summaryrefslogtreecommitdiffhomepage
path: root/modules/caddyhttp/caddyhttp.go
AgeCommit message (Collapse)Author
2024-11-04caddyhttp: Add `MatchWithError` to replace SetVar hack (#6596)Francis Lavoie
* caddyhttp: Add `MatchWithError` to replace SetVar hack * Error in IP matchers on TLS handshake not complete * Use MatchWithError everywhere possible * Move implementations to MatchWithError versions * Looser interface checking to allow fallback * CEL factories can return RequestMatcherWithError * Clarifying comment since it's subtle that an err is returned * Return 425 Too Early status in IP matchers * Keep AnyMatch signature the same for now * Apparently Deprecated can't be all-uppercase to get IDE linting * Linter
2024-06-02caddyhttp: properly sanitize requests for root path (#6360)Will Norris
SanitizePathJoin protects against directory traversal attacks by checking for requests whose URL path look like they are trying to request something other than a local file, and returns the root directory in those cases. The method is also careful to ensure that requests which contain a trailing slash include a trailing slash in the returned value. However, for requests that contain only a slash (requests for the root path), the IsLocal check returns early before the matching trailing slash is re-added. This change updates SanitizePathJoin to only perform the filepath.IsLocal check if the cleaned request URL path is non-empty. --- This change also updates the existing SanitizePathJoin tests to use filepath.FromSlash rather than filepath.Join. This makes the expected value a little easier to read, but also has the advantage of not being processed by filepath.Clean like filepath.Join is. This means that the exact expect value will be compared, not the result of first cleaning it. Fixes #6352
2024-05-10caddyhttp: Alter log message when request is unhandled (close #5182)Matthew Holt
2024-04-24caddyhttp: Address some Go 1.20 features (#6252)Matt Holt
Co-authored-by: Francis Lavoie <[email protected]>
2023-08-07ci: Use gofumpt to format code (#5707)Jacob Gadikian
2023-02-06chore: Build with Go 1.20, keep minimum at 1.18 for now (#5353)Francis Lavoie
2022-08-16caddyhttp: Smarter path matching and rewriting (#4948)Matt Holt
Co-authored-by: RussellLuo <[email protected]>
2021-12-11fileserver: do not double-escape paths (#4447)Mohammed Al Sahaf
2021-09-16fileserver: properly handle escaped/non-ascii paths (#4332)Mohammed Al Sahaf
* fileserver: properly handle escaped/non-ascii paths * fileserver: tests: accommodate Windows hate of colons in files names
2021-06-17caddyhttp: Refactor and export SanitizedPathJoin for use in fastcgi (#4207)v2.4.3Matt Holt
2020-11-23httpcaddyfile: Configure servers via global options (#3836)Francis Lavoie
* httpcaddyfile: First pass at implementing server options * httpcaddyfile: Add listener wrapper support * httpcaddyfile: Sort sbaddrs to make adapt output more deterministic * httpcaddyfile: Add server options adapt tests * httpcaddyfile: Windows line endings lol * caddytest: More windows line endings lol (sorry Matt) * Update caddyconfig/httpcaddyfile/serveroptions.go Co-authored-by: Matt Holt <[email protected]> * httpcaddyfile: Reword listener address "matcher" * Apply suggestions from code review Co-authored-by: Matt Holt <[email protected]> * httpcaddyfile: Deprecate experimental_http3 option (moved to servers) * httpcaddyfile: Remove validation step, no longer needed Co-authored-by: Matt Holt <[email protected]>
2020-11-22ci: Use golangci's github action for linting (#3794)Dave Henderson
* ci: Use golangci's github action for linting Signed-off-by: Dave Henderson <[email protected]> * Fix most of the staticcheck lint errors Signed-off-by: Dave Henderson <[email protected]> * Fix the prealloc lint errors Signed-off-by: Dave Henderson <[email protected]> * Fix the misspell lint errors Signed-off-by: Dave Henderson <[email protected]> * Fix the varcheck lint errors Signed-off-by: Dave Henderson <[email protected]> * Fix the errcheck lint errors Signed-off-by: Dave Henderson <[email protected]> * Fix the bodyclose lint errors Signed-off-by: Dave Henderson <[email protected]> * Fix the deadcode lint errors Signed-off-by: Dave Henderson <[email protected]> * Fix the unused lint errors