summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorĐỗ Trọng Hải <[email protected]>2023-10-11 04:46:39 +0700
committerGitHub <[email protected]>2023-10-10 21:46:39 +0000
commitdf9950297793fbe3930cd3151b6f1a3cea893a38 (patch)
tree94c887fec0c54d8d44858a23fafab89d77743bd3
parente0aaefab80d75293783a5551b094cf57b49da8d5 (diff)
downloadcaddy-df9950297793fbe3930cd3151b6f1a3cea893a38.tar.gz
caddy-df9950297793fbe3930cd3151b6f1a3cea893a38.zip
httpcaddyfile: Enable TLS for catch-all site if `tls` directive is specified (#5808)
-rw-r--r--caddyconfig/httpcaddyfile/httptype.go12
-rw-r--r--caddytest/integration/caddyfile_adapt/enable_tls_for_catch_all_site.txt37
2 files changed, 48 insertions, 1 deletions
diff --git a/caddyconfig/httpcaddyfile/httptype.go b/caddyconfig/httpcaddyfile/httptype.go
index 78fb7f062..79442c8f7 100644
--- a/caddyconfig/httpcaddyfile/httptype.go
+++ b/caddyconfig/httpcaddyfile/httptype.go
@@ -716,10 +716,20 @@ func (st *ServerType) serversFromPairings(
}
}
+ // If TLS is specified as directive, it will also result in 1 or more connection policy being created
+ // Thus, catch-all address with non-standard port, e.g. :8443, can have TLS enabled without
+ // specifying prefix "https://"
+ // Second part of the condition is to allow creating TLS conn policy even though `auto_https` has been disabled
+ // ensuring compatibility with behavior described in below link
+ // https://caddy.community/t/making-sense-of-auto-https-and-why-disabling-it-still-serves-https-instead-of-http/9761
+ createdTLSConnPolicies, ok := sblock.pile["tls.connection_policy"]
+ hasTLSEnabled := (ok && len(createdTLSConnPolicies) > 0) ||
+ (addr.Host != "" && srv.AutoHTTPS != nil && !sliceContains(srv.AutoHTTPS.Skip, addr.Host))
+
// we'll need to remember if the address qualifies for auto-HTTPS, so we
// can add a TLS conn policy if necessary
if addr.Scheme == "https" ||
- (addr.Scheme != "http" && addr.Host != "" && addr.Port != httpPort) {
+ (addr.Scheme != "http" && addr.Port != httpPort && hasTLSEnabled) {
addressQualifiesForTLS = true
}
// predict whether auto-HTTPS will add the conn policy for us; if so, we
diff --git a/caddytest/integration/caddyfile_adapt/enable_tls_for_catch_all_site.txt b/caddytest/integration/caddyfile_adapt/enable_tls_for_catch_all_site.txt
new file mode 100644
index 000000000..b37b40c00
--- /dev/null
+++ b/caddytest/integration/caddyfile_adapt/enable_tls_for_catch_all_site.txt
@@ -0,0 +1,37 @@
+:8443 {
+ tls internal {
+ on_demand
+ }
+}
+----------
+{
+ "apps": {
+ "http": {
+ "servers": {
+ "srv0": {
+ "listen": [
+ ":8443"
+ ],
+ "tls_connection_policies": [
+ {}
+ ]
+ }
+ }
+ },
+ "tls": {
+ "automation": {
+ "policies": [
+ {
+ "issuers": [
+ {
+ "module": "internal"
+ }
+ ],
+ "on_demand": true
+ }
+ ]
+ }
+ }
+ }
+}
+