// applied will automatically upgrade the minimum TLS version to 1.3, even if
// configured to a lower version.
//
// Note that, as of Caddy 2.10.0 (~March 2025), ECH keys are not automatically
// rotated due to a limitation in the Go standard library (see
// https://github.com/golang/go/issues/71920). This should be resolved when
@ -294,31 +298,36 @@ func (t *TLS) publishECHConfigs() error {
// publish this ECH config list with this publisher
pubTime := time.Now()
err := publisher.PublishECHConfigList(t.ctx, dnsNamesToPublish, echCfgListBin)
if err != nil {
t.logger.Error("publishing ECH configuration list",
zap.Strings("for_domains", publication.Domains),
if err == nil {
t.logger.Info("published ECH configuration list",
zap.Strings("domains", publication.Domains),
zap.Uint8s("config_ids", configIDs),
zap.Error(err))
}
// update publication history, so that we don't unnecessarily republish every time
for _, cfg := range echCfgList {
if cfg.meta.Publications == nil {
cfg.meta.Publications = make(publicationHistory)
}
if _, ok := cfg.meta.Publications[publisherKey]; !ok {
cfg.meta.Publications[publisherKey] = make(map[string]time.Time)
}
for _, name := range dnsNamesToPublish {
cfg.meta.Publications[publisherKey][name] = pubTime
}
metaBytes, err := json.Marshal(cfg.meta)
if err != nil {
return fmt.Errorf("marshaling ECH config metadata: %v", err)
}
metaKey := path.Join(echConfigsKey, strconv.Itoa(int(cfg.ConfigID)), "meta.json")
if err := t.ctx.Storage().Store(t.ctx, metaKey, metaBytes); err != nil {
return fmt.Errorf("storing updated ECH config metadata: %v", err)
// update publication history, so that we don't unnecessarily republish every time
for _, cfg := range echCfgList {
if cfg.meta.Publications == nil {
cfg.meta.Publications = make(publicationHistory)
}
if _, ok := cfg.meta.Publications[publisherKey]; !ok {
cfg.meta.Publications[publisherKey] = make(map[string]time.Time)
}
for _, name := range dnsNamesToPublish {
cfg.meta.Publications[publisherKey][name] = pubTime
}
metaBytes, err := json.Marshal(cfg.meta)
if err != nil {
return fmt.Errorf("marshaling ECH config metadata: %v", err)
}
metaKey := path.Join(echConfigsKey, strconv.Itoa(int(cfg.ConfigID)), "meta.json")
if err := t.ctx.Storage().Store(t.ctx, metaKey, metaBytes); err != nil {
return fmt.Errorf("storing updated ECH config metadata: %v", err)
}
}
} else {
t.logger.Error("publishing ECH configuration list",
zap.Strings("domains", publication.Domains),
zap.Uint8s("config_ids", configIDs),
zap.Error(err))
}
}
}
@ -594,7 +603,7 @@ func (ECHDNSPublisher) CaddyModule() caddy.ModuleInfo {
}
}
func (dnsPub ECHDNSPublisher) Provision(ctx caddy.Context) error {
func (dnsPub *ECHDNSPublisher) Provision(ctx caddy.Context) error {
dnsProvMod, err := ctx.LoadModule(dnsPub, "ProviderRaw")
if err != nil {
return fmt.Errorf("loading ECH DNS provider module: %v", err)
@ -630,8 +639,16 @@ func (dnsPub *ECHDNSPublisher) PublishECHConfigList(ctx context.Context, innerNa
continue
}
// get any existing HTTPS record for this domain, and augment
// our ech SvcParamKey with any other existing SvcParams
relName := libdns.RelativeName(domain+".", zone)
// TODO: libdns.RelativeName should probably return "@" instead of "". (The latest commits of libdns do this, so remove this logic once upgraded.)
if relName == "" {
relName = "@"
}
// get existing records for this domain; we need to make sure another
// record exists for it so we don't accidentally trample a wildcard; we
// also want to get any HTTPS record that may already exist for it so
// we can augment the ech SvcParamKey with any other existing SvcParams
recs, err := dnsPub.provider.GetRecords(ctx, zone)
if err != nil {
dnsPub.logger.Error("unable to get existing DNS records to publish ECH data to HTTPS DNS record",
@ -639,13 +656,29 @@ func (dnsPub *ECHDNSPublisher) PublishECHConfigList(ctx context.Context, innerNa
zap.Error(err))
continue
}
relName := libdns.RelativeName(domain+".", zone)
var httpsRec libdns.Record
var nameHasExistingRecord bool
for _, rec := range recs {
if rec.Name == relName && rec.Type == "HTTPS" && (rec.Target == "" || rec.Target == ".") {
httpsRec = rec
if rec.Name == relName {
nameHasExistingRecord = true
if rec.Type == "HTTPS" && (rec.Target == "" || rec.Target == ".") {
httpsRec = rec
break
}
}
}
if !nameHasExistingRecord {
// Turns out if you publish a DNS record for a name that doesn't have any DNS record yet,
// any wildcard records won't apply for the name anymore, meaning if a wildcard A/AAAA record
// is used to resolve the domain to a server, publishing an HTTPS record could break resolution!
// In theory, this should be a non-issue, at least for A/AAAA records, if the HTTPS record
// includes ipv[4|6]hint SvcParamKeys,
dnsPub.logger.Warn("domain does not have any existing records, so skipping publication of HTTPS record",
zap.String("domain", domain),
zap.String("relative_name", relName),
zap.String("zone", zone))
continue
}
params := make(svcParams)
if httpsRec.Value != "" {
params, err = parseSvcParams(httpsRec.Value)
@ -674,8 +707,11 @@ func (dnsPub *ECHDNSPublisher) PublishECHConfigList(ctx context.Context, innerNa
},
})
if err != nil {
// TODO: Maybe this should just stop and return the error...
dnsPub.logger.Error("unable to publish ECH data to HTTPS DNS record",
zap.String("domain", domain),
zap.String("zone", zone),
zap.String("dns_record_name", relName),
zap.Error(err))
continue
}