Signed-off-by: Dave Henderson <[email protected]> * Fix the gosec lint errors Signed-off-by: Dave Henderson <[email protected]> * Fix the gosimple lint errors Signed-off-by: Dave Henderson <[email protected]> * Fix the ineffassign lint errors Signed-off-by: Dave Henderson <[email protected]> * Fix the staticcheck lint errors Signed-off-by: Dave Henderson <[email protected]> * Revert the misspell change, use a neutral English Signed-off-by: Dave Henderson <[email protected]> * Remove broken golangci-lint CI job Signed-off-by: Dave Henderson <[email protected]> * Re-add errantly-removed weakrand initialization Signed-off-by: Dave Henderson <[email protected]> * don't break the loop and return * Removing extra handling for null rootKey * unignore RegisterModule/RegisterAdapter Co-authored-by: Mohammed Al Sahaf <[email protected]> * single-line log message Co-authored-by: Matt Holt <[email protected]> * Fix lint after a1808b0dbf209c615e438a496d257ce5e3acdce2 was merged Signed-off-by: Dave Henderson <[email protected]> * Revert ticker change, ignore it instead Signed-off-by: Dave Henderson <[email protected]> * Ignore some of the write errors Signed-off-by: Dave Henderson <[email protected]> * Remove blank line Signed-off-by: Dave Henderson <[email protected]> * Use lifetime Signed-off-by: Dave Henderson <[email protected]> * close immediately Co-authored-by: Matt Holt <[email protected]> * Preallocate configVals Signed-off-by: Dave Henderson <[email protected]> * Update modules/caddytls/distributedstek/distributedstek.go Co-authored-by: Mohammed Al Sahaf <[email protected]> Co-authored-by: Matt Holt <[email protected]>
2020-06-04reverseproxy: Enable changing only the status code (close #2920)Matthew Holt
2020-04-22caddyhttp: Fix trailers when recording responses (fixes #3236)Matthew Holt
2020-04-13core: Don't return error on RegisterModule() and RegisterAdapter()v2.0.0-rc.3Matthew Holt
These functions are called at init-time, and their inputs are hard-coded so there are no environmental or user factors that could make it fail or succeed; the error return values are often ignored, and when they're not, they are usually a fatal error anyway. To ensure that a programmer mistake is not missed, we now panic instead. Last breaking change 🤞
2020-03-28httpcaddyfile: Put root directive first, before redir and rewriteMatthew Holt
See https://caddy.community/t/v2-match-any-path-but-files/7326/8?u=matt If rewrites (or redirects, for that matter) match on file existence, the file matcher would need to know the root of the site. Making this change implies that root directives that depend on rewritten URIs will not work as expected. However, I think this is very uncommon, and am not sure I have ever seen that. Usually, dynamic roots are based on host, not paths or query strings. I suspect that rewrites based on file existence will be more common than roots based on rewritten URIs, so I am moving root to be the first in the list. Users can always override this ordering with the 'order' global option.
2020-03-15caddyhttp: Clean up; move some code aroundMatthew Holt
2020-03-15caddyhttp: Add support for listener wrapper modulesMatthew Holt
Wrapping listeners is useful for composing custom behavior related to accepting, closing, reading/writing connections (etc) below the application layer; for example, the PROXY protocol.
2020-03-13Some hotfixes for beta 16v2.0.0-beta.17Matthew Holt
2020-03-13v2: Implement 'pki' app powered by Smallstep for localhost certificates (#3125)Matt Holt
* pki: Initial commit of PKI app (WIP) (see #2502 and #3021) * pki: Ability to use root/intermediates, and sign with root * pki: Fix benign misnamings left over from copy+paste * pki: Only install root if not already trusted * Make HTTPS port the default; all names use auto-HTTPS; bug fixes * Fix build - what happened to our CI tests?? * Fix go.mod
2020-03-06Merge branch 'certmagic-refactor' into v2Matthew Holt
2020-03-06Refactor for CertMagic v0.10; prepare for PKI appMatthew Holt
This is a breaking change primarily in two areas: - Storage paths for certificates have changed - Slight changes to JSON config parameters Huge improvements in this commit, to be detailed more in the release notes. The upcoming PKI app will be powered by Smallstep libraries.
