Commit Graph

650 Commits

Author SHA1 Message Date
Christoffer Andersson
a6761153cb
Fix misspelling in onDemandAskRequest error (#3308) 2020-04-25 10:34:56 -06:00
Matthew Holt
02845bc9fd
docs: Improve template documentation slightly; use const, not literal 2020-04-24 21:05:09 -06:00
Matthew Holt
97ed9e111d
httpcaddyfile: Add nil check to prevent panic, fix validation logic
Panic would happen if an automation policy was specified in a singular
server block that had no hostnames in its address. Definitely an edge
case.

Fixed a bug related to checking for server blocks with a host-less key
that tried to make an automation policy. Previously if you had only two
server blocks like ":443" and another one at ":80", the one at ":443"
could not create a TLS automation policy because it thought it would
interfere with TLS automation for the block at ":80", but obviously that
key doesn't enable TLS because it is on the HTTP port. So now we are a
little smarter and count only non-HTTP-empty-hostname keys.

Also fixed a bug so that a key like "https://:1234" is sure to have TLS
enabled by giving it a TLS connection policy. (Relaxed conditions
slightly; the previous conditions were too strict, requiring there to be
a TLS conn policy already or a default SNI to be non-empty.)

Also clarified a comment thanks to feedback from @Mohammed90
2020-04-24 20:57:51 -06:00
Matthew Holt
100d19e3af
dangit, of course I would bork my git commit 2020-04-24 17:48:33 -06:00
Matthew Holt
ebf07f853b
caddyhttp: Fix auto redirects for catch-all HTTPS sites
Prior logic was not setting up redirects for the case when domain names
are not known, but the server still clearly has TLS enabled.
2020-04-24 17:36:52 -06:00
Matthew Holt
1b061815b2
reverseproxy: Don't forget to provision embedded headers handler
https://caddy.community/t/set-cookie-manipulation-in-reverse-proxy/7666?u=matt
2020-04-22 19:57:06 -06:00
Matthew Holt
026937fab5
caddyhttp: Fix trailers when recording responses (fixes #3236) 2020-04-22 11:10:13 -06:00
Matthew Holt
295604d6df
httpcaddyfile: Why was this code repeated?? 2020-04-22 09:20:39 -06:00
Francis Lavoie
bacf50a59e
caddyhttp: Fix common_log format's user ID placeholder (#3300) 2020-04-22 09:05:26 -06:00
westwin
da8686c4b9
reverseproxy: always set req.URL.Host with upstream (#3297) 2020-04-21 20:34:00 -06:00
Matthew Holt
e3a8f72f1c
docs: Minor improvements 2020-04-21 19:30:04 -06:00
Mohammed Al Sahaf
bae4f15fad
ci: fuzz: remove the fuzzer of the Caddyfile parser (#3288) 2020-04-20 15:21:19 -06:00
Francis Lavoie
0798459e44
readme: Fix broken links (#3283)
Credit to @kanagawa41 for spotting these!

Fixes #3282
2020-04-19 17:37:03 -06:00
Matthew Holt
f980170909
doc: Improve comment 2020-04-17 12:03:57 -06:00
Francis Lavoie
6963a72a63
ci: Cache the GOCACHE directory to speed up builds and tests (#3273)
* ci: Let's see if caching GOCACHE helps...

* ci: Use GOCACHE env instead (fixes windows), remove build -a

* ci: Hack to pull the GOCACHE env up to CI vars

* ci: Change cache key (mainly to wipe cache now)
2020-04-17 11:54:35 -06:00
Matt Holt
76bbb473a5
reverseproxy: Set X-Forwarded-Proto (closes #3275) (#3276) 2020-04-17 09:53:06 -06:00
Francis Lavoie
3c70950fa1
docs: Pull contributing document from v1 branch (#3270)
* docs: Pull contributing document from v1 branch

* Update .github/CONTRIBUTING.md

Co-Authored-By: Matt Holt <mholt@users.noreply.github.com>

* docs: [Responsible -> Coordinated] Disclosure

* docs: Link to the new security policy page

Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2020-04-16 18:32:42 -06:00
Matthew Holt
7c171542ed
Add security policy 2020-04-16 17:20:03 -06:00
Matthew Holt
9a572635f5
admin: Close admin endpoint when shutting down (fixes #3269) 2020-04-16 12:34:28 -06:00
Matthew Holt
f5ccb904a3
admin: Disable host checking if wildcard interface is specified
To clarify, listening on wildcard interfaces is NOT the default and
should only be done under certain circumstances and when you know
what you're doing. Emits a warning in the log.

Fixes https://github.com/caddyserver/caddy-docker/issues/71
2020-04-16 11:41:32 -06:00
Matthew Holt
829e36d535
httpcaddyfile: Don't lowercase placeholder contents (fixes #3264) 2020-04-14 16:11:46 -06:00
Matthew Holt
2609a72893
go.mod: Update dependencies including CertMagic (fixes #3202) 2020-04-14 11:28:41 -06:00
Matthew Holt
ec456811bb
core: Don't return error on RegisterModule() and RegisterAdapter()
These functions are called at init-time, and their inputs are hard-coded
so there are no environmental or user factors that could make it fail
or succeed; the error return values are often ignored, and when they're
not, they are usually a fatal error anyway. To ensure that a programmer
mistake is not missed, we now panic instead.

