Commit Graph

212 Commits

Author SHA1 Message Date
vnxme
2d12fb7ac6
caddytls: Add sni_regexp matcher (#6569) 2024-09-11 20:51:59 -06:00
Bas Westerbaan
dcbf38d0b3
tls: use Go default kex for the moment that include PQC (#6542)
Some checks failed
Tests / test (./cmd/caddy/caddy, ~1.23.0, macos-14, 0, 1.23, mac) (push) Has been cancelled
Tests / test (./cmd/caddy/caddy, ~1.23.0, ubuntu-latest, 0, 1.23, linux) (push) Has been cancelled
Tests / test (./cmd/caddy/caddy.exe, ~1.22.3, windows-latest, True, 1.22, windows) (push) Has been cancelled
Tests / test (./cmd/caddy/caddy.exe, ~1.23.0, windows-latest, True, 1.23, windows) (push) Has been cancelled
Tests / test (s390x on IBM Z) (push) Has been cancelled
Tests / goreleaser-check (push) Has been cancelled
Lint / lint (macos-14, mac) (push) Has been cancelled
Lint / lint (ubuntu-latest, linux) (push) Has been cancelled
Lint / lint (windows-latest, windows) (push) Has been cancelled
Lint / govulncheck (push) Has been cancelled
Cross-Build / build (~1.22.3, 1.22, aix) (push) Has been cancelled
Cross-Build / build (~1.22.3, 1.22, darwin) (push) Has been cancelled
Cross-Build / build (~1.22.3, 1.22, dragonfly) (push) Has been cancelled
Cross-Build / build (~1.22.3, 1.22, freebsd) (push) Has been cancelled
Cross-Build / build (~1.22.3, 1.22, illumos) (push) Has been cancelled
Cross-Build / build (~1.22.3, 1.22, linux) (push) Has been cancelled
Cross-Build / build (~1.22.3, 1.22, netbsd) (push) Has been cancelled
Cross-Build / build (~1.22.3, 1.22, openbsd) (push) Has been cancelled
Cross-Build / build (~1.22.3, 1.22, solaris) (push) Has been cancelled
Cross-Build / build (~1.22.3, 1.22, windows) (push) Has been cancelled
Cross-Build / build (~1.23.0, 1.23, aix) (push) Has been cancelled
Cross-Build / build (~1.23.0, 1.23, darwin) (push) Has been cancelled
Cross-Build / build (~1.23.0, 1.23, dragonfly) (push) Has been cancelled
Cross-Build / build (~1.23.0, 1.23, freebsd) (push) Has been cancelled
Cross-Build / build (~1.23.0, 1.23, illumos) (push) Has been cancelled
Cross-Build / build (~1.23.0, 1.23, linux) (push) Has been cancelled
Cross-Build / build (~1.23.0, 1.23, netbsd) (push) Has been cancelled
Cross-Build / build (~1.23.0, 1.23, openbsd) (push) Has been cancelled
Cross-Build / build (~1.23.0, 1.23, solaris) (push) Has been cancelled
Cross-Build / build (~1.23.0, 1.23, windows) (push) Has been cancelled
By default Go 1.23 enables X25519Kyber768, a post-quantum key agreement
method that is enabled by default on Chrome. Go 1.23 does not expose
the CurveID, so we cannot add it by specifying it in CurvePreferences.
The reason is that X25519Kyber768 is a preliminary key agreement that
will be supplanted by X25519MLKEM768. For the moment there is value
in enabling it.

A consequence of this is that by default Caddy will enable support
for P-384 and P-521.

This PR also removes the special code to add support for X25519Kyber768
via the Cloudflare Go branch.

Cf #6540
2024-08-27 17:08:16 -06:00
vnxme
7cf8376e63
matchers: fix a regression in #6480 (#6510)
The context may have no replacer
2024-08-12 10:01:09 +03:00
vnxme
59cbb2c83a
caddytls,caddyhttp: Placeholders for some TLS and HTTP matchers (#6480)
* Runtime placeholders for caddytls matchers (1/3):

- remove IPs validation in UnmarshalCaddyfile

* Runtime placeholders for caddytls matchers (2/3):

- add placeholder replacement for IPs in Provision

* Runtime placeholders for caddytls matchers (3/3):

- add placeholder replacement for other strings

* Runtime placeholders for caddyhttp matchers (1/1):

- add placeholder replacement for IPs in Provision

* Runtime placeholders for caddyhttp/caddytls matchers:

