aboutsummaryrefslogtreecommitdiffhomepage
path: root/modules/caddyhttp/autohttps.go
AgeCommit message (Collapse)Author
2024-10-04caddyhttp: Use internal issuer for IPs when no APs configuredMatthew Holt
This fixes a regression in 2.8 where IP addresses would be considered qualifying for public certs by auto-HTTPS. The default issuers do not issue IP certs at this time, so if no APs are explicitly configured, we assign them to the internal issuer. We have to add a couple lines of code because CertMagic can no longer consider IPs as not qualifying for public certs, since there are public CAs that issue IP certs. This edge case is specific to Caddy's auto-HTTPS. Without this patch, Caddy will try using Let's Encrypt or ZeroSSL's ACME endpoint to get IP certs, neither of which support that.
2024-10-02caddyhttp: Implement `auto_https prefer_wildcard` option (#6146)Francis Lavoie
* Allow specifying multiple `auto_https` options * Implement `auto_https prefer_wildcard` option * Adapt tests, add mock DNS module for config testing * Rebase fix
2024-10-01cmd: Better error handling when reloading (#6601)Matt Holt
* caddyhttp: Limit auto-HTTPS error logs to 100 domains * Improve error message and increase error size limit
2024-09-25chore: Use slices package where possible (#6585)Francis Lavoie
* chore: Use slices package where possible * More, mostly using ContainsFunc * Even more slice operations
2024-05-20autohttps: Move log WARN to INFO, reduce confusion (#6185)v2.8.0-rc.1Francis Lavoie
* autohttps: Move log WARN to INFO, reduce confusion * Change implicit condition back to WARN --------- Co-authored-by: Matthew Holt <[email protected]>
2024-04-13caddytls: Upgrade ACMEz to v2; support ZeroSSL API; various fixes (#6229)Matt Holt
* WIP: acmez v2, CertMagic, and ZeroSSL issuer upgrades * caddytls: ZeroSSLIssuer now uses ZeroSSL API instead of ACME * Fix go.mod * caddytls: Fix automation related to managers (fix #6060) * Fix typo (appease linter) * Fix HTTP validation with ZeroSSL API
2024-04-12caddyhttp: Apply auto HTTPS redir to all interfaces (fix #6226)Matthew Holt
2023-08-14ci: use gci linter (#5708)Jacob Gadikian
* use gofmput to format code * use gci to format imports * reconfigure gci * linter autofixes * rearrange imports a little * export GOOS=windows golangci-lint run ./... --fix
2023-07-11caddytls: Reuse certificate cache through reloads (#5623)Matt Holt
* caddytls: Don't purge cert cache on config reload * Update CertMagic This actually avoids reloading managed certs from storage when already in the cache, d'oh. * Fix bug; re-implement HasCertificateForSubject * Update go.mod: CertMagic tag
2023-05-15caddyhttp: Refactor cert Managers (fix #5415) (#5533)Matt Holt
2023-03-27caddytls: Eval replacer on automation policy subjects (#5459)Francis Lavoie
Also renamed the field to SubjectsRaw, which can be considered a breaking change but I don't expect this to affect much.
2022-09-19caddyhttp: Skip inserting HTTP->HTTPS redir if catch-all for both exist (#5051)Francis Lavoie
2022-09-02Minor style adjustments for HTTP redir loggingMatthew Holt
2022-09-01caddyhttp: Copy logger config to HTTP server during AutoHTTPS (#4990)Francis Lavoie
2022-06-01Fix #4822 and fix #4779Matthew Holt
The fix for 4822 is the change at the top of the file, and 4779's fix is toward the bottom of the file.
2022-04-28caddyhttp: Improve listen addr error message for IPv6 (#4740)Francis Lavoie
2022-03-25go.mod: Upgrade CertMagic to v0.16.0Matthew Holt
Includes several breaking changes; code base updated accordingly. - Added lots of context arguments - Use fs.ErrNotExist - Rename ACMEManager -> ACMEIssuer; CertificateManager -> Manager
2022-03-02caddyhttp: Don't attempt to manage Tailscale certsMatthew Holt
If .ts.net domains are explicitly added to config, don't try to manage a cert for them (it will fail, and our implicit Tailscale module will get those certs at run-time).
