diff options
author | Matthew Holt <mholt@users.noreply.github.com> | 2019-12-28 23:56:08 -0700 |
---|---|---|
committer | Matthew Holt <mholt@users.noreply.github.com> | 2019-12-28 23:56:08 -0700 |
commit | 2b33d9a5e5d1bd12d27bea2cfe8341fd1e5703b2 (patch) | |
tree | 8dbf34223bc9a89783ab953459df7a6f2591339c | |
parent | 5c8b502964457646ada348c6bc8ba7180771b7ca (diff) |
http: Enable TLS for servers listening only on HTTPS port
It seems silly to have to add a single, empty TLS connection policy to
a server to enable TLS when it's only listening on the HTTPS port. We
now do this for the user as part of automatic HTTPS (thus, it can be
disabled / overridden).
See https://caddy.community/t/v2-catch-all-server-with-automatic-tls/6692/2?u=matt
-rw-r--r-- | modules/caddyhttp/caddyhttp.go | 12 | ||||
-rw-r--r-- | modules/caddytls/connpolicy.go | 1 |
2 files changed, 13 insertions, 0 deletions
diff --git a/modules/caddyhttp/caddyhttp.go b/modules/caddyhttp/caddyhttp.go index 756a6c3..d3be288 100644 --- a/modules/caddyhttp/caddyhttp.go +++ b/modules/caddyhttp/caddyhttp.go @@ -326,6 +326,18 @@ func (app *App) automaticHTTPS() error { continue } + // if all listeners are on the HTTPS port, make sure + // there is at least one TLS connection policy; it + // should be obvious that they want to use TLS without + // needing to specify one empty policy to enable it + if !srv.listenersUseAnyPortOtherThan(app.httpsPort()) && len(srv.TLSConnPolicies) == 0 { + app.logger.Info("server is only listening on the HTTPS port but has no TLS connection policies; adding one to enable TLS", + zap.String("server_name", srvName), + zap.Int("https_port", app.httpsPort()), + ) + srv.TLSConnPolicies = append(srv.TLSConnPolicies, new(caddytls.ConnectionPolicy)) + } + // find all qualifying domain names, de-duplicated domainSet := make(map[string]struct{}) for routeIdx, route := range srv.Routes { diff --git a/modules/caddytls/connpolicy.go b/modules/caddytls/connpolicy.go index 6ce6b9e..658adb9 100644 --- a/modules/caddytls/connpolicy.go +++ b/modules/caddytls/connpolicy.go @@ -106,6 +106,7 @@ func (cp ConnectionPolicies) TLSConfig(ctx caddy.Context) (*tls.Config, error) { } // ConnectionPolicy specifies the logic for handling a TLS handshake. +// An empty policy is valid; safe and sensible defaults will be used. type ConnectionPolicy struct { // How to match this policy with a TLS ClientHello. If // this policy is the first to match, it will be used. |