Commit Graph

1002 Commits

Author SHA1 Message Date
Matthew Holt
11103bd8d6 Major refactor of all HTTPS/TLS/ACME code
Biggest change is no longer using standard library's tls.Config.getCertificate function to get a certificate during TLS handshake. Implemented our own cache which can be changed dynamically at runtime, even during TLS handshakes. As such, restarts are no longer required after certificate renewals or OCSP updates.

We also allow loading multiple certificates and keys per host, even by specifying a directory (tls got a new 'load' command for that).

Renamed the letsencrypt package to https in a gradual effort to become more generic; and https is more fitting for what the package does now.

There are still some known bugs, e.g. reloading where a new certificate is required but port 80 isn't currently listening, will cause the challenge to fail. There's still plenty of cleanup to do and tests to write. It is especially confusing right now how we enable "on-demand" TLS during setup and keep track of that. But this change should basically work so far.
2016-02-11 00:06:05 -07:00
Matthew Holt
f1b2637d44 letsencrypt: Enable activation on empty hosts; fix email bug 2016-01-25 20:21:08 -07:00
Matthew Holt
178c4d11d9 Merge branch 'master' into getcertificate 2016-01-25 13:47:13 -07:00
Matthew Holt
7613ae3bf0 Change to Windows line endings for poor Notepad 2016-01-25 13:46:07 -07:00
Matthew Holt
ad664e5bba browse: Render names with multiple consecutive spaces correctly 2016-01-25 13:43:35 -07:00
Matthew Holt
cf06abd691 Log restarts 2016-01-25 13:41:51 -07:00
Matthew Holt
a6abec8210 letsencrypt: Update to match upstream refactor
Challenge names now have their own type and constants
2016-01-25 08:47:28 -07:00
Matthew Holt
82b049229b proxy: Add basic proxying test and InsecureSkipVerify transport test 2016-01-23 10:14:13 -07:00
Matt Holt
fae612d53b Merge pull request #529 from FiloSottile/filippo/insecure
proxy: add a insecure_skip_verify option - closes #320
2016-01-23 09:13:30 -07:00
Filippo Valsorda
bae4ac9764 proxy: add a insecure_skip_verify option - closes #320 2016-01-23 03:26:31 +00:00
Matt Holt
6e340cb1d6 Merge pull request #514 from upsuper/fix-user-key-perm
letsencrypt: Fix perm of user key
2016-01-16 00:46:45 -07:00
Xidorn Quan
0d8d0ba5a0 letsencrypt: Fix perm of user key 2016-01-16 13:12:03 +11:00
Matt Holt
8655ea671b Merge pull request #510 from alehano/master
gzip: Add .svg to default ext list
2016-01-15 15:33:15 -07:00
Matthew Holt
0d8526b7d9 gzip: Allow empty extension (#509) 2016-01-15 11:59:05 -07:00
Alexey Khalyapin
c9e0517e5e Add .svg to default ext list in gzip middleware 2016-01-14 11:52:03 +03:00
Matthew Holt
e74558eaea browse: Fix for files and dirs with ':' in name 2016-01-13 13:17:58 -07:00
Matthew Holt
b0ccab7b4a tls: Fix failing test 2016-01-13 09:24:03 -07:00
Matthew Holt
47079c3d24 PoC: on-demand TLS
Implements "on-demand TLS" as I call it, which means obtaining TLS certificates on-the-fly during TLS handshakes if a certificate for the requested hostname is not already available. Only the first request for a new hostname will experience higher latency; subsequent requests will get the new certificates right out of memory.

Code still needs lots of cleanup but the feature is basically working.
2016-01-13 00:32:46 -07:00
Matthew Holt
b4cab78bec Starting transition to Go 1.6 (http2 compatibility)
I've built this on Go 1.6 beta 1 and made some changes to be more compatible. Namely, I removed the use of the /x/net/http2 package and let net/http enable h2 by default; updated the way h2 is disabled (if the user requires it); moved TLS_FALLBACK_SCSV to the front of the cipher suites list (all values not accepted by http2 must go after those allowed by it); removed the NextProto default of http/1.1; set the http.Server.TLSConfig value to the TLS config used by the listener (we left it nil before, but this prevents automatic enabling of h2).

