diff options
author | Francis Lavoie <[email protected]> | 2024-10-02 09:31:58 -0400 |
---|---|---|
committer | GitHub <[email protected]> | 2024-10-02 07:31:58 -0600 |
commit | 16724842d9b9096b800326d0b7667a4361552552 (patch) | |
tree | 212b53abe5ce73bce9cb1825b6c06cce0b467194 /modules | |
parent | 792f1c7ed759b97ee6dc80246cf2de054c09a12f (diff) | |
download | caddy-16724842d9b9096b800326d0b7667a4361552552.tar.gz caddy-16724842d9b9096b800326d0b7667a4361552552.zip |
caddyhttp: Implement `auto_https prefer_wildcard` option (#6146)
* Allow specifying multiple `auto_https` options
* Implement `auto_https prefer_wildcard` option
* Adapt tests, add mock DNS module for config testing
* Rebase fix
Diffstat (limited to 'modules')
-rw-r--r-- | modules/caddyhttp/autohttps.go | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/modules/caddyhttp/autohttps.go b/modules/caddyhttp/autohttps.go index 79fdfd6ec..ccb610327 100644 --- a/modules/caddyhttp/autohttps.go +++ b/modules/caddyhttp/autohttps.go @@ -65,6 +65,12 @@ type AutoHTTPSConfig struct { // enabled. To force automated certificate management // regardless of loaded certificates, set this to true. IgnoreLoadedCerts bool `json:"ignore_loaded_certificates,omitempty"` + + // If true, automatic HTTPS will prefer wildcard names + // and ignore non-wildcard names if both are available. + // This allows for writing a config with top-level host + // matchers without having those names produce certificates. + PreferWildcard bool `json:"prefer_wildcard,omitempty"` } // automaticHTTPSPhase1 provisions all route matchers, determines @@ -157,6 +163,27 @@ func (app *App) automaticHTTPSPhase1(ctx caddy.Context, repl *caddy.Replacer) er } } + if srv.AutoHTTPS.PreferWildcard { + wildcards := make(map[string]struct{}) + for d := range serverDomainSet { + if strings.HasPrefix(d, "*.") { + wildcards[d[2:]] = struct{}{} + } + } + for d := range serverDomainSet { + if strings.HasPrefix(d, "*.") { + continue + } + base := d + if idx := strings.Index(d, "."); idx != -1 { + base = d[idx+1:] + } + if _, ok := wildcards[base]; ok { + delete(serverDomainSet, d) + } + } + } + // nothing more to do here if there are no domains that qualify for // automatic HTTPS and there are no explicit TLS connection policies: // if there is at least one domain but no TLS conn policy (F&&T), we'll |