aboutsummaryrefslogtreecommitdiffhomepage
path: root/modules/caddyhttp/matchers.go
diff options
context:
space:
mode:
Diffstat (limited to 'modules/caddyhttp/matchers.go')
-rw-r--r--modules/caddyhttp/matchers.go64
1 files changed, 64 insertions, 0 deletions
diff --git a/modules/caddyhttp/matchers.go b/modules/caddyhttp/matchers.go
index 392312b6c..b7952ab69 100644
--- a/modules/caddyhttp/matchers.go
+++ b/modules/caddyhttp/matchers.go
@@ -178,6 +178,22 @@ type (
// "http/2", "http/3", or minimum versions: "http/2+", etc.
MatchProtocol string
+ // MatchTLS matches HTTP requests based on the underlying
+ // TLS connection state. If this matcher is specified but
+ // the request did not come over TLS, it will never match.
+ // If this matcher is specified but is empty and the request
+ // did come in over TLS, it will always match.
+ MatchTLS struct {
+ // Matches if the TLS handshake has completed. QUIC 0-RTT early
+ // data may arrive before the handshake completes. Generally, it
+ // is unsafe to replay these requests if they are not idempotent;
+ // additionally, the remote IP of early data packets can more
+ // easily be spoofed. It is conventional to respond with HTTP 425
+ // Too Early if the request cannot risk being processed in this
+ // state.
+ HandshakeComplete *bool `json:"handshake_complete,omitempty"`
+ }
+
// MatchNot matches requests by negating the results of its matcher
// sets. A single "not" matcher takes one or more matcher sets. Each
// matcher set is OR'ed; in other words, if any matcher set returns
@@ -213,6 +229,7 @@ func init() {
caddy.RegisterModule(MatchHeader{})
caddy.RegisterModule(MatchHeaderRE{})
caddy.RegisterModule(new(MatchProtocol))
+ caddy.RegisterModule(MatchTLS{})
caddy.RegisterModule(MatchNot{})
}
@@ -1237,6 +1254,53 @@ func (MatchProtocol) CELLibrary(_ caddy.Context) (cel.Library, error) {
}
// CaddyModule returns the Caddy module information.
+func (MatchTLS) CaddyModule() caddy.ModuleInfo {
+ return caddy.ModuleInfo{
+ ID: "http.matchers.tls",
+ New: func() caddy.Module { return new(MatchTLS) },
+ }
+}
+
+// Match returns true if r matches m.
+func (m MatchTLS) Match(r *http.Request) bool {
+ if r.TLS == nil {
+ return false
+ }
+ if m.HandshakeComplete != nil {
+ if (!*m.HandshakeComplete && r.TLS.HandshakeComplete) ||
+ (*m.HandshakeComplete && !r.TLS.HandshakeComplete) {
+ return false
+ }
+ }
+ return true
+}
+
+// UnmarshalCaddyfile parses Caddyfile tokens for this matcher. Syntax:
+//
+// ... tls [early_data]
+//
+// EXPERIMENTAL SYNTAX: Subject to change.
+func (m *MatchTLS) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
+ // iterate to merge multiple matchers into one
+ for d.Next() {
+ if d.NextArg() {
+ switch d.Val() {
+ case "early_data":
+ var false bool
+ m.HandshakeComplete = &false
+ }
+ }
+ if d.NextArg() {
+ return d.ArgErr()
+ }
+ if d.NextBlock(0) {
+ return d.Err("malformed tls matcher: blocks are not supported yet")
+ }
+ }
+ return nil
+}
+
+// CaddyModule returns the Caddy module information.
func (MatchNot) CaddyModule() caddy.ModuleInfo {
return caddy.ModuleInfo{
ID: "http.matchers.not",