* added new modular ca providers to caddy tls HttpTransport
* reverse-proxy, httptransport: added tests and caddyfile support for ca module
---------
Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* Added plaintext support to file_server browser
This commit is twofold: First it adds a new optional
field, `return_type`, to `browser` for setting the
default format of the returned index (html, json or plaintext).
This is used when the `Accept` header is set to `/*`.
Second, it adds a preliminary `text/plain`
support to the `file_server` browser that
returns a text representation of the file
system, when an `Accept: text/plain` header
is present, with the behavior discussed above.
* Added more details and better formatting to plaintext browser
* Replaced returnType conditions with a switch statement
* Simplify
---------
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* caddyhttp: add `http.request.local{,.host,.port}` placeholder
This is the counterpart of `http.request.remote{,.host,.port}`.
`http.request.remote` operates on the remote client's address, while
`http.request.local` operates on the address the connection arrived on.
Take the following example:
- Caddy serving on `203.0.113.1:80`
- Client on `203.0.113.2`
`http.request.remote.host` would return `203.0.113.2` (client IP)
`http.request.local.host` would return `203.0.113.1` (server IP)
`http.request.local.port` would return `80` (server port)
I find this helpful for debugging setups with multiple servers and/or
multiple network paths (multiple IPs, AnyIP, Anycast).
Co-authored-by: networkException <git@nwex.de>
* caddyhttp: add unit test for `http.request.local{,.host,.port}`
* caddyhttp: add integration test for `http.request.local.port`
* caddyhttp: fix `http.request.local.host` placeholder handling with unix sockets
The implementation matches the one of `http.request.remote.host` now and
returns the unix socket path (just like `http.request.local` already did)
instead of an empty string.
---------
Co-authored-by: networkException <git@nwex.de>
* update quic-go to v0.42.0
* use a rate limiter to control QUIC source address verification
* Lint
* remove deprecated ListenQUIC
* remove number of requests tracking
* increase the number of handshakes before source address verification is needed
* remove references to request counters
* remove deprecated listen*
---------
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
Co-authored-by: WeidiDeng <weidi_deng@icloud.com>
* reverseproxy: active health check allows configurable health_passes and health_fails
* Need to reset counters after recovery
* rename methods to be more clear that these are coming from active health checks
* do not export methods
* upgrade to cel v0.20.0
* Attempt to address feedback and fix linter
* Let's try this
* Take that, you linter!
* Oh there's more
---------
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
Co-authored-by: Tristan Swadell @TristonianJones
* Implemented basic uri query operations
* Added support for query operations block
* Applied Replacer on all query keys and values
* Implemented rename query key opration
* Rewrite struct: Changed QueryOperations field to Query and comments cleanup
* Cleaned up comments, changed the order of operations and added more tests
* Changed order of fields in queryOps struct to match the operations order
* acmeserver: support specifying the allowed challenge types
* add caddyfile adapt tests
* acmeserver: add `policy` field to define allow/deny rules
* allow `omitempty` to work
* add caddyfile support for `policy`
* remove "uri domain" policy
* fmt the files
* add docs
* do not support `CommonName`; the field is deprecated
* r/DNSDomains/Domains/g
* Caddyfile docs
* add tests
* move `Policy` to top of file
* reverseproxy: cookie should be Secure and SameSite=None when TLS
* Update modules/caddyhttp/reverseproxy/selectionpolicies_test.go
Co-authored-by: Mohammed Al Sahaf <mohammed@caffeinatedwonders.com>
---------
Co-authored-by: Mohammed Al Sahaf <mohammed@caffeinatedwonders.com>
* acmeserver: support specifying the allowed challenge types
* add caddyfile adapt tests
* introduce basic acme_server test
* skip acme test on unsuitable environments
* skip integration tests of ACME
* documentation
* add negative-scenario test for mismatched allowed challenges
* a bit more docs
* fix tests for ACME challenges
* appease the linter
* skip ACME tests on s390x
* enable ACME challenge tests on all machines
* Apply suggestions from code review
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
---------
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* caddytls: Make on-demand 'ask' permission modular
This makes the 'ask' endpoint a module, which means that developers can
write custom plugins for granting permission for on-demand certificates.
Kicking myself that we didn't do it this way at the beginning, but who coulda known...
* Lint
* Error on conflicting config
* Fix bad merge
---------
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
* tls: modularize client authentication trusted CA
* add `omitempty` to `CARaw`
* docs
* initial caddyfile support
* revert anything related to leaf cert validation
The certs are used differently than the CA pool flow
* complete caddyfile unmarshalling implementation
* Caddyfile syntax documentation
* enhance caddyfile parsing and documentation
Apply suggestions from code review
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
* add client_auth caddyfile tests
* add caddyfile unmarshalling tests
* fix and add missed adapt tests
* fix rebase issue
---------
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
previously the `caddy respond` command would treat the argument
passed to --listen as a TCP socket address, iterating over a possible
port range.
this patch factors the server creation out into a separate function,
allowing this to be reused in case the listen address is a unix network
address.
* browse: Add total file size to directory listing
* Apply suggestion to remove "in "
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
---------
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* templates: Offically make templates extensible
This supercedes #4757 (and #4568) by making template extensions
configurable.
The previous implementation was never documented AFAIK and had only
1 consumer, which I'll notify as a courtesy.