Last breaking change 🤞
2020-04-13 09:48:54 -06:00
Matthew Holt
68cebb28d0
Fix some godocs 2020-04-11 09:01:40 -06:00
Matthew Holt
a3bdc22234
admin: Always enforce Host header checks
With a simple heuristic for loopback addresses, we can enable this by
default without adding unnecessary inconvenience.
2020-04-10 17:31:38 -06:00
Matthew Holt
d3383ced2a
Update link in readme 2020-04-10 09:19:03 -06:00
Matthew Holt
c024ae096d
tests: Clean up redundant type declarations 2020-04-10 08:48:21 -06:00
Matthew Holt
3bee569a8a
httpcaddyfile: Don't remove empty TLS conn policies (fix #3249)
Not sure why I thought that would be a good idea
2020-04-10 08:24:12 -06:00
Matthew Holt
999ab22b8c
caddyhttp: Add nil check (fixes #3248 and fixes #3250) 2020-04-10 08:12:42 -06:00
Matthew Holt
9991fdc495
Update readme 2020-04-10 08:10:35 -06:00
Matthew Holt
f29023bf8f
reverseproxy: Minor tweaks
We'll need that context in v2.1 when the transport can manage its own
client certificates; see #3198
2020-04-09 13:22:05 -06:00
Matthew Holt
85f5f47f31
caddytls: Don't initialize default internal issuer unless necessary
Otherwise, a password prompt can occur unnecessarily.
2020-04-09 13:09:48 -06:00
Matthew Holt
6e4132eb89
logging: Colorize output in all cases of stdout/stderr 2020-04-09 13:06:06 -06:00
Matt Holt
d89ad2fd5b
caddytls: Fix for TLS conn policy being applied to HTTP-only servers (#3243)
* httpcaddyfile: Don't add TLS policy to HTTP-only server (#3193, #3223)

* Account for HTTP port

* Add integration test written by @sarge
2020-04-09 12:39:05 -06:00
Matthew Holt
d33926b63f
go.mod: Update certmagic 2020-04-09 12:32:57 -06:00
Matthew Holt
c5f9227a48
go.mod: Try smallstep again
See if the broken dependency cycle has been... well, broken
2020-04-09 12:10:52 -06:00
Matthew Holt
88d391c1f5
go.mod: Update smallstep/cli 2020-04-09 11:16:47 -06:00
Matthew Holt
b4a7d6267f
go.mod: Update dependencies
Should fix the builds with GOPROXY=direct!
2020-04-09 10:57:23 -06:00
Matthew Holt
e5dc76b054 caddyhttp: CEL matcher checks return type; slight refactor
As per https://github.com/caddyserver/caddy/issues/3051#issuecomment-611200414
2020-04-08 15:39:30 -06:00
Mohammed Al Sahaf
7dfd69cdc5
chore: make the linter happier (#3245)
* chore: make the linter happier

* chore: remove reference to maligned linter in .golangci.yml
2020-04-08 15:31:51 -06:00
Matthew Holt
28fdf64dc5
httpcaddyfile, caddytls: Multiple edge case fixes; add tests
- Create two default automation policies; if the TLS app is used in
  isolation with the 'automate' certificate loader, it will now use
  an internal issuer for internal-only names, and an ACME issuer for
  all other names by default.
- If the HTTP Caddyfile adds an 'automate' loader, it now also adds an
  automation policy for any names in that loader that do not qualify
  for public certificates so that they will be issued internally. (It
  might be nice if this wasn't necessary, but the alternative is to
  either make auto-HTTPS logic way more complex by scanning the names in
  the 'automate' loader, or to have an automation policy without an
  issuer switch between default issuer based on the name being issued
  a certificate - I think I like the latter option better, right now we
  do something kind of like that but at a level above each individual
  automation policies, we do that switch only when no automation
  policies match, rather than when a policy without an issuer does
  match.)
- Set the default LoggerName rather than a LoggerNames with an empty
  host value, which is now taken literally rather than as a catch-all.
- hostsFromKeys, the function that gets a list of hosts from server
  block keys, no longer returns an empty string in its resulting slice,
  ever.
2020-04-08 14:46:44 -06:00
Matthew Holt
0fe98038b6
caddyhttp: Fix logging name associations by adding a default 2020-04-08 14:39:20 -06:00
Matthew Holt
6e4c688ea7
logging: Only colorize console output 2020-04-08 14:37:37 -06:00
Francis Lavoie
5110643201
httpcaddyfile: Add key_type global option (#3231) 2020-04-08 11:09:38 -06:00
Matthew Holt
4d9b63d909 cel: Leverage DefaultAdapter to extend CEL's type system
Thanks to @TristonianJones for the tip!
105acfa086 (r38358983)
2020-04-08 10:44:40 -06:00
Matthew Holt
e30deedcc1 caddyhttp: Return port placeholders as ints 2020-04-08 10:44:40 -06:00
Matt Holt
fbd9515d35
basicauth: Re-prompt after invalid credentials (fix #3239) (#3240) 2020-04-07 20:39:13 -06:00
Matthew Holt
95f6bd7e5c
templates: Update docs 2020-04-07 12:29:09 -06:00
Matthew Holt
b1ce9d4db7
templates: Add env function (closes #3237) 2020-04-07 12:26:08 -06:00
Matthew Holt
61679b74f5 Merge branch 'remove-ntlm' 2020-04-07 11:41:49 -06:00