summaryrefslogtreecommitdiffhomepage
path: root/modules
diff options
context:
space:
mode:
authorFrancis Lavoie <[email protected]>2024-10-02 09:31:58 -0400
committerGitHub <[email protected]>2024-10-02 07:31:58 -0600
commit16724842d9b9096b800326d0b7667a4361552552 (patch)
tree212b53abe5ce73bce9cb1825b6c06cce0b467194 /modules
parent792f1c7ed759b97ee6dc80246cf2de054c09a12f (diff)
downloadcaddy-16724842d9b9096b800326d0b7667a4361552552.tar.gz
caddy-16724842d9b9096b800326d0b7667a4361552552.zip
caddyhttp: Implement `auto_https prefer_wildcard` option (#6146)
* Allow specifying multiple `auto_https` options * Implement `auto_https prefer_wildcard` option * Adapt tests, add mock DNS module for config testing * Rebase fix
Diffstat (limited to 'modules')
-rw-r--r--modules/caddyhttp/autohttps.go27
1 files changed, 27 insertions, 0 deletions
diff --git a/modules/caddyhttp/autohttps.go b/modules/caddyhttp/autohttps.go
index 79fdfd6ec..ccb610327 100644
--- a/modules/caddyhttp/autohttps.go
+++ b/modules/caddyhttp/autohttps.go
@@ -65,6 +65,12 @@ type AutoHTTPSConfig struct {
// enabled. To force automated certificate management
// regardless of loaded certificates, set this to true.
IgnoreLoadedCerts bool `json:"ignore_loaded_certificates,omitempty"`
+
+ // If true, automatic HTTPS will prefer wildcard names
+ // and ignore non-wildcard names if both are available.
+ // This allows for writing a config with top-level host
+ // matchers without having those names produce certificates.
+ PreferWildcard bool `json:"prefer_wildcard,omitempty"`
}
// automaticHTTPSPhase1 provisions all route matchers, determines
@@ -157,6 +163,27 @@ func (app *App) automaticHTTPSPhase1(ctx caddy.Context, repl *caddy.Replacer) er
}
}
+ if srv.AutoHTTPS.PreferWildcard {
+ wildcards := make(map[string]struct{})
+ for d := range serverDomainSet {
+ if strings.HasPrefix(d, "*.") {
+ wildcards[d[2:]] = struct{}{}
+ }
+ }
+ for d := range serverDomainSet {
+ if strings.HasPrefix(d, "*.") {
+ continue
+ }
+ base := d
+ if idx := strings.Index(d, "."); idx != -1 {
+ base = d[idx+1:]
+ }
+ if _, ok := wildcards[base]; ok {
+ delete(serverDomainSet, d)
+ }
+ }
+ }
+
// nothing more to do here if there are no domains that qualify for
// automatic HTTPS and there are no explicit TLS connection policies:
// if there is at least one domain but no TLS conn policy (F&&T), we'll