- move PrivateRandesCIDR under internal
2024-08-07 11:02:23 -06:00
vnxme
3579815a6c
caddytls: Caddyfile support for TLS conn and cert sel policies (#6462)
* Caddyfile support for TLS custom certificate selection policy

* Caddyfile support for TLS connection policy
2024-07-24 11:01:06 -06:00
vnxme
61fe152c60
caddytls: Caddyfile support for TLS handshake matchers (#6461)
* Caddyfile support for TLS handshake matchers:

- caddytls.MatchLocalIP
- caddytls.MatchRemoteIP
- caddytls.MatchServerName

* Caddyfile support for TLS handshake matchers:

- fix imports order

Co-authored-by: Francis Lavoie <lavofr@gmail.com>

---------

Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2024-07-24 09:26:09 -06:00
Andreas Kohn
e7ecc7ede2
Make it possible to configure the DisableStorageCheck setting for certmagic (#6368)
See discussion about this setting in https://github.com/caddyserver/certmagic/issues/201
2024-06-04 07:00:15 -06:00
Matthew Holt
01308b4bae
I'm so tired of typos 2024-06-01 20:43:35 -06:00
Matthew Holt
b7280e6949 caddytls: Implement certmagic.RenewalInfoGetter
Fixes ARI errors reported here:
https://caddy.community/t/error-in-logs-with-updating-ari-after-upgrading-to-caddy-v2-8-1/24320
2024-06-01 18:02:49 -06:00
Francis Lavoie
a6a45ff6c5
context: AppIfConfigured returns error; consider not-yet-provisioned modules (#6292)
* context: Add new `AppStrict()` method to avoid instantiating empty apps

* Rename AppStrict -> AppIfConfigured

---------

Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2024-05-20 11:14:58 -06:00
Matthew Holt
73e094e1dd
Fix lint error about deprecated method in smallstep/certificates/authority 2024-05-20 10:56:25 -06:00
Will Norris
db3e19b7b5
caddytls: fix permission requirement with AutomationPolicy (#6328)
Certificate automation has permission modules that are designed to
prevent inappropriate issuance of unbounded or wildcard certificates.
When an explicit cert manager is used, no additional permission should
be necessary. For example, this should be a valid caddyfile:

    https:// {
      tls {
        get_certificate tailscale
      }
      respond OK
    }

This is accomplished when provisioning an AutomationPolicy by tracking
whether there were explicit managers configured directly on the policy
(in the ManagersRaw field). Only when a number of potentially unsafe
conditions are present AND no explicit cert managers are configured is
an error returned.

The problem arises from the fact that ctx.LoadModule deletes the raw
bytes after loading in order to save memory. The first time an
AutomationPolicy is provisioned, the ManagersRaw field is populated, and
everything is fine.

An AutomationPolicy with no subjects is treated as a special "catch-all"
policy. App.createAutomationPolicies ensures that this catch-all policy
has an ACME issuer, and then calls its Provision method again because it
may have changed. This second time Provision is called, ManagesRaw is no
longer populated, and the permission check fails because it appears as
though the policy has no explicit managers.

Address this by storing a new boolean on AutomationPolicy recording
whether it had explicit cert managers configured on it.

Also fix an inverted boolean check on this value when setting
failClosed.

Updates #6060
Updates #6229
Updates #6327

Signed-off-by: Will Norris <will@tailscale.com>
2024-05-20 09:48:59 -06:00
Will Norris
1fc151faec
caddytls: remove ClientHelloSNICtxKey (#6326) 2024-05-18 22:47:46 -04:00
Will Norris
e66040a6f0
caddytls: set server name in context (#6324)
Set the requested server name in a context value for CertGetter
implementations to use. Pass ctx to tscert.GetCertificateWithContext.

Signed-off-by: Will Norris <will@tailscale.com>
2024-05-18 03:52:19 -06:00
Viktor Szépe
d7e3a1974b
Fix typos (#6311)
* Fix typos

* Revert

* Revert to "htlm"

* fix indentations
2024-05-10 08:08:54 -06:00
WeidiDeng
e60148ecc3
reverseproxy: Pointer to struct when loading modules; remove LazyCertPool (#6307)
* use pointer when loading modules

* change method to pointer type and remove LazyCertPool

* remove lazy pool test

* remove yet another lazy pool test
2024-05-08 19:13:37 -06:00
Matthew Holt
8d7ac18402
caddytls: Ability to drop connections (close #6294) 2024-05-06 19:59:42 -06:00
Matt Holt
d129ae6aec
caddytls: Evict internal certs from cache based on issuer (#6266)
* caddytls: Evict internal certs from cache based on issuer

During a config reload, we would keep certs in the cache fi they were used  by the next config. If one config uses InternalIssuer and the other uses a public CA, this behavior is problematic / unintuitive, because there is a big difference between private/public CAs.

