Age | Commit message (Collapse) | Author |
|
|
|
|
|
* Allow log sampling configuration from Caddyfile
* Add log sampling adapt tests
|
|
* caddy adapt for listen_protocols
* adapt listen_socket
* allow multiple listen sockets for port ranges and readd socket fd listen logic
* readd logic to start servers according to listener protocols
* gofmt
* adapt caddytest
* gosec
* fmt and rename listen to listenWithSocket
* fmt and rename listen to listenWithSocket
* more consistent error msg
* non unix listenReusableWithSocketFile
* remove unused func
* doc comment typo
* nonosec
* commit
* doc comments
* more doc comments
* comment was misleading, cardinality did not change
* addressesWithProtocols
* update test
* fd/ and fdgram/
* rm addr
* actually write...
* i guess we doin' "skip": now
* wrong var in placeholder
* wrong var in placeholder II
* update param name in comment
* dont save nil file pointers
* windows
* key -> parsedKey
* osx
* multiple default_bind with protocols
* check for h1 and h2 listener netw
|
|
|
|
Co-authored-by: Francis Lavoie <[email protected]>
|
|
|
|
* WIP: acmez v2, CertMagic, and ZeroSSL issuer upgrades
* caddytls: ZeroSSLIssuer now uses ZeroSSL API instead of ACME
* Fix go.mod
* caddytls: Fix automation related to managers (fix #6060)
* Fix typo (appease linter)
* Fix HTTP validation with ZeroSSL API
|
|
* logging: Implement `extra_log` handler
* Rename to `log_append`
* Rename `skip_log` to `log_skip`
---------
Co-authored-by: Matt Holt <[email protected]>
|
|
* tls: modularize client authentication trusted CA
* add `omitempty` to `CARaw`
* docs
* initial caddyfile support
* revert anything related to leaf cert validation
The certs are used differently than the CA pool flow
* complete caddyfile unmarshalling implementation
* Caddyfile syntax documentation
* enhance caddyfile parsing and documentation
Apply suggestions from code review
Co-authored-by: Francis Lavoie <[email protected]>
* add client_auth caddyfile tests
* add caddyfile unmarshalling tests
* fix and add missed adapt tests
* fix rebase issue
---------
Co-authored-by: Francis Lavoie <[email protected]>
|
|
|
|
directive (#5965)
Co-authored-by: Aziz Rmadi <[email protected]>
|
|
matcher (#5844)
|
|
|
|
|
|
* Added verifier case
Update author
* Update verifier to match struct tag
* gci run
|
|
|
|
|
|
|
|
* use gofmput to format code
* use gci to format imports
* reconfigure gci
* linter autofixes
* rearrange imports a little
* export GOOS=windows golangci-lint run ./... --fix
|
|
(#5643)
* httpcaddyfile: Allow `hostnames` override for log directive
* Implement access logger name overrides
* Fix panic & default logger clobbering edgecase
|
|
* caddyhttp: Implement named routes, `invoke` directive
* gofmt
* Add experimental marker
* Adjust route compile comments
|
|
Co-authored-by: Francis Lavoie <[email protected]>
|
|
|
|
Fix #4859
|
|
* Add SSL key logging.
* Resolve merge conflict with master
* Add Caddyfile support; various fixes
* Also commit go.mod and go.sum, oops
* Appease linter
* Minor tweaks
* Add doc comment
Co-authored-by: Matt Holt <[email protected]>
|
|
* caddyhttp: Implement `skip_log` handler
* Refactor to use vars middleware
Co-authored-by: Matt Holt <[email protected]>
|
|
The intent of "html" is to redirect browser clients only, or those which can evaluate JS and/or meta tags. So return HTTP 200 and no Location header. See #4940.
|
|
|
|
Includes several breaking changes; code base updated accordingly.
- Added lots of context arguments
- Use fs.ErrNotExist
- Rename ACMEManager -> ACMEIssuer; CertificateManager -> Manager
|
|
See discussion in #4650
|
|
* Add a override_domain option to allow DNS chanllenge delegation
CNAME can be used to delegate answering the chanllenge to another DNS
zone. One usage is to reduce the exposure of the DNS credential [1].
