Age | Commit message | Author |
|
|
|
* Removed newline characters from precomputed etags
* Update modules/caddyhttp/fileserver/staticfiles.go
---------
Co-authored-by: Matt Holt <[email protected]>
|
|
|
|
* reverseproxy: add Max-Age option to sticky cookie
* Update selectionpolicies.go
Co-authored-by: Francis Lavoie <[email protected]>
* Update selectionpolicies.go
Co-authored-by: Francis Lavoie <[email protected]>
---------
Co-authored-by: Francis Lavoie <[email protected]>
|
|
* a
* a
* a
* a
* a
* a
|
|
101d3e7 introduced a configuration option to set the log file mode.
This option was not taken into account if the file already exists,
making users have to delete their logs to have new logs created
with the right mode.
|
|
|
|
The latest tscert allows callers to provide a custom http.Transport for
calling Tailscale's local API.
Updates tailscale/caddy-tailscale#66
|
|
Commit 101d3e7 introduced file mode setting,
but was missing a JSON Marshaller so that
Caddyfile can be converted to JSON safely.
|
|
|
|
* Split `run` into a public `BuildContext` and a private part
`BuildContext` can be used to set up a caddy context from a config, but not start any listeners
or active components: The returned context has the configured apps provisioned, but otherwise is
inert.
This is EXPERIMENTAL: Minimally it's missing documentation and the example for how this can be
used to run unit tests.
* Use the config from the context
The config passed into `BuildContext` can be nil, in which case `BuildContext` will just make one
up that works. In either case that will end up in the finished context.
* Rename `BuildContext` to `ProvisionContext` to better match the function
* Hide the `replaceAdminServer` parts
The admin server is a global thing, and in the envisioned use case for `ProvisionContext`
shouldn't actually exist. Hide this detail in a private `provisionContext` instead, and
only expose it publicly with `replaceAdminServer` set to `false`.
This should reduce foot-shooting potential further; in addition the documentation comment
now clearly spells out that the exact interface and implementation details of `ProvisionContext`
are experimental and subject to change.
|
|
Adding a "mode" option to overwrite the default logfile permissions.
Default remains "0600" which is the one currently used by lumberjack.
|
|
|
|
Signed-off-by: Mohammed Al Sahaf <[email protected]>
|
|
* cmd: remove zealous check of Caddyfile auto-detection
* add test case
* remove redundant check, add comment
* one more case
|
|
* caddyhttp: Add test case to corpus
* One more test case
* Clean up stray comment
* More tests
|
|
certmagic (#6368)
See discussion about this setting in https://github.com/caddyserver/certmagic/issues/201
|
|
* cmd: fix regression in auto-detect of Caddyfile
Signed-off-by: Mohammed Al Sahaf <[email protected]>
* fix typo
Co-authored-by: Git'Fellow <[email protected]>
* add tests
* address review comments
---------
Signed-off-by: Mohammed Al Sahaf <[email protected]>
Co-authored-by: Git'Fellow <[email protected]>
|
|
* cmd: fix auto-detection of .caddyfile extension
Signed-off-by: Mohammed Al Sahaf <[email protected]>
* move conditions around and add clarifying comment
Signed-off-by: Mohammed Al Sahaf <[email protected]>
* reject ambiguous config file name
Signed-off-by: Mohammed Al Sahaf <[email protected]>
---------
Signed-off-by: Mohammed Al Sahaf <[email protected]>
|
|
SanitizePathJoin protects against directory traversal attacks by
checking for requests whose URL path looks like they are trying to
request something other than a local file, and returns the root
directory in those cases.
The method is also careful to ensure that requests which contain a
trailing slash include a trailing slash in the returned value. However,
for requests that contain only a slash (requests for the root path), the
IsLocal check returns early before the matching trailing slash is
re-added.
This change updates SanitizePathJoin to only perform the
filepath.IsLocal check if the cleaned request URL path is non-empty.
