authorFrancis Lavoie <[email protected]>2024-10-30 13:09:12 -0400
committerGitHub <[email protected]>2024-10-30 17:09:12 +0000
commitb129ed6be88e40667a843bfab74abb3e5239bc8f (patch)
tree0d4e1b47ded49079123b0f1fcd8f558c2d2c28fc /caddytest
parentd398898b352a6a7e8ac5c24da01dd948fc334d77 (diff)
httpcaddyfile: Fixes for `prefer_wildcard` mode (#6636)
* httpcaddyfile: Fixes for prefer_wildcard mode

  The wildcard hosts need to be collected first, then considered after, because there's no guarantee that all non-wildcards will appear after all wildcards when looping.

  Also we should not add a domain to Skip if it doesn't qualify for TLS anyway.

* Alternate solution by avoiding adding APs altogether if covered by wildcard
Diffstat (limited to 'caddytest')
-rw-r--r--caddytest/integration/caddyfile_adapt/auto_https_prefer_wildcard.caddyfiletest3
-rw-r--r--caddytest/integration/caddyfile_adapt/auto_https_prefer_wildcard_multi.caddyfiletest268
2 files changed, 271 insertions, 0 deletions
diff --git a/caddytest/integration/caddyfile_adapt/auto_https_prefer_wildcard.caddyfiletest b/caddytest/integration/caddyfile_adapt/auto_https_prefer_wildcard.caddyfiletest
index 8880d71ae..04f2c4665 100644
--- a/caddytest/integration/caddyfile_adapt/auto_https_prefer_wildcard.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/auto_https_prefer_wildcard.caddyfiletest
@@ -74,6 +74,9 @@ foo.example.com {
}
],
"automatic_https": {
+ "skip_certificates": [
+ "foo.example.com"
+ ],
"prefer_wildcard": true
}
}
diff --git a/caddytest/integration/caddyfile_adapt/auto_https_prefer_wildcard_multi.caddyfiletest b/caddytest/integration/caddyfile_adapt/auto_https_prefer_wildcard_multi.caddyfiletest
new file mode 100644
index 000000000..4f8c26a5d
--- /dev/null
+++ b/caddytest/integration/caddyfile_adapt/auto_https_prefer_wildcard_multi.caddyfiletest
@@ -0,0 +1,268 @@
+{
+ auto_https prefer_wildcard
+}
+
+# Covers two domains
+*.one.example.com {
+ tls {
+ dns mock
+ }
+ respond "one fallback"
+}
+
+# Is covered, should not get its own AP
+foo.one.example.com {
+ respond "foo one"
+}
+
+# This one has its own tls config so it doesn't get covered (escape hatch)
+bar.one.example.com {
+ respond "bar one"
+}
+
+# Covers nothing but AP gets consolidated with the first
+*.two.example.com {
+ tls {
+ dns mock
+ }
+ respond "two fallback"
+}
+
+# Is HTTP so it should not cover
+http://*.three.example.com {
+ respond "three fallback"
+}
+
+# Has no wildcard coverage so it gets an AP
+foo.three.example.com {
+ respond "foo three"
+}
+----------
+{
+ "apps": {
+ "http": {
+ "servers": {
+ "srv0": {
+ "listen": [
+ ":443"
+ ],
+ "routes": [
+ {
+ "match": [
+ {
+ "host": [
+ "foo.three.example.com"
+ ]
+ }
+ ],
+ "handle": [
+ {
+ "handler": "subroute",
+ "routes": [
+ {
+ "handle": [
+ {
+ "body": "foo three",
+ "handler": "static_response"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "terminal": true
+ },
+ {
+ "match": [
+ {
+ "host": [
+ "foo.one.example.com"
+ ]
+ }
+ ],
+ "handle": [
+ {
+ "handler": "subroute",
+ "routes": [
+ {
+ "handle": [
+ {
+ "body": "foo one",
+ "handler": "static_response"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "terminal": true
+ },
+ {
+ "match": [
+ {
+ "host": [
+ "bar.one.example.com"
+ ]
+ }
+ ],
+ "handle": [
+ {
+ "handler": "subroute",
+ "routes": [
+ {
+ "handle": [
+ {
+ "body": "bar one",
+ "handler": "static_response"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "terminal": true
+ },
+ {
+ "match": [
+ {
+ "host": [
+ "*.one.example.com"
+ ]
+ }
+ ],
+ "handle": [
+ {
+ "handler": "subroute",
+ "routes": [
+ {
+ "handle": [
+ {
+ "body": "one fallback",
+ "handler": "static_response"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "terminal": true
+ },
+ {
+ "match": [
+ {
+ "host": [
+ "*.two.example.com"
+ ]
+ }
+ ],
+ "handle": [
+ {
+ "handler": "subroute",
+ "routes": [
+ {
+ "handle": [
+ {
+ "body": "two fallback",
+ "handler": "static_response"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "terminal": true
+ }
+ ],
+ "automatic_https": {
+ "skip_certificates": [
+ "foo.one.example.com",
+ "bar.one.example.com"
+ ],
+ "prefer_wildcard": true
+ }
+ },
+ "srv1": {
+ "listen": [
+ ":80"
+ ],
+ "routes": [
+ {
+ "match": [
+ {
+ "host": [
+ "*.three.example.com"
+ ]
+ }
+ ],
+ "handle": [
+ {
+ "handler": "subroute",
+ "routes": [
+ {
+ "handle": [
+ {
+ "body": "three fallback",
+ "handler": "static_response"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "terminal": true
+ }
+ ],
+ "automatic_https": {
+ "prefer_wildcard": true
+ }
+ }
+ }
+ },
+ "tls": {
+ "automation": {
+ "policies": [
+ {
+ "subjects": [
+ "foo.three.example.com"
+ ]
+ },
+ {
+ "subjects": [
+ "bar.one.example.com"
+ ],
+ "issuers": [
+ {
+ "email": "[email protected]",
+ "module": "acme"
+ },
+ {
+ "ca": "https://acme.zerossl.com/v2/DV90",
+ "email": "[email protected]",
+ "module": "acme"
+ }
+ ]
+ },
+ {
+ "subjects": [
+ "*.one.example.com",
+ "*.two.example.com"
+ ],
+ "issuers": [
+ {
+ "challenges": {
+ "dns": {
+ "provider": {
+ "name": "mock"
+ }
+ }
+ },
+ "module": "acme"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ }
+}
\ No newline at end of file
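Review bot: The expected output lists `bar.one.example.com` under srv0's `skip_certificates` while also giving it a dedicated automation policy with ACME issuers, which reads at odds with the fixture comment that this host is the escape hatch not covered by the wildcard. If `skip_certificates` keeps auto-HTTPS from managing a certificate for that name, the dedicated issuers may never be used and the host would quietly be served by the wildcard certificate; the adapter code is outside this diff, so this should be confirmed there. A fixture comment such as `# Own AP below; still expected in skip_certificates - confirm this is intended` would record the decision. Separately, the `bar.one.example.com` site block as shown has no `tls` directive although the comment and the issuers' `email` fields imply one, and the hunk header declares 268 added lines where 267 are visible, so a line may be missing from this rendering. The new file also ends without a trailing newline.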