2020-02-27It might be HTTP->HTTPS in the comment (#3086)Success Go
2020-02-26Initial implementation of global default SNI option (#3047)Mark Sargent
* add global default sni * fixed grammar * httpcaddyfile: Reduce some duplicated code * Um, re-commit already-committed commit, I guess? (sigh) Co-authored-by: Matt Holt <[email protected]>
2020-02-25Expose TLS placeholders (#2982)Cameron Moore
* caddytls: Add CipherSuiteName and ProtocolName functions The cipher_suites.go file is derived from a commit to the Go master branch that's slated for Go 1.14. Once Go 1.14 is released, this file can be removed. * caddyhttp: Use commonLogEmptyValue in common_log replacer * caddyhttp: Add TLS placeholders * caddytls: update unsupportedProtocols Don't export unsupportedProtocols and update its godoc to mention that it's used for logging only. * caddyhttp: simplify getRegTLSReplacement signature getRegTLSReplacement should receive a string instead of a pointer. * caddyhttp: Remove http.request.tls.client.cert replacer The previous behavior of printing the raw certificate bytes was ported from Caddy 1, but the usefulness of that approach is suspect. Remove the client cert replacer from v2 until a use case is presented. * caddyhttp: Use tls.CipherSuiteName from Go 1.14 Remove ported version of CipherSuiteName in the process.
2020-02-20caddyhttp: Add handler for unhandled errors in errorChain (#3063)Robin Lambertz
* Add handler for unhandled errors in errorChain Currently, when an error chain is defined, the default error handler is bypassed entirely - even if the error chain doesn't handle every error. This results in pages returning a blank 200 OK page. For instance, it's possible for an error chain to match on the error status code and only handle a certain subtype of errors (like 403s). In this case, we'd want any other errors to still go through the default handler and return an empty page with the status code. This PR changes the "suffix handler" passed to errorChain.Compile to set the status code of the response to the error status code. Fixes #3053 * Move the errorHandlerChain middleware to variable * Style fix
2020-02-18http: Close HTTP/3 servers and listeners; upstream bug irreproducibleMatthew Holt
See https://github.com/lucas-clemente/quic-go/issues/2103 and https://github.com/caddyserver/caddy/pull/2727
2020-02-05http: Split 2-phase auto-HTTPS into 3 phasesMatthew Holt
This is necessary to avoid a race for sockets. Both the HTTP servers and CertMagic solvers will try to bind the HTTP/HTTPS ports, but we need to make sure that our HTTP servers bind first. This is kind of a new thing now that management is async in Caddy 2. Also update to CertMagic 0.9.2, which fixes some async use cases at scale.
2020-02-04caddyhttp: Fix orig_uri placeholder docs (#3002)Francis Lavoie
Fixes #3001
2020-01-13http: Refactor automatic HTTPS (fixes #2972)Matthew Holt
This splits automatic HTTPS into two phases. The first provisions the route matchers and uses them to build the domain set and configure auto HTTP->HTTPS redirects. This happens before the rest of the provisioning does. The second phase takes place at the beginning of the app start. It attaches pointers to the tls app to each server, and begins certificate management for the domains that were found in the first phase.
2020-01-12http: Fix subroutes, ensure that next handlers can still be calledMatthew Holt
2020-01-12http: Fix empty responsesMatthew Holt
Sigh... this is what I get for writing code when I'm tired and sick. See https://github.com/caddyserver/caddy/commit/8be1f0ea668492000cdefbd937e0359bdc24bfc1#r36764627
2020-01-11http: Ensure primary routes always get compiled (fix #2972)Matthew Holt
Including servers for HTTP->HTTPS redirects which do not get provisioned like the rest.
2020-01-10http: Remove {...query_string} placeholder, in favor of {...query}Matthew Holt
I am not sure if the query_string one is necessary or useful yet. We can always add it later if needed.
2020-01-09http: Don't use a Host matcher for HTTP->HTTPS redirectsMatthew Holt
In case on-demand TLS is enabled, in that case we don't know the only names that have automatic HTTPS. See https://caddy.community/t/v2-http-to-https-redirects-fail-for-on-demand-ssl-certs/6742?u=matt
2020-01-09http: Change routes to sequential matcher evaluation (#2967)Matt Holt
Previously, all matchers in a route would be evaluated before any handlers were executed, and a composite route of the matching routes would be created. This made rewrites especially tricky, since the only way to defer later matchers' evaluation was to wrap them in a subroute, or to invoke a "rehandle" which often caused bugs. Instead, this new sequential design evaluates each route's matchers then its handlers in lock-step; matcher-handlers-matcher-handlers... If the first matching route consists of a rewrite, then the second route will be evaluated against the rewritten request, rather than the original one, and so on. This should do away with any need for rehandling. I've also taken this opportunity to avoid adding new values to the request context in the handler chain, as this creates a copy of the Request struct, which may possibly lead to bugs like it has in the past (see PR #1542, PR #1481, and maybe issue #2463). We now add all the expected context values in the top-level handler at the server, then any new values can be added to the variable table via the VarsCtxKey context key, or just the GetVar/SetVar functions. In particular, we are using this facility to convey dial information in the reverse proxy. Had to be careful in one place as the middleware compilation logic has changed, and moved a bit. We no longer compile a middleware chain per- request; instead, we can compile it at provision-time, and defer only the evaluation of matchers to request-time, which should slightly improve performance. Doing this, however, we take advantage of multiple function closures, and we also changed the use of HandlerFunc (function pointer) to Handler (interface)... this led to a situation where, if we aren't careful, allows one request routed a certain way to permanently change the "next" handler for all/most other requests! We avoid this by making a copy of the interface value (which is a lightweight pointer copy) and using exclusively that within our wrapped handlers. This way, the original stack frame is preserved in a "read-only" fashion. The comments in the code describe this phenomenon. This may very well be a breaking change for some configurations, however I do not expect it to impact many people. I will make it clear in the release notes that this change has occurred.
