author | Matthew Holt <mholt@users.noreply.github.com> | 2021-06-09 14:34:59 -0600 |
---|---|---|
committer | Matthew Holt <mholt@users.noreply.github.com> | 2021-06-09 14:35:09 -0600 |
commit | 05656a60b3b089ce1735a1ebb02539cca9f68fb4 (patch) | |
tree | 3fb0db25f2c0a21225c89dc85fc438792ac64978 | |
parent | 1e92258dd670dc62a55b100d1e68e7f482da14a1 (diff) |
httpcaddyfile: Don't add HTTP hosts to TLS APs (fix #4176 and fix #4198)
In the Caddyfile, hosts specified for HTTP sockets (either scheme is "http" or it is on the HTTP port) should not be used as subjects in TLS automation policies (APs).
-rw-r--r-- | caddyconfig/httpcaddyfile/directives.go | 21 | ||||
-rw-r--r-- | caddyconfig/httpcaddyfile/tlsapp.go | 2 | ||||
-rw-r--r-- | caddytest/integration/caddyfile_adapt/tls_automation_policies_7.txt | 68 |
3 files changed, 90 insertions, 1 deletions
diff --git a/caddyconfig/httpcaddyfile/directives.go b/caddyconfig/httpcaddyfile/directives.go
index 5e19474..75fd473 100644
--- a/caddyconfig/httpcaddyfile/directives.go
+++ b/caddyconfig/httpcaddyfile/directives.go
@@ -478,6 +478,27 @@ func (sb serverBlock) hostsFromKeys(loggerMode bool) []string {
 	return sblockHosts
 }
 
+func (sb serverBlock) hostsFromKeysNotHTTP(httpPort string) []string {
+	// ensure each entry in our list is unique
+	hostMap := make(map[string]struct{})
+	for _, addr := range sb.keys {
+		if addr.Host == "" {
+			continue
+		}
+		if addr.Scheme != "http" && addr.Port != httpPort {
+			hostMap[addr.Host] = struct{}{}
+		}
+	}
+
+	// convert map to slice
+	sblockHosts := make([]string, 0, len(hostMap))
+	for host := range hostMap {
+		sblockHosts = append(sblockHosts, host)
+	}
+
+	return sblockHosts
+}
+
 // hasHostCatchAllKey returns true if sb has a key that
 // omits a host portion, i.e. it "catches all" hosts.
 func (sb serverBlock) hasHostCatchAllKey() bool {
diff --git a/caddyconfig/httpcaddyfile/tlsapp.go b/caddyconfig/httpcaddyfile/tlsapp.go
index b7a8f02..1bfddda 100644
--- a/caddyconfig/httpcaddyfile/tlsapp.go
+++ b/caddyconfig/httpcaddyfile/tlsapp.go
@@ -189,7 +189,7 @@ func (st ServerType) buildTLSApp(
 			}
 
 			// associate our new automation policy with this server block's hosts
-			ap.Subjects = sblockHosts
+			ap.Subjects = sblock.hostsFromKeysNotHTTP(httpPort)
 			sort.Strings(ap.Subjects) // solely for deterministic test results
 
 			// if a combination of public and internal names were given
diff --git a/caddytest/integration/caddyfile_adapt/tls_automation_policies_7.txt b/caddytest/integration/caddyfile_adapt/tls_automation_policies_7.txt
new file mode 100644
index 0000000..4b17bf3
--- /dev/null
+++ b/caddytest/integration/caddyfile_adapt/tls_automation_policies_7.txt
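Review bot: The new hostsFromKeysNotHTTP has no doc comment, and its contract (what it drops, and that the result order is unspecified) is exactly what the caller in tlsapp.go relies on; I would add `// hostsFromKeysNotHTTP returns the unique hosts from sb's keys, omitting keys served over plain HTTP (scheme "http" or port httpPort) so they are not offered as TLS automation subjects. Order is unspecified; sort if determinism matters.` The filter excludes a key on scheme or port alone, so a key such as `https://example.com:80` (explicit https on the HTTP port) is also dropped from the subjects even though it is served over TLS; if address parsing already rejects that combination this is fine, otherwise the port test should only apply to scheme-less keys, i.e. `if addr.Scheme != "http" && !(addr.Scheme == "" && addr.Port == httpPort) {`. The dedupe-into-map-then-slice loop duplicates hostsFromKeys just above; sharing one loop with a filter callback would keep the two from drifting.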
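Review bot: ap.Subjects can now be empty whenever every key of the block is an HTTP socket or hostless, and nothing in this hunk guards that case; if a subject-less automation policy is treated as a catch-all (as I believe the tls app does), an `http://` block that also carries tls options such as a custom issuer would silently become the policy for every name the server manages, so confirm how the surrounding code handles it and skip the policy when the list is empty, e.g. `if len(ap.Subjects) == 0 { continue }` placed before the policy is appended. sblockHosts, computed earlier from hostsFromKeys, is presumably still consumed by the public/internal-name split that follows this hunk, so that logic and ap.Subjects can now disagree about which hosts belong to the block; deriving both from the same filtered list avoids the mismatch. buildTLSApp starts and ends outside the hunk.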
@@ -0,0 +1,68 @@
+# (this Caddyfile is contrived, but based on issues #4176 and #4198)
+
+http://example.com {
+}
+
+https://example.com {
+	tls internal
+}
+
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"example.com"
+									]
+								}
+							],
+							"terminal": true
+						}
+					]
+				},
+				"srv1": {
+					"listen": [
+						":80"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"example.com"
+									]
+								}
+							],
+							"terminal": true
+						}
+					]
+				}
+			}
+		},
+		"tls": {
+			"automation": {
+				"policies": [
+					{
+						"subjects": [
+							"example.com"
+						],
+						"issuers": [
+							{
+								"module": "internal"
+							}
+						]
+					}
+				]
+			}
+		}
+	}
+}
\ No newline at end of file |