This adds the ask sub-directive to tls that defines the URL of a backend HTTP service to be queried during the TLS handshake to determine if an on-demand TLS certificate should be acquired for incoming hostnames. When the ask sub-directive is defined, Caddy will query the URL for permission to acquire a cert by making a HTTP GET request to the URL including the requested domain in the query string. If the backend service returns a 2xx response Caddy will acquire a cert. Any other response code (including 3xx redirects) are be considered a rejection and the certificate will not be acquired.
The rc.subr framework already takes care of substituting user. So, using
daemon's -u option is double user-substitution and fails if $caddy_user
is non-root.
caddy.go:569: could be simplified
sigtrap_posix.go:87: value of inst is never used
upgrade.go:151: should omit nil check; len() for nil slices is defined as zero
A default of true is risky when protecting assets by matching base path.
It's not obvious that protecting /foo/ will allow /Foo/ through, and if
accessing static files on a case-insensitive file system... that's no
good. So the default is now to be case-INsensitive when matching paths.
When two Caddyfiles with the same name, but different paths, are
imported, it can cause a weird bug because isNewLine() returned false
when it should return true, since the files are actually different,
but it couldn't know that because only the base name was stored,
not the whole path.
This change eliminates the `[ERROR] Could not write pidfile: open /var/run/caddy.pid: permission denied` from caddy.log.
The start-stop-daemon writes the file as root so the DAEMONUSER that caddy runs as cannot write to the .pid file.
* Proxy can now use QUIC for upstream connections
Add HandshakeTimeout, change h2quic syntax
* Add setup and upstream test
Test QUIC proxy with actual h2quic instance
Use different port fo QUIC test server
Add quic host to CI config
Added testdata to vendor
Revert "Added testdata to vendor"
This reverts commit 959512282deed8623168d090e5ca5e5a7933019c.
* Use local testdata
Renewed certificates would not be reloaded into the cache because their
names conflict with names of certificates already in the cache; this
was intentional when loading new certs to avoid confusion, but is
problematic when renewing, since the old certificate doesn't get
evicted from the cache. (Oops.)
Here, I remedy this situation by explicitly deleting the old cert from
the cache before adding the renewed one back in.