2022-02-17caddytls: Support external certificate Managers (like Tailscale) (#4541)Matt Holt
Huge thank-you to Tailscale (https://tailscale.com) for making this change possible! This is a great feature for Caddy and Tailscale is a great fit for a standard implementation. * caddytls: GetCertificate modules; Tailscale * Caddyfile support for get_certificate Also fix AP provisioning in case of empty subject list (persist loaded module on struct, much like Issuers, to surive reprovisioning). And implement start of HTTP cert getter, still WIP. * Update modules/caddytls/automation.go Co-authored-by: Francis Lavoie <[email protected]> * Use tsclient package, check status for name * Implement HTTP cert getter And use reuse CertMagic's PEM functions for private keys. * Remove cache option from Tailscale getter Tailscale does its own caching and we don't need the added complexity... for now, at least. * Several updates - Option to disable cert automation in auto HTTPS - Support multiple cert managers - Remove cache feature from cert manager modules - Minor improvements to auto HTTPS logging * Run go mod tidy * Try to get certificates from Tailscale implicitly Only for domains ending in .ts.net. I think this is really cool! Co-authored-by: Francis Lavoie <[email protected]>
2022-01-18caddyhttp: Fix HTTP->HTTPS redir not preferring HTTPS port if ambiguous (#4530)Francis Lavoie
2021-04-19caddyhttp: Implement better logic for inserting the HTTP->HTTPS redirs (#4033)Francis Lavoie
* caddyhttp: Implement better logic for inserting the HTTP->HTTPS redirs * caddyhttp: Add integration test
2021-02-02httpcaddyfile: Fix default issuers when email providedMatthew Holt
If `tls <email>` is used, we should apply that to all applicable default issuers, not drop them. This refactoring applies implicit ACME issuer settings from the tls directive to all default ACME issuers, like ZeroSSL. We also consolidate some annoying logic and improve config validity checks. Ref: https://caddy.community/t/error-obtaining-certificate-after-caddy-restart/11335/8
2021-01-28caddyhttp: Implement handler abort; new 'abort' directive (close #3871) (#3983)Matt Holt
* caddyhttp: Implement handler abort; new 'abort' directive (close #3871) * Move abort directive ordering; clean up redirects Seems logical for the end-all of handlers to go at the... end. The Connection header no longer needs to be set there, since Close is true, and the static_response handler now does that.
2020-12-10caddyhttp: Clean up internal auto-HTTPS redirect codeMatthew Holt
Refactor redirect route creation into own function. Improve condition for appending port. Fixes a bug manifested through new test case: TestAutoHTTPRedirectsWithHTTPListenerFirstInAddresses
2020-11-22ci: Use golangci's github action for linting (#3794)Dave Henderson
* ci: Use golangci's github action for linting Signed-off-by: Dave Henderson <[email protected]> * Fix most of the staticcheck lint errors Signed-off-by: Dave Henderson <[email protected]> * Fix the prealloc lint errors Signed-off-by: Dave Henderson <[email protected]> * Fix the misspell lint errors Signed-off-by: Dave Henderson <[email protected]> * Fix the varcheck lint errors Signed-off-by: Dave Henderson <[email protected]> * Fix the errcheck lint errors Signed-off-by: Dave Henderson <[email protected]> * Fix the bodyclose lint errors Signed-off-by: Dave Henderson <[email protected]> * Fix the deadcode lint errors Signed-off-by: Dave Henderson <[email protected]> * Fix the unused lint errors Signed-off-by: Dave Henderson <[email protected]> * Fix the gosec lint errors Signed-off-by: Dave Henderson <[email protected]> * Fix the gosimple lint errors Signed-off-by: Dave Henderson <[email protected]> * Fix the ineffassign lint errors Signed-off-by: Dave Henderson <[email protected]> * Fix the staticcheck lint errors Signed-off-by: Dave Henderson <[email protected]> * Revert the misspell change, use a neutral English Signed-off-by: Dave Henderson <[email protected]> * Remove broken golangci-lint CI job Signed-off-by: Dave Henderson <[email protected]> * Re-add errantly-removed weakrand initialization Signed-off-by: Dave Henderson <[email protected]> * don't break the loop and return * Removing extra handling for null rootKey * unignore RegisterModule/RegisterAdapter Co-authored-by: Mohammed Al Sahaf <[email protected]> * single-line log message Co-authored-by: Matt Holt <[email protected]> * Fix lint