2019-12-29Improve docs, especially w.r.t. placeholders and template actionsMatthew Holt
2019-12-28http: Enable TLS for servers listening only on HTTPS portMatthew Holt
It seems silly to have to add a single, empty TLS connection policy to a server to enable TLS when it's only listening on the HTTPS port. We now do this for the user as part of automatic HTTPS (thus, it can be disabled / overridden). See https://caddy.community/t/v2-catch-all-server-with-automatic-tls/6692/2?u=matt
2019-12-10v2: Module documentation; refactor LoadModule(); new caddy struct tags (#2924)Matt Holt
This commit goes a long way toward making automated documentation of Caddy config and Caddy modules possible. It's a broad, sweeping change, but mostly internal. It allows us to automatically generate docs for all Caddy modules (including future third-party ones) and make them viewable on a web page; it also doubles as godoc comments. As such, this commit makes significant progress in migrating the docs from our temporary wiki page toward our new website which is still under construction. With this change, all host modules will use ctx.LoadModule() and pass in both the struct pointer and the field name as a string. This allows the reflect package to read the struct tag from that field so that it can get the necessary information like the module namespace and the inline key. This has the nice side-effect of unifying the code and documentation. It also simplifies module loading, and handles several variations on field types for raw module fields (i.e. variations on json.RawMessage, such as arrays and maps). I also renamed ModuleInfo.Name -> ModuleInfo.ID, to make it clear that the ID is the "full name" which includes both the module namespace and the name. This clarity is helpful when describing module hierarchy. As of this change, Caddy modules are no longer an experimental design. I think the architecture is good enough to go forward.
2019-11-30http: Don't listen 1 port beyond port rangeMatthew Holt
2019-11-15http: Only enable access logs if configuredMatthew Holt
2019-11-11core: Use port ranges to avoid OOM with bad inputs (#2859)Mohammed Al Sahaf
* fix OOM issue caught by fuzzing * use ParsedAddress as the struct name for the result of ParseNetworkAddress * simplify code using the ParsedAddress type * minor cleanups
2019-11-11http: Use permanent redirects for HTTP->HTTPSMatthew Holt
2019-10-31http: Ensure server loggers are not nil (fixes #2849)Matthew Holt
2019-10-28v2: Logging! (#2831)Matt Holt
* logging: Initial implementation * logging: More encoder formats, better defaults * logging: Fix repetition bug with FilterEncoder; add more presets * logging: DiscardWriter; delete or no-op logs that discard their output * logging: Add http.handlers.log module; enhance Replacer methods The Replacer interface has new methods to customize how to handle empty or unrecognized placeholders. Closes #2815. * logging: Overhaul HTTP logging, fix bugs, improve filtering, etc. * logging: General cleanup, begin transitioning to using new loggers * Fixes after merge conflict
2019-10-15caddyhttp: Improve ResponseRecorder to buffer headersMatthew Holt
2019-10-14caddyhttp: Support placeholders in MatchHost (#2810)v2.0.0-beta6Pascal
* Replace global placeholders in host matcher * caddyhttp: Fix panic on MatchHost tests
2019-10-10Miscellaneous cleanups / commentsMatthew Holt
2019-09-30tls: Change struct fields to pointers, add nil checks; rate.Burst updateMatthew Holt
Making them pointers makes for cleaner JSON when adapting configs, if the struct is empty now it will be omitted entirely. The x/time/rate package was updated to support changing the burst, so we've incorporated that here and removed a TODO.
2019-09-18http: Improve auto HTTP->HTTPS redirects, fix edge casesMatthew Holt
See https://caddy.community/t/v2-issues-with-multiple-server-blocks-in-caddyfile-style-config/6206/13?u=matt Also print pid when using `caddy start`