Based on the discussion in caddy/certmagic#160, we are adding an option
to allow the user explicitly specify the domain to delegate, instead of
following the CNAME chain.
This needs caddy/certmagic#160.
* rename override_domain to dns_challenge_override_domain
* Update CertMagic; fix spelling
Co-authored-by: Matthew Holt <[email protected]>
|
|
Huge thank-you to Tailscale (https://tailscale.com) for making this change possible!
This is a great feature for Caddy and Tailscale is a great fit for a standard implementation.
* caddytls: GetCertificate modules; Tailscale
* Caddyfile support for get_certificate
Also fix AP provisioning in case of empty subject list (persist loaded
module on struct, much like Issuers, to surive reprovisioning).
And implement start of HTTP cert getter, still WIP.
* Update modules/caddytls/automation.go
Co-authored-by: Francis Lavoie <[email protected]>
* Use tsclient package, check status for name
* Implement HTTP cert getter
And use reuse CertMagic's PEM functions for private keys.
* Remove cache option from Tailscale getter
Tailscale does its own caching and we don't need the added complexity...
for now, at least.
* Several updates
- Option to disable cert automation in auto HTTPS
- Support multiple cert managers
- Remove cache feature from cert manager modules
- Minor improvements to auto HTTPS logging
* Run go mod tidy
* Try to get certificates from Tailscale implicitly
Only for domains ending in .ts.net.
I think this is really cool!
Co-authored-by: Francis Lavoie <[email protected]>
|
|
|
|
|
|
* httpcaddyfile: Add `error` directive for the existing handler
* httpcaddyfile: Move `error` to the end of the order
|
|
This change is aimed at enhancing the logging module within the
Caddyfile directive to allow users to configure logs other than the HTTP
access log stream, which is the current capability of the Caddyfile [1].
The intent here is to leverage the same syntax as the server log
directive at a global level, so that similar customizations can be added
without needing to resort to a JSON-based configuration.
Discussion for this approach happened in the referenced issue.
Closes https://github.com/caddyserver/caddy/issues/3958
[1] https://caddyserver.com/docs/caddyfile/directives/log
|
|
Allows conveniently setting the resolvers for the DNS challenge using a TLS subdirective, which applies to default issuers, rather than having to explicitly define the issuers and overwrite the defaults.
|
|
If `tls <email>` is used, we should apply that to all applicable default issuers, not drop them. This refactoring applies implicit ACME issuer settings from the tls directive to all default ACME issuers, like ZeroSSL.
We also consolidate some annoying logic and improve config validity checks.
Ref: https://caddy.community/t/error-obtaining-certificate-after-caddy-restart/11335/8
|
|
* Fix html redir code, improve flow
* Fix integer check error and add tests
|
|
* caddyhttp: Implement handler abort; new 'abort' directive (close #3871)
* Move abort directive ordering; clean up redirects
Seems logical for the end-all of handlers to go at the... end.
The Connection header no longer needs to be set there, since Close is
true, and the static_response handler now does that.