This change should ensure that internal issuers are considered when deciding whether to keep or evict from the cache during a reload, by making them distinct from each other and certs from public CAs.

* Make sure new TLS app manages configured certs

* Actually make it work
2024-04-30 16:15:54 -06:00
Mohammed Al Sahaf
87c7127c28
chore: add warn logs when using deprecated fields (#6276) 2024-04-27 15:51:00 -04:00
Mohammed Al Sahaf
c6eb186064
run golangci-lint run --fix --fast (#6270) 2024-04-24 15:17:23 -06:00
clauverjat
76c4cf5a56
caddytls: Option to configure certificate lifetime (#6253)
* Add option to configure certificate lifetime

* Bump CertMagic dep to latest master commit

* Apply suggestions and ran go mod tidy

* Update modules/caddytls/acmeissuer.go

Co-authored-by: Matt Holt <mholt@users.noreply.github.com>

---------

Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2024-04-24 14:35:14 -06:00
Mohammed Al Sahaf
d2668cdbb0
doc: add verifier in ClientAuthentication caddyfile marshaler doc (#6263) 2024-04-23 07:01:54 -06:00
Matthew Holt
6a02999054
caddytls: Add Caddyfile support for on-demand permission module (close #6260) 2024-04-22 15:47:09 -06:00
Aziz Rmadi
3609a4af75
caddytls: Remove shim code supporting deprecated lego-dns (#6231)
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2024-04-15 21:26:56 +00:00
Mohammed Al Sahaf
26748d06b4
connection policy: add local_ip matcher (#6074)
* connection policy: add `local_ip`

Co-authored-by: Matt Holt <mholt@users.noreply.github.com>

---------

Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2024-04-15 21:13:24 +03:00
Matt Holt
81413caea2
caddytls: Upgrade ACMEz to v2; support ZeroSSL API; various fixes (#6229)
* WIP: acmez v2, CertMagic, and ZeroSSL issuer upgrades

* caddytls: ZeroSSLIssuer now uses ZeroSSL API instead of ACME

* Fix go.mod

* caddytls: Fix automation related to managers (fix #6060)

* Fix typo (appease linter)

* Fix HTTP validation with ZeroSSL API
2024-04-13 21:31:43 -04:00
Matthew Holt
dc9dd2e4b3
caddytls: Still provision permission module if ask is specified
Only needed for JSON configs, and only temporarily as the ask property is deprecated and will be removed.
2024-04-13 17:08:11 -06:00
reallylowest
e0bf179c1a
modules: fix some typo in conments (#6206)
Signed-off-by: reallylowest <sunjinping@outlook.com>
2024-03-30 02:45:42 +00:00
Aziz Rmadi
3ae07a73dc
caddytls: clientauth: leaf verifier: make trusted leaf certs source pluggable (#6050)
* Made trusted leaf certificates pluggable into the tls.client_auth.leaf
module

* Added leaf loaders modules: file, folder, pem aand storage

* Cleaned implementation of leaf cert loader modules

* Added tests for leaf certs file and folder loaders

* cmd: fix the output of the `Usage` section (#6138)

* core: OnExit hooks (#6128)

* core: OnExit callbacks

* core: Process-global OnExit callbacks

* ci: bump golangci/golangci-lint-action from 3 to 4 (#6141)

Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 3 to 4.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/v3...v4)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Added more leaf certificate loaders tests and cleaned up code

* Modified leaf cert loaders json field names and cleaned up storage loader comment

* Update modules/caddytls/leaffileloader.go

* Update LeafStorageLoader certificates field name

* Upgraded  protobuf version

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com>
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-03-05 14:55:37 -07:00
Mohammed Al Sahaf
03f703a00e
caddytls: verifier: caddyfile: re-add Caddyfile support (#6127)
* caddytls: verifier: caddyfile: re-add Caddyfile support

* appease the linter

* caddytls: client_auth: verifier: change namespace to `tls.client_auth.verifier`
2024-02-26 00:13:48 +03:00
Matt Holt
57c5b921a4
caddytls: Make on-demand 'ask' permission modular (#6055)
* caddytls: Make on-demand 'ask' permission modular

This makes the 'ask' endpoint a module, which means that developers can
write custom plugins for granting permission for on-demand certificates.

Kicking myself that we didn't do it this way at the beginning, but who coulda known...