after a1808b0dbf209c615e438a496d257ce5e3acdce2 was merged Signed-off-by: Dave Henderson <[email protected]> * Revert ticker change, ignore it instead Signed-off-by: Dave Henderson <[email protected]> * Ignore some of the write errors Signed-off-by: Dave Henderson <[email protected]> * Remove blank line Signed-off-by: Dave Henderson <[email protected]> * Use lifetime Signed-off-by: Dave Henderson <[email protected]> * close immediately Co-authored-by: Matt Holt <[email protected]> * Preallocate configVals Signed-off-by: Dave Henderson <[email protected]> * Update modules/caddytls/distributedstek/distributedstek.go Co-authored-by: Mohammed Al Sahaf <[email protected]> Co-authored-by: Matt Holt <[email protected]>
2020-11-16caddytls: Support multiple issuers (#3862)Matt Holt
* caddytls: Support multiple issuers Defaults are Let's Encrypt and ZeroSSL. There are probably bugs. * Commit updated integration tests, d'oh * Update go.mod
2020-08-11caddytls: Add support for ZeroSSL; add Caddyfile support for issuers (#3633)v2.2.0-rc.1Matt Holt
* caddytls: Add support for ZeroSSL; add Caddyfile support for issuers Configuring issuers explicitly in a Caddyfile is not easily compatible with existing ACME-specific parameters such as email or acme_ca which infer the kind of issuer it creates (this is complicated now because the ZeroSSL issuer wraps the ACME issuer)... oh well, we can revisit that later if we need to. New Caddyfile global option: { cert_issuer <name> ... } Or, alternatively, as a tls subdirective: tls { issuer <name> ... } For example, to use ZeroSSL with an API key: { cert_issuser zerossl API_KEY } For now, that still uses ZeroSSL's ACME endpoint; it fetches EAB credentials for you. You can also provide the EAB credentials directly just like any other ACME endpoint: { cert_issuer acme { eab KEY_ID MAC_KEY } } All these examples use the new global option (or tls subdirective). You can still use traditional/existing options with ZeroSSL, since it's just another ACME endpoint: { acme_ca https://acme.zerossl.com/v2/DV90 acme_eab KEY_ID MAC_KEY } That's all there is to it. You just can't mix-and-match acme_* options with cert_issuer, because it becomes confusing/ambiguous/complicated to merge the settings. * Fix broken test This test was asserting buggy behavior, oops - glad this branch both discovers and fixes the bug at the same time! * Fix broken test (post-merge) * Update modules/caddytls/acmeissuer.go Fix godoc comment Co-authored-by: Francis Lavoie <[email protected]> * Add support for ZeroSSL's EAB-by-email endpoint Also transform the ACMEIssuer into ZeroSSLIssuer implicitly if set to the ZeroSSL endpoint without EAB (the ZeroSSLIssuer is needed to generate EAB if not already provided); this is now possible with either an API key or an email address. * go.mod: Use latest certmagic, acmez, and x/net * Wrap underlying logic rather than repeating it Oops, duh * Form-encode email info into request body for EAB endpoint Co-authored-by: Francis Lavoie <[email protected]>
2020-06-03caddyhttp: Auto-redirects from all bind addresses (fix #3443)Matthew Holt
2020-04-24httpcaddyfile: Add nil check to prevent panic, fix validation logicMatthew Holt
Panic would happen if an automation policy was specified in a singular server block that had no hostnames in its address. Definitely an edge case. Fixed a bug related to checking for server blocks with a host-less key that tried to make an automation policy. Previously if you had only two server blocks like ":443" and another one at ":80", the one at ":443" could not create a TLS automation policy because it thought it would interfere with TLS automation for the block at ":80", but obviously that key doesn't enable TLS because it is on the HTTP port. So now we are a little smarter and count only non-HTTP-empty-hostname keys. Also fixed a bug so that a key like "https://:1234" is sure to have TLS enabled by giving it a TLS connection policy. (Relaxed conditions slightly; the previous conditions were too strict, requiring there to be a TLS conn policy already or a default SNI to be non-empty.) Also clarified a comment thanks to feedback from @Mohammed90
2020-04-24dangit, of course I would bork my git commitMatthew Holt
2020-04-24caddyhttp: Fix auto redirects for catch-all HTTPS sitesMatthew Holt
Prior logic was not setting up redirects for the case when domain names are not known, but the server still clearly has TLS enabled.