3
modules/caddytls/internalissuer.go
View File

@ -178,6 +178,9 @@ func (iss *InternalIssuer) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
return d.ArgErr()
}
iss.SignWithRoot = true
default:
return d.Errf("unrecognized subdirective '%s'", d.Val())
}
}
return nil

120
modules/caddytls/tls.go
View File

@ -182,17 +182,6 @@ func (t *TLS) Provision(ctx caddy.Context) error {
t.dns = dnsMod
}
// ECH (Encrypted ClientHello) initialization
if t.EncryptedClientHello != nil {
t.EncryptedClientHello.configs = make(map[string][]echConfig)
outerNames, err := t.EncryptedClientHello.Provision(ctx)
if err != nil {
return fmt.Errorf("provisioning Encrypted ClientHello components: %v", err)
}
// outer names should have certificates to reduce client brittleness
t.automateNames = append(t.automateNames, outerNames...)
}
// set up a new certificate cache; this (re)loads all certificates
cacheOpts := certmagic.CacheOptions{
GetConfigForCert: func(cert certmagic.Certificate) (*certmagic.Config, error) {
@ -243,31 +232,34 @@ func (t *TLS) Provision(ctx caddy.Context) error {
t.certificateLoaders = append(t.certificateLoaders, modIface.(CertificateLoader))
}
// on-demand permission module
if t.Automation != nil && t.Automation.OnDemand != nil && t.Automation.OnDemand.PermissionRaw != nil {
if t.Automation.OnDemand.Ask != "" {
return fmt.Errorf("on-demand TLS config conflict: both 'ask' endpoint and a 'permission' module are specified; 'ask' is deprecated, so use only the permission module")
}
val, err := ctx.LoadModule(t.Automation.OnDemand, "PermissionRaw")
// using the certificate loaders we just initialized, load
// manual/static (unmanaged) certificates - we do this in
// provision so that other apps (such as http) can know which
// certificates have been manually loaded, and also so that
// commands like validate can be a better test
certCacheMu.RLock()
magic := certmagic.New(certCache, certmagic.Config{
Storage: ctx.Storage(),
Logger: t.logger,
OnEvent: t.onEvent,
OCSP: certmagic.OCSPConfig{
DisableStapling: t.DisableOCSPStapling,
},
DisableStorageCheck: t.DisableStorageCheck,
})
certCacheMu.RUnlock()
for _, loader := range t.certificateLoaders {
certs, err := loader.LoadCertificates()
if err != nil {
return fmt.Errorf("loading on-demand TLS permission module: %v", err)
return fmt.Errorf("loading certificates: %v", err)
}
t.Automation.OnDemand.permission = val.(OnDemandPermission)
}
// run replacer on ask URL (for environment variables) -- return errors to prevent surprises (#5036)
if t.Automation != nil && t.Automation.OnDemand != nil && t.Automation.OnDemand.Ask != "" {
t.Automation.OnDemand.Ask, err = repl.ReplaceOrErr(t.Automation.OnDemand.Ask, true, true)
if err != nil {
return fmt.Errorf("preparing 'ask' endpoint: %v", err)
for _, cert := range certs {
hash, err := magic.CacheUnmanagedTLSCertificate(ctx, cert.Certificate, cert.Tags)
if err != nil {
return fmt.Errorf("caching unmanaged certificate: %v", err)
}
t.loaded[hash] = ""
}
perm := PermissionByHTTP{
Endpoint: t.Automation.OnDemand.Ask,
}
if err := perm.Provision(ctx); err != nil {
return fmt.Errorf("provisioning 'ask' module: %v", err)
}
t.Automation.OnDemand.permission = perm
}
// automation/management policies
@ -302,6 +294,33 @@ func (t *TLS) Provision(ctx caddy.Context) error {
}
}
// on-demand permission module
if t.Automation != nil && t.Automation.OnDemand != nil && t.Automation.OnDemand.PermissionRaw != nil {
if t.Automation.OnDemand.Ask != "" {
