authorMatt Holt <[email protected]>2024-01-30 16:11:29 -0700
committerGitHub <[email protected]>2024-01-30 16:11:29 -0700
commit57c5b921a4283b4efa44d2fd77dce50f3113fb5a (patch)
tree4b1650088468472ef82bff5f3898efa61e46761f /modules/caddytls/tls.go
parente1b9a9d7b08f6f0c21feb8edf122585891aa7099 (diff)
caddytls: Make on-demand 'ask' permission modular (#6055)
* caddytls: Make on-demand 'ask' permission modular This makes the 'ask' endpoint a module, which means that developers can write custom plugins for granting permission for on-demand certificates. Kicking myself that we didn't do it this way at the beginning, but who coulda known... * Lint * Error on conflicting config * Fix bad merge --------- Co-authored-by: Francis Lavoie <[email protected]>
Diffstat (limited to 'modules/caddytls/tls.go')
-rw-r--r--modules/caddytls/tls.go51
1 files changed, 31 insertions, 20 deletions
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index b66b09c4d..2ec7bd8fb 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -164,6 +164,36 @@ func (t *TLS) Provision(ctx caddy.Context) error {
t.certificateLoaders = append(t.certificateLoaders, modIface.(CertificateLoader))
}
+ // on-demand permission module
+ if t.Automation != nil && t.Automation.OnDemand != nil && t.Automation.OnDemand.PermissionRaw != nil {
+ if t.Automation.OnDemand.Ask != "" {
+ return fmt.Errorf("on-demand TLS config conflict: both 'ask' endpoint and a 'permission' module are specified; 'ask' is deprecated, so use only the permission module")
+ }
+ val, err := ctx.LoadModule(t.Automation.OnDemand, "PermissionRaw")
+ if err != nil {
+ return fmt.Errorf("loading on-demand TLS permission module: %v", err)
+ }
+ t.Automation.OnDemand.permission = val.(OnDemandPermission)
+ }
+
+ // on-demand rate limiting
+ if t.Automation != nil && t.Automation.OnDemand != nil && t.Automation.OnDemand.RateLimit != nil {
+ onDemandRateLimiter.SetMaxEvents(t.Automation.OnDemand.RateLimit.Burst)
+ onDemandRateLimiter.SetWindow(time.Duration(t.Automation.OnDemand.RateLimit.Interval))
+ } else {
+ // remove any existing rate limiter
+ onDemandRateLimiter.SetWindow(0)
+ onDemandRateLimiter.SetMaxEvents(0)
+ }
+
+ // run replacer on ask URL (for environment variables) -- return errors to prevent surprises (#5036)
+ if t.Automation != nil && t.Automation.OnDemand != nil && t.Automation.OnDemand.Ask != "" {
+ t.Automation.OnDemand.Ask, err = repl.ReplaceOrErr(t.Automation.OnDemand.Ask, true, true)
+ if err != nil {
+ return fmt.Errorf("preparing 'ask' endpoint: %v", err)
+ }
+ }
+
// automation/management policies
if t.Automation == nil {
t.Automation = new(AutomationConfig)
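Review bot: The type assertion `val.(OnDemandPermission)` on the line after the LoadModule call is unchecked, so a module registered in the on-demand permission namespace that does not satisfy the interface would panic during Provision rather than surface as a configuration error; a checked form such as `perm, ok := val.(OnDemandPermission); if !ok { return fmt.Errorf("on-demand permission module %T does not implement OnDemandPermission", val) }` keeps it a reported error, though the CertificateLoader assertion just above the hunk uses the same unchecked pattern, so this may be deliberate project convention. The two new `fmt.Errorf` calls wrap with `%v` instead of `%w`, which hides the underlying error from `errors.Is`/`errors.As` in callers. The three repeated `t.Automation != nil && t.Automation.OnDemand != nil` guards could be hoisted into a single `if od := t.Automation.OnDemand; t.Automation != nil && od != nil { ... }` scope to keep the three on-demand steps together. Provision starts and ends outside this hunk.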
@@ -204,24 +234,6 @@ func (t *TLS) Provision(ctx caddy.Context) error {
}
}
- // on-demand rate limiting
- if t.Automation != nil && t.Automation.OnDemand != nil && t.Automation.OnDemand.RateLimit != nil {
- onDemandRateLimiter.SetMaxEvents(t.Automation.OnDemand.RateLimit.Burst)
- onDemandRateLimiter.SetWindow(time.Duration(t.Automation.OnDemand.RateLimit.Interval))
- } else {
- // remove any existing rate limiter
- onDemandRateLimiter.SetWindow(0)
- onDemandRateLimiter.SetMaxEvents(0)
- }
-
- // run replacer on ask URL (for environment variables) -- return errors to prevent surprises (#5036)
- if t.Automation != nil && t.Automation.OnDemand != nil && t.Automation.OnDemand.Ask != "" {
- t.Automation.OnDemand.Ask, err = repl.ReplaceOrErr(t.Automation.OnDemand.Ask, true, true)
- if err != nil {
- return fmt.Errorf("preparing 'ask' endpoint: %v", err)
- }
- }
-
// load manual/static (unmanaged) certificates - we do this in
// provision so that other apps (such as http) can know which
// certificates have been manually loaded, and also so that
@@ -288,8 +300,7 @@ func (t *TLS) Validate() error {
// Start activates the TLS module.
func (t *TLS) Start() error {
// warn if on-demand TLS is enabled but no restrictions are in place
- if t.Automation.OnDemand == nil ||
- (t.Automation.OnDemand.Ask == "" && t.Automation.OnDemand.RateLimit == nil) {
+ if t.Automation.OnDemand == nil || (t.Automation.OnDemand.Ask == "" && t.Automation.OnDemand.permission == nil) {
for _, ap := range t.Automation.Policies {
if ap.OnDemand && ap.isWildcardOrDefault() {
t.logger.Warn("YOUR SERVER MAY BE VULNERABLE TO ABUSE: on-demand TLS is enabled, but no protections are in place",