|
|
* caddytls: add 'key_type' subdirective
* Suggested change
* *string -> string
* test
|
|
Eliminates a fair amount of repeated code
|
|
* ci: Use golangci's github action for linting
Signed-off-by: Dave Henderson <[email protected]>
* Fix most of the staticcheck lint errors
Signed-off-by: Dave Henderson <[email protected]>
* Fix the prealloc lint errors
Signed-off-by: Dave Henderson <[email protected]>
* Fix the misspell lint errors
Signed-off-by: Dave Henderson <[email protected]>
* Fix the varcheck lint errors
Signed-off-by: Dave Henderson <[email protected]>
* Fix the errcheck lint errors
Signed-off-by: Dave Henderson <[email protected]>
* Fix the bodyclose lint errors
Signed-off-by: Dave Henderson <[email protected]>
* Fix the deadcode lint errors
Signed-off-by: Dave Henderson <[email protected]>
* Fix the unused lint errors
Signed-off-by: Dave Henderson <[email protected]>
* Fix the gosec lint errors
Signed-off-by: Dave Henderson <[email protected]>
* Fix the gosimple lint errors
Signed-off-by: Dave Henderson <[email protected]>
* Fix the ineffassign lint errors
Signed-off-by: Dave Henderson <[email protected]>
* Fix the staticcheck lint errors
Signed-off-by: Dave Henderson <[email protected]>
* Revert the misspell change, use a neutral English
Signed-off-by: Dave Henderson <[email protected]>
* Remove broken golangci-lint CI job
Signed-off-by: Dave Henderson <[email protected]>
* Re-add errantly-removed weakrand initialization
Signed-off-by: Dave Henderson <[email protected]>
* don't break the loop and return
* Removing extra handling for null rootKey
* unignore RegisterModule/RegisterAdapter
Co-authored-by: Mohammed Al Sahaf <[email protected]>
* single-line log message
Co-authored-by: Matt Holt <[email protected]>
* Fix lint after a1808b0dbf209c615e438a496d257ce5e3acdce2 was merged
Signed-off-by: Dave Henderson <[email protected]>
* Revert ticker change, ignore it instead
Signed-off-by: Dave Henderson <[email protected]>
* Ignore some of the write errors
Signed-off-by: Dave Henderson <[email protected]>
* Remove blank line
Signed-off-by: Dave Henderson <[email protected]>
* Use lifetime
Signed-off-by: Dave Henderson <[email protected]>
* close immediately
Co-authored-by: Matt Holt <[email protected]>
* Preallocate configVals
Signed-off-by: Dave Henderson <[email protected]>
* Update modules/caddytls/distributedstek/distributedstek.go
Co-authored-by: Mohammed Al Sahaf <[email protected]>
Co-authored-by: Matt Holt <[email protected]>
|
|
* caddytls: Support multiple issuers
Defaults are Let's Encrypt and ZeroSSL.
There are probably bugs.
* Commit updated integration tests, d'oh
* Update go.mod
|
|
|
|
|
|
* caddytls: Add support for ZeroSSL; add Caddyfile support for issuers
Configuring issuers explicitly in a Caddyfile is not easily compatible
with existing ACME-specific parameters such as email or acme_ca which
infer the kind of issuer it creates (this is complicated now because
the ZeroSSL issuer wraps the ACME issuer)... oh well, we can revisit
that later if we need to.
New Caddyfile global option:
{
cert_issuer <name> ...
}
Or, alternatively, as a tls subdirective:
tls {
issuer <name> ...
}
For example, to use ZeroSSL with an API key:
{
cert_issuser zerossl API_KEY
}
For now, that still uses ZeroSSL's ACME endpoint; it fetches EAB
credentials for you. You can also provide the EAB credentials directly
just like any other ACME endpoint:
{
cert_issuer acme {
eab KEY_ID MAC_KEY
}
}
All these examples use the new global option (or tls subdirective). You
can still use traditional/existing options with ZeroSSL, since it's
just another ACME endpoint:
{
acme_ca https://acme.zerossl.com/v2/DV90
acme_eab KEY_ID MAC_KEY
}
That's all there is to it. You just can't mix-and-match acme_* options
with cert_issuer, because it becomes confusing/ambiguous/complicated to
merge the settings.
* Fix broken test
This test was asserting buggy behavior, oops - glad this branch both
discovers and fixes the bug at the same time!
* Fix broken test (post-merge)
* Update modules/caddytls/acmeissuer.go
Fix godoc comment
Co-authored-by: Francis Lavoie <[email protected]>
* Add support for ZeroSSL's EAB-by-email endpoint
Also transform the ACMEIssuer into ZeroSSLIssuer implicitly if set to
the ZeroSSL endpoint without EAB (the ZeroSSLIssuer is needed to
generate EAB if not already provided); this is now possible with either
an API key or an email address.
* go.mod: Use latest certmagic, acmez, and x/net
* Wrap underlying logic rather than repeating it
Oops, duh
* Form-encode email info into request body for EAB endpoint
Co-authored-by: Francis Lavoie <[email protected]>
|
|
|
|
* Replace lego with acmez; upgrade CertMagic
* Update integration test
|