return fmt.Errorf("on-demand TLS config conflict: both 'ask' endpoint and a 'permission' module are specified; 'ask' is deprecated, so use only the permission module")
}
val, err := ctx.LoadModule(t.Automation.OnDemand, "PermissionRaw")
if err != nil {
return fmt.Errorf("loading on-demand TLS permission module: %v", err)
}
t.Automation.OnDemand.permission = val.(OnDemandPermission)
}
// run replacer on ask URL (for environment variables) -- return errors to prevent surprises (#5036)
if t.Automation != nil && t.Automation.OnDemand != nil && t.Automation.OnDemand.Ask != "" {
t.Automation.OnDemand.Ask, err = repl.ReplaceOrErr(t.Automation.OnDemand.Ask, true, true)
if err != nil {
return fmt.Errorf("preparing 'ask' endpoint: %v", err)
}
perm := PermissionByHTTP{
Endpoint: t.Automation.OnDemand.Ask,
}
if err := perm.Provision(ctx); err != nil {
return fmt.Errorf("provisioning 'ask' module: %v", err)
}
t.Automation.OnDemand.permission = perm
}
// session ticket ephemeral keys (STEK) service and provider
if t.SessionTickets != nil {
err := t.SessionTickets.provision(ctx)
@ -310,32 +329,19 @@ func (t *TLS) Provision(ctx caddy.Context) error {
}
}
// load manual/static (unmanaged) certificates - we do this in
// provision so that other apps (such as http) can know which
// certificates have been manually loaded, and also so that
// commands like validate can be a better test
certCacheMu.RLock()
magic := certmagic.New(certCache, certmagic.Config{
Storage: ctx.Storage(),
Logger: t.logger,
OnEvent: t.onEvent,
OCSP: certmagic.OCSPConfig{
DisableStapling: t.DisableOCSPStapling,
},
DisableStorageCheck: t.DisableStorageCheck,
})
certCacheMu.RUnlock()
for _, loader := range t.certificateLoaders {
certs, err := loader.LoadCertificates()
// ECH (Encrypted ClientHello) initialization
if t.EncryptedClientHello != nil {
t.EncryptedClientHello.configs = make(map[string][]echConfig)
outerNames, err := t.EncryptedClientHello.Provision(ctx)
if err != nil {
return fmt.Errorf("loading certificates: %v", err)
return fmt.Errorf("provisioning Encrypted ClientHello components: %v", err)
}
for _, cert := range certs {
hash, err := magic.CacheUnmanagedTLSCertificate(ctx, cert.Certificate, cert.Tags)
if err != nil {
return fmt.Errorf("caching unmanaged certificate: %v", err)
// outer names should have certificates to reduce client brittleness
for _, outerName := range outerNames {
if !t.HasCertificateForSubject(outerName) {
t.automateNames = append(t.automateNames, outerNames...)
}
t.loaded[hash] = ""
}
}
@ -557,7 +563,7 @@ func (t *TLS) Manage(names []string) error {
// (keeping only the hotsname) and filters IP addresses, which can't be
// used with ECH.
//
// EXPERIMENTAL: This function and its behavior are subject to change.
// EXPERIMENTAL: This function and its semantics/behavior are subject to change.
func (t *TLS) RegisterServerNames(dnsNames []string) {
t.serverNamesMu.Lock()
for _, name := range dnsNames {

3
modules/logging/filewriter.go
View File

@ -313,6 +313,9 @@ func (fw *FileWriter) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
return d.Errf("negative roll_keep_for duration: %v", keepFor)
}
fw.RollKeepDays = int(math.Ceil(keepFor.Hours() / 24))
default:
return d.Errf("unrecognized subdirective '%s'", d.Val())
}
}
return nil

3
modules/logging/netwriter.go
View File

@ -145,6 +145,9 @@ func (nw *NetWriter) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
return d.ArgErr()
}
nw.SoftStart = true
default:
return d.Errf("unrecognized subdirective '%s'", d.Val())
}
}
return nil