When client certificate is enabled Caddy check only last certificate from
request. When this cert is not in list of trusted leaf certificates,
connection is rejected. According to RFC TLS1.x the sender's certificate
must come first in the list. Each following certificate must directly
certify the one preceding it.
This patch fix this problem - first certificate is checked instead of last.
This can lead to nicer, smaller JSON output for Caddyfiles like this:
a {
tls internal
}
b {
tls foo@bar.com
}
i.e. where the tls directive only configures automation policies, and
is merely meant to enable TLS on a server block (if it wasn't implied).
This helps keeps implicit config implicit.
Needs a little more testing to ensure it doesn't break anything
important.
* pki: Initial commit of embedded ACME server (#3021)
* reverseproxy: Support auto-managed TLS client certificates (#3021)
* A little cleanup after today's review session
Previously, matching by trying files other than the actual path of the
URI was:
file {
try_files <files...>
}
Now, the same can be done in one line:
file <files...>
As before, an empty file matcher:
file
still matches if the request URI exists as a file in the site root.
* reverse_proxy: Initial attempt at H2C transport/client support (#3218)
I have not tested this yet
* Experimentally enabling H2C server support (closes#3227)
See also #3218
I have not tested this
* reverseproxy: Clean up H2C transport a bit
* caddyhttp: Update godoc for h2c server; clarify experimental status
* caddyhttp: Fix trailers when recording responses (fixes#3236)
* caddyhttp: Tweak h2c config settings and docs
Moving to https://github.com/caddyserver/circuitbreaker
Nobody was using it anyway -- it works well, but something got fumbled
in a refactoring *months* ago. Turns out that we forgot the interface
guards AND botched a method name (my bad) - Ok() should have been OK().
So it would always have thrown a runtime panic if it tried to be loaded.
The module itself works well, but obviously nobody used it because
nobody reported the error. Fixing this while we move it to the new repo.
Removing this removes the last Bazaar/Launchpad dependency (I think).
* httpcaddyfile: Exclude access logs written to files from default log
Even though any logs can just be ignored, most users don't seem to like
configuring an access log to go to a file only to have it doubly appear
in the default log.
Related to:
- #3294
- https://caddy.community/t/v2-logging-format/7642/4?u=matt
- https://caddy.community/t/caddyfile-questions/7651/3?u=matt
* caddyhttp: General improvements to access log controls (fixes#3310)
* caddyhttp: Move log config nil check higher
* Rename LoggerName -> DefaultLoggerName
* matcher: Add `split_path` option to file matcher; used in php_fastcgi
* matcher: Skip try_files split if not the final part of the filename
* matcher: Add MatchFile tests
* matcher: Clarify SplitPath godoc
Sigh, apparently Linux is incapable of distinguishing host interfaces
in socket addresses, even though it works fine on Mac. I suppose we just
have to assume that any listeners with the same port are the same
address, completely ignoring the host interface on Linux... oh well.
* ci: Enable GoReleaser .deb support
* ci: Test .deb build
* ci: Fix typo
* ci: Turn off snapshot (breaks due to go mod edit)
* ci: Force the tag to rc3 for now
* ci: Let's try to publish the .debs
* ci: Attempt to enable build cache, rebuild after fixed line endings
* ci: Fix yml dupe ID issue, add caddy-api.service
* ci: Split cache keys between files so they're separate
* ci: Fix bindir
* ci: Update the script files
* ci: Retrigger
* ci: Push to gemfury
* ci: Use loop, fix bad env var
* ci: Retrigger
* ci: Try to force blank password?
* ci: Check if the token is actually present
* ci: Cleanup, remove debugging stuff
* ci: Remove useless comment
Panic would happen if an automation policy was specified in a singular
server block that had no hostnames in its address. Definitely an edge
case.
Fixed a bug related to checking for server blocks with a host-less key
that tried to make an automation policy. Previously if you had only two
server blocks like ":443" and another one at ":80", the one at ":443"
could not create a TLS automation policy because it thought it would
interfere with TLS automation for the block at ":80", but obviously that
key doesn't enable TLS because it is on the HTTP port. So now we are a
little smarter and count only non-HTTP-empty-hostname keys.
Also fixed a bug so that a key like "https://:1234" is sure to have TLS
enabled by giving it a TLS connection policy. (Relaxed conditions
slightly; the previous conditions were too strict, requiring there to be
a TLS conn policy already or a default SNI to be non-empty.)
Also clarified a comment thanks to feedback from @Mohammed90
* ci: Let's see if caching GOCACHE helps...
* ci: Use GOCACHE env instead (fixes windows), remove build -a
* ci: Hack to pull the GOCACHE env up to CI vars
* ci: Change cache key (mainly to wipe cache now)
* docs: Pull contributing document from v1 branch
* Update .github/CONTRIBUTING.md
Co-Authored-By: Matt Holt <mholt@users.noreply.github.com>
* docs: [Responsible -> Coordinated] Disclosure
* docs: Link to the new security policy page
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
To clarify, listening on wildcard interfaces is NOT the default and
should only be done under certain circumstances and when you know
what you're doing. Emits a warning in the log.
Fixes https://github.com/caddyserver/caddy-docker/issues/71
