Age | Commit message | Author |
|
* Added sign_with_root option available in the Caddyfile
* Added tests for sign_with_root to validate the adapted JSON config
|
* autohttps: Move log WARN to INFO, reduce confusion
* Change implicit condition back to WARN
---------
Co-authored-by: Matthew Holt <[email protected]>
|
|
Closes #5086
|
|
(#6292)
* context: Add new `AppStrict()` method to avoid instantiating empty apps
* Rename AppStrict -> AppIfConfigured
---------
Co-authored-by: Matthew Holt <[email protected]>
|
|
Certificate automation has permission modules that are designed to
prevent inappropriate issuance of unbounded or wildcard certificates.
When an explicit cert manager is used, no additional permission should
be necessary. For example, this should be a valid Caddyfile:
https:// {
tls {
get_certificate tailscale
}
respond OK
}
This is accomplished when provisioning an AutomationPolicy by tracking
whether there were explicit managers configured directly on the policy
(in the ManagersRaw field). Only when a number of potentially unsafe
conditions are present AND no explicit cert managers are configured is
an error returned.
The problem arises from the fact that ctx.LoadModule deletes the raw
bytes after loading in order to save memory. The first time an
AutomationPolicy is provisioned, the ManagersRaw field is populated, and
everything is fine.
An AutomationPolicy with no subjects is treated as a special "catch-all"
policy. App.createAutomationPolicies ensures that this catch-all policy
has an ACME issuer, and then calls its Provision method again because it
may have changed. This second time Provision is called, ManagersRaw is no
longer populated, and the permission check fails because it appears as
though the policy has no explicit managers.
Address this by storing a new boolean on AutomationPolicy recording
whether it had explicit cert managers configured on it.
Also fix an inverted boolean check on this value when setting
failClosed.
Updates #6060
Updates #6229
Updates #6327
Signed-off-by: Will Norris <[email protected]>
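The failure mode this commit describes, reduced to a stand-alone Go program. This is an added example, not Caddy's code: Policy, loadModules, provisionNaive, provisionFixed, provisionTwice, the "via" field and the failClosed semantics are hypothetical stand-ins, and the only "unsafe condition" modeled is a policy with no subjects (the catch-all case). The loader releases the raw config after decoding it, exactly the behaviour that makes the second Provision call misjudge the policy; the fixed variant records the fact on the first pass and consults the recorded value afterwards.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Policy is a hypothetical stand-in for an automation policy (not Caddy's
// type). A policy with no Subjects is treated as the catch-all policy.
type Policy struct {
	Subjects    []string          `json:"subjects,omitempty"`
	ManagersRaw []json.RawMessage `json:"get_certificate,omitempty"`

	Managers []string // manager names decoded from ManagersRaw

	// hadExplicitManagers is the fix: it is set on the first provision
	// and survives later calls, unlike ManagersRaw.
	hadExplicitManagers bool
	failClosed          bool
}

// loadModules mimics a module loader that decodes raw config and then
// releases the raw bytes to save memory, so a later call no longer sees them.
// The "via" field is an assumption of this example.
func loadModules(raw *[]json.RawMessage) ([]string, error) {
	var names []string
	for _, r := range *raw {
		var m struct {
			Via string `json:"via"`
		}
		if err := json.Unmarshal(r, &m); err != nil {
			return nil, err
		}
		names = append(names, m.Via)
	}
	*raw = nil // raw config is consumed here
	return names, nil
}

// unsafeConditions stands in for the checks that guard unbounded issuance;
// only "catch-all policy" is modeled.
func unsafeConditions(p *Policy) bool { return len(p.Subjects) == 0 }

var errNoExplicitManager = errors.New("catch-all policy has no explicit cert manager: refusing unbounded issuance")

// provisionNaive derives "explicit managers configured" from ManagersRaw on
// every call, so the second call sees an empty slice and fails the check.
func provisionNaive(p *Policy) error {
	explicit := len(p.ManagersRaw) > 0
	names, err := loadModules(&p.ManagersRaw)
	if err != nil {
		return err
	}
	if names != nil {
		p.Managers = names
	}
	p.failClosed = !explicit // assumed semantics: fail closed without explicit managers
	if unsafeConditions(p) && !explicit {
		return errNoExplicitManager
	}
	return nil
}

// provisionFixed records the fact once and consults the recorded value.
func provisionFixed(p *Policy) error {
	if len(p.ManagersRaw) > 0 {
		p.hadExplicitManagers = true
	}
	names, err := loadModules(&p.ManagersRaw)
	if err != nil {
		return err
	}
	if names != nil {
		p.Managers = names
	}
	p.failClosed = !p.hadExplicitManagers
	if unsafeConditions(p) && !p.hadExplicitManagers {
		return errNoExplicitManager
	}
	return nil
}

// provisionTwice mirrors the catch-all path: provision, adjust the policy
// (an issuer would be added here), provision again. It returns the first
// error encountered and the policy as left by the last call.
func provisionTwice(cfg string, provision func(*Policy) error) (*Policy, error) {
	p := new(Policy)
	if err := json.Unmarshal([]byte(cfg), p); err != nil {
		return nil, err
	}
	if err := provision(p); err != nil {
		return p, err
	}
	return p, provision(p)
}

// catchAllConfig is a constructed JSON equivalent of the Caddyfile above:
// no subjects, one explicit manager.
const catchAllConfig = `{"get_certificate":[{"via":"tailscale"}]}`

func main() {
	_, err := provisionTwice(catchAllConfig, provisionNaive)
	fmt.Println("naive second provision:", err)
	p, err := provisionTwice(catchAllConfig, provisionFixed)
	fmt.Println("fixed second provision:", err, "managers:", p.Managers)
}
```

The naive variant passes the first provision and rejects the second, which is the symptom reported above; the fixed variant accepts the catch-all policy with an explicit manager on both passes while still rejecting a catch-all policy that has none.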
|
|
|
|
* caddyhttp: Trace individual middleware handlers
* Fix typo
|
|
* use url.PathEscape in file-server browse template
- add `pathEscape` to c.tpl.Funcs, using `url.PathEscape`
- use `pathEscape` in browse.html in place of `replace`
* document `pathEscape`
* Remove unnecessary pipe of img src to `html`
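Why the link target needs url.PathEscape rather than HTML escaping alone, as an added Go example that is not the file server's own browse template: entry, browseTmpl, naiveTmpl, render and sample are constructed for illustration. html/template already escapes the visible name for the HTML text context, but in an href it only normalizes the value, leaving URL-reserved characters such as ? and # in place, so a file name containing them points the link at a different path.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"net/url"
)

// entry is a constructed directory listing row.
type entry struct{ Name string }

// browseTmpl is a stand-in for a browse template: the link target goes
// through pathEscape, the visible name through html/template's own
// contextual escaping.
const browseTmpl = `{{range .}}<a href="./{{pathEscape .Name}}">{{.Name}}</a>
{{end}}`

// naiveTmpl puts the raw name into the href. html/template still
// percent-encodes characters that are invalid in a URL, but it leaves
// URL-reserved characters such as ? and # alone, which changes the target.
const naiveTmpl = `{{range .}}<a href="./{{.Name}}">{{.Name}}</a>
{{end}}`

// render parses src with pathEscape registered (backed by url.PathEscape,
// which escapes everything not allowed in a single path segment) and
// executes it over entries.
func render(src string, entries []entry) (string, error) {
	t, err := template.New("browse").Funcs(template.FuncMap{
		"pathEscape": url.PathEscape,
	}).Parse(src)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, entries); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// sample is a constructed listing with names that are legal on disk but
// contain URL-reserved or HTML-special characters.
var sample = []entry{
	{Name: "report 2024.pdf"},
	{Name: "a?b#c.txt"},
	{Name: "<script>.html"},
}

func main() {
	for _, src := range []string{naiveTmpl, browseTmpl} {
		out, err := render(src, sample)
		if err != nil {
			panic(err)
		}
		fmt.Print(out)
	}
}
```

With the naive template the second entry renders as href="./a?b#c.txt", a request for "a" with a query string and fragment; with pathEscape it renders as href="./a%3Fb%23c.txt", which the server decodes back to the real file name.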
|
|
Set the requested server name in a context value for CertGetter
implementations to use. Pass ctx to tscert.GetCertificateWithContext.
Signed-off-by: Will Norris <[email protected]>
|
|
* chore: downgrade minimum Go version in go.mod
* Upgrade certmagic and zerossl
---------
Co-authored-by: Matthew Holt <[email protected]>
|
|
* caddytest: normalize the JSON config
|
|
* feat: add generic response interceptors
* fix: cs
* rename intercept
* add some docs
* @francislavoie review (first round)
* Update modules/caddyhttp/intercept/intercept.go
Co-authored-by: Francis Lavoie <[email protected]>
* shorthands: ir to resp
* mark exported symbols as experimental
---------
Co-authored-by: Francis Lavoie <[email protected]>
|
|
|
|
Co-authored-by: Francis Lavoie <[email protected]>
|
|
|
|
Not sure how it got unstaged
|
|
|
|
|
|
Seeing if this assists with some Go tooling logic
|
|
* Fix typos
* Revert
* Revert to "htlm"
* fix indentations
|
|
(#6307)
* use pointer when loading modules
* change method to pointer type and remove LazyCertPool
* remove lazy pool test
* remove yet another lazy pool test
|
|
|
|
|
|
* added health_follow_redirect in active health checks
* chore: code format
* chore: refactor reverseproxy healthcheck redirect variable name and description of the same
* chore: formatting
* changed reverse proxy health check status code range to be between 200-299
* chore: formatting
---------
Co-authored-by: aliasgar <[email protected]>
|
|
* Allow usage of root CA without a key. Fixes #6290
* Update modules/caddypki/crypto.go
---------
Co-authored-by: Matt Holt <[email protected]>
|
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 4 to 5.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/v4...v5)
---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
|
|
|
|
* caddytls: Evict internal certs from cache based on issuer
During a config reload, we would keep certs in the cache if they were used by the next config. If one config uses InternalIssuer and the other uses a public CA, this behavior is problematic / unintuitive, because there is a big difference between private/public CAs.
This change should ensure that internal issuers are considered when deciding whether to keep or evict from the cache during a reload, by making them distinct from each other and certs from public CAs.
* Make sure new TLS app manages configured certs
* Actually make it work
|
* Add option to configure certificate lifetime
* Bump CertMagic dep to latest master commit
* Apply suggestions and ran go mod tidy
* Update modules/caddytls/acmeissuer.go
Co-authored-by: Matt Holt <[email protected]>
---------
Co-authored-by: Matt Holt <[email protected]>
|
|
Co-authored-by: Matt Holt <[email protected]>
Co-authored-by: Mohammed Al Sahaf <[email protected]>
|
|
Co-authored-by: Francis Lavoie <[email protected]>
|