It is very likely there is more to do, but at least already Caddy uses HTTP/2 when built with Go 1.6.
2016-01-13 00:29:22 -07:00
Matthew Holt
3c96718027 Version 0.8.1 2016-01-12 10:01:57 -07:00
Matthew Holt
4b6e0e9369 tls: Fix failing test 2016-01-12 08:55:01 -07:00
Matthew Holt
2bcbdd6a17 Merge branch 'getcertificate' 2016-01-12 08:52:52 -07:00
Matthew Holt
8f2196c047 tls: No arguments to directive and no block is an error 2016-01-12 08:52:43 -07:00
Matthew Holt
c7d4d051cb letsencrypt: Ensure no prompt if user is not there
Also only set custom address if alternate port is specified (rather than using a blank address; just cleaner this way)
2016-01-12 08:52:08 -07:00
Matt Holt
e283af4d9b Merge pull request #502 from abiosoft/gzip-fix
gzip: Fix for wrong content-type when templates is used.
2016-01-12 08:32:09 -07:00
Abiola Ibrahim
12cd2d528c Gzip: Fix for wrong content-type when templates is used. 2016-01-12 15:06:08 +01:00
Matthew Holt
8a6c778c8d Log if host is not configured for server 2016-01-11 09:07:14 -07:00
Matthew Holt
77eae62d9f letsencrypt: Don't prompt if user is not there
This change fixes the scenario where you reload the config and it tries to obtain a cert from the ACME server, but no email address is found or terms have not been agreed to in-process. This is unfortunate but it should not stop the server from reloading, so we assume empty email address in this case.
2016-01-10 23:40:55 -07:00
Matthew Holt
97c8c9582a Updated changelog 2016-01-10 21:52:56 -07:00
Matthew Holt
ed0c0db6a3 If scheme and port defy convention, it is an error
This prevents serving HTTPS over port 80 or HTTP over 443. It's confusing and we don't allow it.
2016-01-10 20:51:50 -07:00
Matthew Holt
202849055c tls: Extra requirements to set port to 443
It is unexpected to serve localhost on port 443 or any server on 443 if TLS is disabled, even if the port is blank. Also don't warn about how to force TLS on the HTTP port.
2016-01-10 20:47:43 -07:00
Matthew Holt
060ab92d29 Reorder a few things
The docs link to this structure and all its methods related to the browse template; keeping them together makes it possible to link to the whole block of code that is relevant.
2016-01-10 09:47:26 -07:00
Matthew Holt
0830c728fe Remove pidfile when program exits (closes #495) 2016-01-09 21:48:07 -07:00
Matthew Holt
dab679df86 import: Fix multiple imports (closes #480) 2016-01-09 10:52:21 -07:00
Matthew Holt
9453224639 Merge branch 'letsencryptfix' 2016-01-08 23:59:15 -07:00
Matthew Holt
fd1765973a letsencrypt: Tests for handler that proxies challenge requests
Doesn't test the SkipInsecureVerify proxy setting, but that can be done at another time.
2016-01-08 16:44:54 -07:00
Matthew Holt
0efe39a705 Switch back to LE production endpoint 2016-01-08 14:13:21 -07:00
Matthew Holt
a3f3bc67e1 Merge branch 'browse-tpl' 2016-01-08 14:02:55 -07:00
Matthew Holt
8b93bfe751 letsencrypt: More tests! \o/ 2016-01-08 13:49:06 -07:00
Matthew Holt
897b6c5b0e letsencrypt: More tests, other minor improvements 2016-01-08 12:32:47 -07:00
Matthew Holt
fc928e0b3b letsencrypt: Couple minor refactors/fixes 2016-01-08 11:55:31 -07:00
Matthew Holt
93b301372b rewrite: Fix a lint suggestion 2016-01-06 22:23:18 -07:00
Matthew Holt
ce4981d046 Merge branch 'master' into letsencryptfix
# Conflicts:
#	caddy/letsencrypt/letsencrypt.go
#	caddy/letsencrypt/letsencrypt_test.go
2016-01-06 22:21:15 -07:00
Matthew Holt
62b210b544 browse: Minor changes to improve icon positioning in template
Also make sure column header cells don't wrap
2016-01-06 22:18:17 -07:00
Matt Holt
5f6a0a4c0b Merge pull request #479 from abiosoft/rewrite-patch
rewrite: not_has, not_match, multiple to, and status codes
2016-01-06 22:08:16 -07:00
Matt Holt
cae9880800 Merge pull request #483 from benschumacher/master
letsencrypt: Make plaintext redirect hosts honor the Bind settings
2016-01-06 22:06:53 -07:00
Matthew Holt
6d49392602 Improve tests, fix a few lint warnings 2016-01-06 16:04:33 -07:00
Matthew Holt
4593982065 letsencrypt: Major refactor of Activate(), fixes #474 and closes #397
Makes restarts cleaner and improves configuration usability related to the tls directive
2016-01-06 16:04:08 -07:00
Matthew Holt
94100a7ba6 Fix failing tests 2016-01-04 17:34:10 -07:00
Matthew Holt
e9c2e50684 Merge branch 'master' into letsencryptfix
# Conflicts:
#	caddy/letsencrypt/letsencrypt.go
2016-01-03 23:56:22 -07:00