* Lint

* Error on conflicting config

* Fix bad merge

---------

Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2024-01-30 16:11:29 -07:00
Yolan Romailler
2fe69a828f
chore: enabling a few more linters (#5961)
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2024-01-25 15:24:58 +00:00
Mohammed Al Sahaf
e965b111cd
tls: modularize trusted CA providers (#5784)
* tls: modularize client authentication trusted CA

* add `omitempty` to `CARaw`

* docs

* initial caddyfile support

* revert anything related to leaf cert validation

The certs are used differently than the CA pool flow

* complete caddyfile unmarshalling implementation

* Caddyfile syntax documentation

* enhance caddyfile parsing and documentation

Apply suggestions from code review

Co-authored-by: Francis Lavoie <lavofr@gmail.com>

* add client_auth caddyfile tests

* add caddyfile unmarshalling tests

* fix and add missed adapt tests

* fix rebase issue

---------

Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2024-01-25 11:44:41 +03:00
Francis Lavoie
750d0b8331
caddyfile: Normalize & flatten all unmarshalers (#6037) 2024-01-23 19:36:59 -05:00
Rithvik Vibhu
ed41c924cf
tls: add reuse_private_keys (#6025) 2024-01-09 16:00:31 -07:00
Matt Holt
4a09cf0dc0
caddytls: Sync distributed storage cleaning (#5940)
* caddytls: Log out remote addr to detect abuse

* caddytls: Sync distributed storage cleaning

* Handle errors

* Update certmagic to fix tiny bug

* Split off port when logging remote IP

* Upgrade CertMagic
2023-12-07 11:00:02 -07:00
Andreas Kohn
b24ae63ea6
caddytls: Context to DecisionFunc (#5923)
See https://github.com/caddyserver/certmagic/pull/255
2023-12-07 10:40:13 -07:00
Mohammed Al Sahaf
4173e2c77a
tls: accept placeholders in string values of certificate loaders (#5963)
* tls: loader: accept placeholders in string values

* appease the linter
2023-12-04 09:23:15 -07:00
Bas Westerbaan
289934f3d1
tls: Add X25519Kyber768Draft00 PQ "curve" behind build tag (#5852)
… when compiled with cfgo (https://github.com/cloudflare/go).
2023-10-11 13:45:37 -06:00
Matt Holt
b377208ede
chore: Appease gosec linter (#5777)
These happen to be harmless memory aliasing
but I guess the linter can't know that and we
can't really prove it in general.
2023-08-23 20:47:54 -06:00
Jacob Gadikian
d6f86cccf5
ci: use gci linter (#5708)
* use gofmput to format code

* use gci to format imports

* reconfigure gci

* linter autofixes

* rearrange imports a little

* export GOOS=windows golangci-lint run ./... --fix
2023-08-14 09:41:15 -06:00
Matthew Holt
080db93817
caddytls: Update docs for on-demand config 2023-08-09 11:15:01 -06:00
Jacob Gadikian
b32f265eca
ci: Use gofumpt to format code (#5707) 2023-08-07 19:40:31 +00:00
Matt Holt
0e2c7e1d35
caddytls: Reuse certificate cache through reloads (#5623)
* caddytls: Don't purge cert cache on config reload

* Update CertMagic

This actually avoids reloading managed certs from storage
when already in the cache, d'oh.

* Fix bug; re-implement HasCertificateForSubject

* Update go.mod: CertMagic tag
2023-07-11 19:10:58 +00:00
Matthew Holt
4ba03c9d38
caddytls: Clarify some JSON config docs 2023-06-04 22:15:50 -06:00
Matt Holt
96919acc9d
caddyhttp: Refactor cert Managers (fix #5415) (#5533) 2023-05-15 10:47:30 -06:00
Matt Holt
a02ecb0f88
caddytls: Check for nil ALPN; close #5470 (#5473)
* Check for nil ALPN; close #5470

* Apply patch

* Actually I want to try this
2023-05-13 07:09:20 -06:00
Matt Holt
faf0399e80
caddytls: Configurable fallback SNI (#5527)
* Initial implementation of fallback_sni

* Apply upstream patch
2023-05-10 14:29:29 -06:00
Francis Lavoie
e16a886814
caddytls: Eval replacer on automation policy subjects (#5459)
Also renamed the field to SubjectsRaw, which can be considered a breaking change but I don't expect this to affect much.
2023-03-27 21:16:22 +00:00
Matt Holt
0cc49c053f
caddytls: Zero out throttle window first (#5443)
* caddytls: Zero out throttle window first

* Don't error for on-demand 

Fixes b97c76fb47

---------

Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2023-03-20 12:06:00 -06:00