authorMatthew Holt <[email protected]>2017-04-17 19:53:15 -0600
committerMatthew Holt <[email protected]>2017-04-17 19:53:15 -0600
commit4462e3978b7f66ee9d633e82f481264b73b4b9e3 (patch)
tree84da530170d8ddb0d22f92dc900ea3a19ad0ee71
parenta56a8334230af1a5f2474730ef57a7fceebb4b50 (diff)
httpserver: max_certs now forces On-Demand TLS even if name is known
Original feature request in forum: https://forum.caddyserver.com/t/caddy-with-specific-hosts-but-on-demand-tls/1704?u=matt Before, Caddy obtained certificates for every name it could at startup. And it would only obtain certificates during the handshake for sites defined with a hostname that didn't qualify at startup (like "*.example.com" or ":443"). This made sense for most situations, and helped ensure that certificates were obtained as early and reliably as possible. With this change, Caddy will NOT obtain certificates for hostnames it knows at startup (even if they qualify) if OnDemand is enabled. But I think this change generalizes well, because a user who specifies max_certs is deliberately turning on On-Demand TLS, fully aware of the consequences. It seems dubious to ignore that config when the user deliberately put it there. We'll see how this goes.
-rw-r--r--caddyhttp/httpserver/https.go17
1 files changed, 10 insertions, 7 deletions
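--- a/caddyhttp/httpserver/https.go
+++ b/caddyhttp/httpserver/https.go
@@ -23,6 +23,9 @@ func activateHTTPS(cctx caddy.Context) error {
 // place certificates and keys on disk
 for _, c := range ctx.siteConfigs {
+if c.TLS.OnDemand {
+continue // obtain these certificates on-demand instead
+}
 err := c.TLS.ObtainCert(c.TLS.Hostname, operatorPresent)
 if err != nil {
 return err
@@ -65,15 +68,15 @@ func markQualifiedForAutoHTTPS(configs []*SiteConfig) {
 }
 // enableAutoHTTPS configures each config to use TLS according to default settings.
-// It will only change configs that are marked as managed, and assumes that
-// certificates and keys are already on disk. If loadCertificates is true,
-// the certificates will be loaded from disk into the cache for this process
-// to use. If false, TLS will still be enabled and configured with default
-// settings, but no certificates will be parsed loaded into the cache, and
-// the returned error value will always be nil.
+// It will only change configs that are marked as managed but not on-demand, and
+// assumes that certificates and keys are already on disk. If loadCertificates is
+// true, the certificates will be loaded from disk into the cache for this process
+// to use. If false, TLS will still be enabled and configured with default settings,
+// but no certificates will be parsed loaded into the cache, and the returned error
+// value will always be nil.
 func enableAutoHTTPS(configs []*SiteConfig, loadCertificates bool) error {
 for _, cfg := range configs {
-if cfg == nil || cfg.TLS == nil || !cfg.TLS.Managed {
+if cfg == nil || cfg.TLS == nil || !cfg.TLS.Managed || cfg.TLS.OnDemand {
 continue
 }
 cfg.TLS.Enabled = true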
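Review bot: The `|| cfg.TLS.OnDemand` added to the guard in enableAutoHTTPS makes the loop skip on-demand sites entirely, so nothing after the `continue` runs for them — at least `cfg.TLS.Enabled = true`, plus whatever default TLS parameters and redirect setup the rest of the function applies (its body continues past the end of the hunk) — even though such a site is still marked Managed. If those defaults are applied only here, a site that turns on max_certs now serves with whatever TLS settings the tls directive happened to leave, which is a silent change to a security-relevant configuration rather than just a deferral of certificate acquisition; if deferral is all that is intended, the narrower change is to keep on-demand configs in the loop and guard only the certificate-loading step with `!cfg.TLS.OnDemand`. The first hunk also deserves a sentence of documentation, because a misconfigured or unauthorized hostname that previously failed at startup (where an operator sees it) now fails only at the first handshake, visible to clients: `// On-demand sites are skipped here on purpose: their certificate is obtained at handshake time, so issuance errors surface to clients, not at startup.`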