mirror of
https://github.com/caddyserver/caddy.git
synced 2024-11-25 17:56:34 +08:00
6ca5828221
Certificate selection used to be a module, but this seems unnecessary, especially since the built-in CustomSelectionPolicy allows quite complex selection logic on a number of fields in certs. If we need to extend that logic, we can, but I don't think there are SO many possibilities that we need modules. This update also allows certificate selection to choose between multiple matching certs based on client compatibility and makes a number of other improvements in the default cert selection logic, both here and in the latest CertMagic. The hardest part of this was the conn policy consolidation logic (Caddyfile only, of course). We have to merge connection policies that we can easily combine, because if two certs are manually loaded in a Caddyfile site block, that produces two connection policies, and each cert is tagged with a different tag, meaning only the first would ever be selected. So given the same matchers, we can merge the two, but this required improving the Tag selection logic to support multiple tags to choose from, hence "tags" changed to "any_tag" or "all_tags" (but we use any_tag in our Caddyfile logic). Combining conn policies with conflicting settings is impossible, so that should return an error if two policies with the exact same matchers have non-empty settings that are not the same (the one exception being any_tag which we can merge because the logic for them is to OR them). It was a bit complicated. It seems to work in numerous tests I've conducted, but we'll see how it pans out in the release candidates.
275 lines
6.4 KiB
Go
275 lines
6.4 KiB
Go
package integration
|
|
|
|
import (
|
|
"testing"
|
|
|
|
"github.com/caddyserver/caddy/v2/caddytest"
|
|
)
|
|
|
|
func TestDefaultSNI(t *testing.T) {
|
|
|
|
// arrange
|
|
caddytest.InitServer(t, `{
|
|
"apps": {
|
|
"http": {
|
|
"http_port": 9080,
|
|
"https_port": 9443,
|
|
"servers": {
|
|
"srv0": {
|
|
"listen": [
|
|
":9443"
|
|
],
|
|
"routes": [
|
|
{
|
|
"handle": [
|
|
{
|
|
"handler": "subroute",
|
|
"routes": [
|
|
{
|
|
"handle": [
|
|
{
|
|
"body": "hello from a.caddy.localhost",
|
|
"handler": "static_response",
|
|
"status_code": 200
|
|
}
|
|
],
|
|
"match": [
|
|
{
|
|
"path": [
|
|
"/version"
|
|
]
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"match": [
|
|
{
|
|
"host": [
|
|
"127.0.0.1"
|
|
]
|
|
}
|
|
],
|
|
"terminal": true
|
|
}
|
|
],
|
|
"tls_connection_policies": [
|
|
{
|
|
"certificate_selection": {
|
|
"any_tag": ["cert0"]
|
|
},
|
|
"match": {
|
|
"sni": [
|
|
"127.0.0.1"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"default_sni": "*.caddy.localhost"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
},
|
|
"tls": {
|
|
"certificates": {
|
|
"load_files": [
|
|
{
|
|
"certificate": "/caddy.localhost.crt",
|
|
"key": "/caddy.localhost.key",
|
|
"tags": [
|
|
"cert0"
|
|
]
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"pki": {
|
|
"certificate_authorities" : {
|
|
"local" : {
|
|
"install_trust": false
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
`, "json")
|
|
|
|
// act and assert
|
|
// makes a request with no sni
|
|
caddytest.AssertGetResponse(t, "https://127.0.0.1:9443/version", 200, "hello from a")
|
|
}
|
|
|
|
func TestDefaultSNIWithNamedHostAndExplicitIP(t *testing.T) {
|
|
|
|
// arrange
|
|
caddytest.InitServer(t, `
|
|
{
|
|
"apps": {
|
|
"http": {
|
|
"http_port": 9080,
|
|
"https_port": 9443,
|
|
"servers": {
|
|
"srv0": {
|
|
"listen": [
|
|
":9443"
|
|
],
|
|
"routes": [
|
|
{
|
|
"handle": [
|
|
{
|
|
"handler": "subroute",
|
|
"routes": [
|
|
{
|
|
"handle": [
|
|
{
|
|
"body": "hello from a",
|
|
"handler": "static_response",
|
|
"status_code": 200
|
|
}
|
|
],
|
|
"match": [
|
|
{
|
|
"path": [
|
|
"/version"
|
|
]
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"match": [
|
|
{
|
|
"host": [
|
|
"a.caddy.localhost",
|
|
"127.0.0.1"
|
|
]
|
|
}
|
|
],
|
|
"terminal": true
|
|
}
|
|
],
|
|
"tls_connection_policies": [
|
|
{
|
|
"certificate_selection": {
|
|
"any_tag": ["cert0"]
|
|
},
|
|
"default_sni": "a.caddy.localhost",
|
|
"match": {
|
|
"sni": [
|
|
"a.caddy.localhost",
|
|
"127.0.0.1",
|
|
""
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"default_sni": "a.caddy.localhost"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
},
|
|
"tls": {
|
|
"certificates": {
|
|
"load_files": [
|
|
{
|
|
"certificate": "/a.caddy.localhost.crt",
|
|
"key": "/a.caddy.localhost.key",
|
|
"tags": [
|
|
"cert0"
|
|
]
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"pki": {
|
|
"certificate_authorities" : {
|
|
"local" : {
|
|
"install_trust": false
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
`, "json")
|
|
|
|
// act and assert
|
|
// makes a request with no sni
|
|
caddytest.AssertGetResponse(t, "https://127.0.0.1:9443/version", 200, "hello from a")
|
|
}
|
|
|
|
func TestDefaultSNIWithPortMappingOnly(t *testing.T) {
|
|
|
|
// arrange
|
|
caddytest.InitServer(t, `
|
|
{
|
|
"apps": {
|
|
"http": {
|
|
"http_port": 9080,
|
|
"https_port": 9443,
|
|
"servers": {
|
|
"srv0": {
|
|
"listen": [
|
|
":9443"
|
|
],
|
|
"routes": [
|
|
{
|
|
"handle": [
|
|
{
|
|
"body": "hello from a.caddy.localhost",
|
|
"handler": "static_response",
|
|
"status_code": 200
|
|
}
|
|
],
|
|
"match": [
|
|
{
|
|
"path": [
|
|
"/version"
|
|
]
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"tls_connection_policies": [
|
|
{
|
|
"certificate_selection": {
|
|
"any_tag": ["cert0"]
|
|
},
|
|
"default_sni": "a.caddy.localhost"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
},
|
|
"tls": {
|
|
"certificates": {
|
|
"load_files": [
|
|
{
|
|
"certificate": "/a.caddy.localhost.crt",
|
|
"key": "/a.caddy.localhost.key",
|
|
"tags": [
|
|
"cert0"
|
|
]
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"pki": {
|
|
"certificate_authorities" : {
|
|
"local" : {
|
|
"install_trust": false
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
`, "json")
|
|
|
|
// act and assert
|
|
// makes a request with no sni
|
|
caddytest.AssertGetResponse(t, "https://127.0.0.1:9443/version", 200, "hello from a")
|
|
}
|