* templates: Add 'maybe' function for optional components
* Try to fix lint error
This commit upgrades the router used in the acmeserver to
github.com/go-chi/chi/v5. In the latest release of step-ca, the router
used by certificates was upgraded to that version.
Fixes#5911
Signed-off-by: Mariano Cano <mariano.cano@gmail.com>
* core: quic listener will manage the underlying socket by itself.
* format code
* rename sharedQUICTLSConfig to sharedQUICState, and it will now manage the number of active requests
* add comment
* strict unwrap type
* fix unwrap
* remove comment
* Browse.html: Add canonical URL and home-link
When contents are equal, but maybe just a sort order is different, it is good to add `<link rel="canonical" href="base-path/" />`. This helps search engines propeely index the page.
I also added a link to the home page with the name of `{{.Host}}` just above the bread crumbs to make the page clearer.
https://paste.tnonline.net/files/28Wun5CQZiqA_Screenshot_20231007_134435_Opera.png
* Update browse.html
* reverseproxy: Add more debug logs
This makes debug logging very noisy when reverse proxying, but I guess
that's the point.
This has shown to be useful in troubleshooting infrastructure issues.
* Update modules/caddyhttp/reverseproxy/streaming.go
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
* Update modules/caddyhttp/reverseproxy/streaming.go
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
* Add opt-in `trace_logs` option
* Rename to VerboseLogs
---------
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
* Enhancement: Allow X-Forwarded-For Header in httpInclude Virtual Requests
The goal of this enhancement is to modify the funcHTTPInclude function in the Caddy codebase to include the X-Forwarded-For header in the virtual request. This change will enable reverse proxies to set the X-Forwarded-For header, ensuring that the client's IP address is correctly provided to the target endpoint. This modification is essential for applications that depend on the X-Forwarded-For header for various functionalities, such as authentication, logging, or content customization.
* Updated tplcontext.go - set `virtReq.RemoteAddr = "127.0.0.1"`
i have made the suggested changes
* Apply suggestions from code review
* Update modules/caddyhttp/templates/tplcontext.go
---------
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
fix a nil pointer dereference in AUpstreams.GetUpstreams when AUpstreams.Versions is not set (fixes caddyserver#5809)
Signed-off-by: Pascal Vorwerk <info@fossores.de>
* use gofmput to format code
* use gci to format imports
* reconfigure gci
* linter autofixes
* rearrange imports a little
* export GOOS=windows golangci-lint run ./... --fix
* reverseproxy: do not parse upstream address too early if it contains replaceble parts
* remove unused method
* cleanup
* accommodate partially replaceable port
* caddyhttp: Make use of http.ResponseController
Also syncs the reverseproxy implementation with stdlib's which now uses ResponseController as well 2449bbb5e6
* Enable full-duplex for HTTP/1.1
* Appease linter
* Add warning for builds with Go 1.20, so it's less surprising to users
* Improved godoc for EnableFullDuplex, copied text from stdlib
* Only wrap in encode if not already wrapped
* update quic-go to v0.37.0
* Bump to Go 1.20
* Bump golangci-lint version, yml syntax consistency
* Use skip-pkg-cache workaround
* Workaround needed for both?
* Seeding weakrand is no longer necessary
---------
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
* added weighted round robin algorithm to load balancer
* added an adapt integration test for wrr and fixed a typo
* changed args format to Caddyfile args convention
* added provisioner and validator for wrr
* simplified the code and improved doc
Allow registering a custom network mapping for HTTP/3. This is useful
if the original network for HTTP/1.1 and HTTP/2 is not a standard `unix`,
`tcp4`, or `tcp6` network. To keep backwards compatibility, we fall back
to `udp` if the original network is not registered in the mapping.
Fixes#5555
* Create an includeRaw template function to include a file without parsing it as a template.
Some formatting fixes
* Rename to readFile, various docs adjustments
---------
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
* Make grid entries take up full width on mobile and fix breadcrumb color issue in dark mode
Signed-off-by: Pistasj <odyssey346@disroot.org>
* Do mholt's suggestions
Signed-off-by: Pistasj <odyssey346@disroot.org>
---------
Signed-off-by: Pistasj <odyssey346@disroot.org>
When only a single request has the least amount of requests, there's no need to compute a random number, because the modulo of 1 will always be 0 anyways.
* Add isDir template function
* Update modules/caddyhttp/templates/tplcontext.go
Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* Fix funcIsDir return value on error
* Fix funcIsDir return false when root file system not specified
* Add stat function, remove isDir function
* Remove isDir function (really)
* Rename stat to fileStat
---------
Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* Serve http2 when listener wrapper doesn't return *tls.Conn
* close conn when h2server serveConn returns
* merge from upstream
* rebase from latest
* run New and Closed ConnState hook for h2 conns
* go fmt
* fix lint
* Add comments
* reorder import
* log: make `sink` encodable
* deduplicate logger fields
* extract common fields into `BaseLog` and embed it into `SinkLog`
* amend godoc on `BaseLog` and `SinkLog`
* minor style change
---------
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
* Delete all existing fields when fieldName is `*`
* Rearrange deletion before addition in headers
* Revert "Rearrange deletion before addition in headers"
This reverts commit 1b50eeeccc92ccd660c7896d8283c7d9e5d1fcb0.
* Treat deleting all headers as a special case
* Apply suggestions from code review
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
---------
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* caddyhttp: Determine real client IP if trusted proxies configured
* Support customizing client IP header
* Implement client_ip matcher, deprecate remote_ip's forwarded option