---
This change also updates the existing SanitizePathJoin tests to use
filepath.FromSlash rather than filepath.Join. This makes the expected
value a little easier to read, but also has the advantage of not being
processed by filepath.Clean like filepath.Join is. This means that the
exact expected value will be compared, not the result of first cleaning
it.
Fixes #6352
|
|
|
|
Fixes ARI errors reported here:
https://caddy.community/t/error-in-logs-with-updating-ari-after-upgrading-to-caddy-v2-8-1/24320
|
|
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 5 to 6.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/v5...v6)
---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
|
|
|
|
appDataDir components should be searchable (u+x) when they are
created, or else Caddy is unable to start with an empty HOME.
|
|
* Added sign_with_root option available in the Caddyfile
* Added tests for sign_with_root to validate the adapted JSON config
|
|
|
|
|
|
|
|
* autohttps: Move log WARN to INFO, reduce confusion
* Change implicit condition back to WARN
---------
Co-authored-by: Matthew Holt <[email protected]>
|
|
Closes #5086
|
|
(#6292)
* context: Add new `AppStrict()` method to avoid instantiating empty apps
* Rename AppStrict -> AppIfConfigured
---------
Co-authored-by: Matthew Holt <[email protected]>
|
|
|
|
|
|
Certificate automation has permission modules that are designed to
prevent inappropriate issuance of unbounded or wildcard certificates.
When an explicit cert manager is used, no additional permission should
be necessary. For example, this should be a valid caddyfile:
    https:// {
        tls {
            get_certificate tailscale
        }
        respond OK
    }
This is accomplished when provisioning an AutomationPolicy by tracking
whether there were explicit managers configured directly on the policy
(in the ManagersRaw field). Only when a number of potentially unsafe
conditions are present AND no explicit cert managers are configured is
an error returned.
The problem arises from the fact that ctx.LoadModule deletes the raw
bytes after loading in order to save memory. The first time an
AutomationPolicy is provisioned, the ManagersRaw field is populated, and
everything is fine.
An AutomationPolicy with no subjects is treated as a special "catch-all"
policy. App.createAutomationPolicies ensures that this catch-all policy
has an ACME issuer, and then calls its Provision method again because it
may have changed. This second time Provision is called, ManagersRaw is no
longer populated, and the permission check fails because it appears as
though the policy has no explicit managers.
Address this by storing a new boolean on AutomationPolicy recording
whether it had explicit cert managers configured on it.
Also fix an inverted boolean check on this value when setting
failClosed.
Updates #6060
Updates #6229
Updates #6327
Signed-off-by: Will Norris <[email protected]>
|
|
|
|
* caddyhttp: Trace individual middleware handlers
* Fix typo
|
|
* use url.PathEscape in file-server browse template
- add `pathEscape` to c.tpl.Funcs, using `url.PathEscape`
- use `pathEscape` in browse.html in place of `replace`
* document `pathEscape`
* Remove unnecessary pipe of img src to `html`
|
|
Set the requested server name in a context value for CertGetter
implementations to use. Pass ctx to tscert.GetCertificateWithContext.
Signed-off-by: Will Norris <[email protected]>
|
|
* chore: downgrade minimum Go version in go.mod
* Upgrade certmagic and zerossl
---------
Co-authored-by: Matthew Holt <[email protected]>
|
|
* caddytest: normalize the JSON config
|
|
* feat: add generic response interceptors
* fix: cs
* rename intercept
* add some docs
* @francislavoie review (first round)
* Update modules/caddyhttp/intercept/intercept.go
Co-authored-by: Francis Lavoie <[email protected]>
* shorthands: ir to resp
* mark exported symbols as experimental
---------
Co-authored-by: Francis Lavoie <[email protected]>
|
|
|
|
Co-authored-by: Francis Lavoie <[email protected]>
|
|
|
|
Not sure how it got unstaged
|
|
|
|
|
|
Seeing if this assists with some Go tooling logic
|
|
* Fix typos
* Revert
* Revert to "htlm"
* fix indentations
|