2020-04-09caddytls: Don't initialize default internal issuer unless necessaryMatthew Holt
Otherwise, a password prompt can occur unnecessarily.
2020-04-07core: Rename ParsedAddress -> NetworkAddressMatthew Holt
2020-03-23caddyhttp: Always provision ACME issuers (fix terms agree error)Matthew Holt
2020-03-20tls/http: Fix auto-HTTPS logic w/rt default issuers (fixes #3164)Matthew Holt
The comments in the code should explain the new logic thoroughly. The basic problem for the issue was that we were overriding a catch-all automation policy's explicitly-configured issuer with our own, for names that we thought looked like public names. In other words, one could configure an internal issuer for all names, but then our auto HTTPS would create a new policy for public-looking names that uses the default ACME issuer, because we assume public<==>ACME and nonpublic<==>Internal, but that is not always the case. The new logic still assumes nonpublic<==>Internal (on catch-all policies only), but no longer assumes that public-looking names always use an ACME issuer. Also fix a bug where HTTPPort and HTTPSPort from the HTTP app weren't being carried through to ACME issuers properly. It required a bit of refactoring.
2020-03-17httpcaddyfile: Many tls-related improvements including on-demand supportMatthew Holt
Holy heck this was complicated
2020-03-15caddytls: Clean up some code related to automationMatthew Holt
2020-03-15Add missing license textsMatthew Holt
2020-03-13Some hotfixes for beta 16v2.0.0-beta.17Matthew Holt
2020-03-13v2: Implement 'pki' app powered by Smallstep for localhost certificates (#3125)Matt Holt
* pki: Initial commit of PKI app (WIP) (see #2502 and #3021) * pki: Ability to use root/intermediates, and sign with root * pki: Fix benign misnamings left over from copy+paste * pki: Only install root if not already trusted * Make HTTPS port the default; all names use auto-HTTPS; bug fixes * Fix build - what happened to our CI tests?? * Fix go.mod
2020-03-09caddyhttp: New algorithm for auto HTTP->HTTPS redirects (fix #3127) (#3128)Matt Holt
It's still not perfect but I think it should be more correct for slightly more complex configs. Might still fall apart for complex configs that use on-demand TLS or at a large scale (workarounds are to just implement your own redirects, very easy to do anyway).
2020-03-07tls: Couple of quick fixes for 4d18587192e4fffe5b34b714eaabcfc212914c1eMatthew Holt
2020-03-06Refactor for CertMagic v0.10; prepare for PKI appMatthew Holt
This is a breaking change primarily in two areas: - Storage paths for certificates have changed - Slight changes to JSON config parameters Huge improvements in this commit, to be detailed more in the release notes. The upcoming PKI app will be powered by Smallstep libraries.
2020-02-14tls: Avoid duplication AutomationPolicies for large quantities of namesMatthew Holt
This should greatly reduce memory usage at scale. Part of an overall effort between Caddy 2 and CertMagic to optimize for large numbers of names.
2020-02-05http: Split 2-phase auto-HTTPS into 3 phasesMatthew Holt
This is necessary to avoid a race for sockets. Both the HTTP servers and CertMagic solvers will try to bind the HTTP/HTTPS ports, but we need to make sure that our HTTP servers bind first. This is kind of a new thing now that management is async in Caddy 2. Also update to CertMagic 0.9.2, which fixes some async use cases at scale.
2020-01-16httpcaddyfile: Fix nested blocks; add handle directive; refactorMatthew Holt
The fix that was initially put forth in #2971 was good, but only for up to one layer of nesting. The real problem was that we forgot to increment nesting when already inside a block if we saw another open curly brace that opens another block (dispenser.go L157-158). The new 'handle' directive allows HTTP Caddyfiles to be designed more like nginx location blocks if the user prefers. Inside a handle block, directives are still ordered just like they are outside of them, but handler blocks at a given level of nesting are mutually exclusive. This work benefitted from some refactoring and cleanup.
2020-01-13http: Refactor automatic HTTPS (fixes #2972)Matthew Holt
This splits automatic HTTPS into two phases. The first provisions the route matchers and uses them to build the domain set and configure auto HTTP->HTTPS redirects. This happens before the rest of the provisioning does. The second phase takes place at the beginning of the app start. It attaches pointers to the tls app to each server, and begins certificate management for the domains that were found in the first phase.