authorYannick Ihmels <yannick@ihmels.org>2023-01-06 20:44:00 +0100
committerGitHub <noreply@github.com>2023-01-06 14:44:00 -0500
commit55035d327a2dbd32887db0b1dcbc25dba590798f (patch)
treeaa34b1c900009e6ae361e4d88d2ab7555618b578
parent4e9ad50f6503a347e85b7030afa616a83f145394 (diff)
caddytls: Add `dns_ttl` config, improve Caddyfile `tls` options (#5287)
-rw-r--r--caddyconfig/httpcaddyfile/builtins.go94
-rw-r--r--caddytest/integration/caddyfile_adapt/tls_dns_ttl.txt70
-rw-r--r--modules/caddytls/acmeissuer.go18
3 files changed, 173 insertions, 9 deletions
diff --git a/caddyconfig/httpcaddyfile/builtins.go b/caddyconfig/httpcaddyfile/builtins.go
index f4c9ce0..3f1943c 100644
--- a/caddyconfig/httpcaddyfile/builtins.go
+++ b/caddyconfig/httpcaddyfile/builtins.go
@@ -24,6 +24,7 @@ import (
"reflect"
"strconv"
"strings"
+ "time"
"github.com/caddyserver/caddy/v2"
"github.com/caddyserver/caddy/v2/caddyconfig"
@@ -75,16 +76,22 @@ func parseBind(h Helper) ([]ConfigValue, error) {
// trusted_leaf_cert <base64_der>
// trusted_leaf_cert_file <filename>
// }
-// alpn <values...>
-// load <paths...>
-// ca <acme_ca_endpoint>
-// ca_root <pem_file>
-// dns <provider_name> [...]
+// alpn <values...>
+// load <paths...>
+// ca <acme_ca_endpoint>
+// ca_root <pem_file>
+// key_type [ed25519|p256|p384|rsa2048|rsa4096]
+// dns <provider_name> [...]
+// propagation_delay <duration>
+// propagation_timeout <duration>
+// resolvers <dns_servers...>
+// dns_ttl <duration>
+// dns_challenge_override_domain <domain>
// on_demand
-// eab <key_id> <mac_key>
-// issuer <module_name> [...]
-// get_certificate <module_name> [...]
-// insecure_secrets_log <log_file>
+// eab <key_id> <mac_key>
+// issuer <module_name> [...]
+// get_certificate <module_name> [...]
+// insecure_secrets_log <log_file>
// }
func parseTLS(h Helper) ([]ConfigValue, error) {
cp := new(caddytls.ConnectionPolicy)
@@ -363,6 +370,75 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
}
acmeIssuer.Challenges.DNS.Resolvers = args
+ case "propagation_delay":
+ arg := h.RemainingArgs()
+ if len(arg) != 1 {
+ return nil, h.ArgErr()
+ }
+ delayStr := arg[0]
+ delay, err := caddy.ParseDuration(delayStr)
+ if err != nil {
+ return nil, h.Errf("invalid propagation_delay duration %s: %v", delayStr, err)
+ }
+ if acmeIssuer == nil {
+ acmeIssuer = new(caddytls.ACMEIssuer)
+ }
+ if acmeIssuer.Challenges == nil {
+ acmeIssuer.Challenges = new(caddytls.ChallengesConfig)
+ }
+ if acmeIssuer.Challenges.DNS == nil {
+ acmeIssuer.Challenges.DNS = new(caddytls.DNSChallengeConfig)
+ }
+ acmeIssuer.Challenges.DNS.PropagationDelay = caddy.Duration(delay)
+
+ case "propagation_timeout":
+ arg := h.RemainingArgs()
+ if len(arg) != 1 {
+ return nil, h.ArgErr()
+ }
+ timeoutStr := arg[0]
+ var timeout time.Duration
+ if timeoutStr == "-1" {
+ timeout = time.Duration(-1)
+ } else {
+ var err error
+ timeout, err = caddy.ParseDuration(timeoutStr)
+ if err != nil {
+ return nil, h.Errf("invalid propagation_timeout duration %s: %v", timeoutStr, err)
+ }
+ }
+ if acmeIssuer == nil {
+ acmeIssuer = new(caddytls.ACMEIssuer)
+ }
+ if acmeIssuer.Challenges == nil {
+ acmeIssuer.Challenges = new(caddytls.ChallengesConfig)
+ }
+ if acmeIssuer.Challenges.DNS == nil {
+ acmeIssuer.Challenges.DNS = new(caddytls.DNSChallengeConfig)
+ }
+ acmeIssuer.Challenges.DNS.PropagationTimeout = caddy.Duration(timeout)
+
+ case "dns_ttl":
+ arg := h.RemainingArgs()
+ if len(arg) != 1 {
+ return nil, h.ArgErr()
+ }
+ ttlStr := arg[0]
+ ttl, err := caddy.ParseDuration(ttlStr)
+ if err != nil {
+ return nil, h.Errf("invalid dns_ttl duration %s: %v", ttlStr, err)
+ }
+ if acmeIssuer == nil {
+ acmeIssuer = new(caddytls.ACMEIssuer)
+ }
+ if acmeIssuer.Challenges == nil {
+ acmeIssuer.Challenges = new(caddytls.ChallengesConfig)
+ }
+ if acmeIssuer.Challenges.DNS == nil {
+ acmeIssuer.Challenges.DNS = new(caddytls.DNSChallengeConfig)
+ }
+ acmeIssuer.Challenges.DNS.TTL = caddy.Duration(ttl)
+
case "dns_challenge_override_domain":
arg := h.RemainingArgs()
if len(arg) != 1 {
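Review bot: The new `propagation_delay` and `dns_ttl` cases store whatever duration `caddy.ParseDuration` returns without a sign check, so if it follows time.ParseDuration's handling of a leading `-`, a value like `dns_ttl -5m` is accepted at adapt time and only misbehaves later at challenge time; the `propagation_timeout` case shows the only negative value given a meaning here is its explicit `-1`. A guard after each parse, `if ttl < 0 { return nil, h.Errf("dns_ttl must not be negative: %s", ttlStr) }` (and the same for `delay`), would reject it where the config is read. The three cases also repeat the identical nil-init chain for `acmeIssuer`, `Challenges` and `DNS`; folding that into one small helper would leave each case as parse, validate, assign. parseTLS starts and ends outside this hunk.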
diff --git a/caddytest/integration/caddyfile_adapt/tls_dns_ttl.txt b/caddytest/integration/caddyfile_adapt/tls_dns_ttl.txt
new file mode 100644
index 0000000..b1b2941
--- /dev/null
+++ b/caddytest/integration/caddyfile_adapt/tls_dns_ttl.txt
@@ -0,0 +1,70 @@
+localhost
+
+respond "hello from localhost"
+tls {
+ issuer acme {
+ dns_ttl 5m10s
+ }
+}
+----------
+{
+ "apps": {
+ "http": {
+ "servers": {
+ "srv0": {
+ "listen": [
+ ":443"
+ ],
+ "routes": [
+ {
+ "match": [
+ {
+ "host": [
+ "localhost"
+ ]
+ }
+ ],
+ "handle": [
+ {
+ "handler": "subroute",
+ "routes": [
+ {
+ "handle": [
+ {
+ "body": "hello from localhost",
+ "handler": "static_response"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "terminal": true
+ }
+ ]
+ }
+ }
+ },
+ "tls": {
+ "automation": {
+ "policies": [
+ {
+ "subjects": [
+ "localhost"
+ ],
+ "issuers": [
+ {
+ "challenges": {
+ "dns": {
+ "ttl": 310000000000
+ }
+ },
+ "module": "acme"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ }
+} \ No newline at end of file
diff --git a/modules/caddytls/acmeissuer.go b/modules/caddytls/acmeissuer.go
index 2f752ed..12e300e 100644
--- a/modules/caddytls/acmeissuer.go
+++ b/modules/caddytls/acmeissuer.go
@@ -266,6 +266,7 @@ func (iss *ACMEIssuer) GetACMEIssuer() *ACMEIssuer { return iss }
// propagation_delay <duration>
// propagation_timeout <duration>
// resolvers <dns_servers...>
+// dns_ttl <duration>
// dns_challenge_override_domain <domain>
// preferred_chains [smallest] {
// root_common_name <common_names...>
@@ -445,6 +446,23 @@ func (iss *ACMEIssuer) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
return d.ArgErr()
}
+ case "dns_ttl":
+ if !d.NextArg() {
+ return d.ArgErr()
+ }
+ ttlStr := d.Val()
+ ttl, err := caddy.ParseDuration(ttlStr)
+ if err != nil {
+ return d.Errf("invalid dns_ttl duration %s: %v", ttlStr, err)
+ }
+ if iss.Challenges == nil {
+ iss.Challenges = new(ChallengesConfig)
+ }
+ if iss.Challenges.DNS == nil {
+ iss.Challenges.DNS = new(DNSChallengeConfig)
+ }
+ iss.Challenges.DNS.TTL = caddy.Duration(ttl)
+
case "dns_challenge_override_domain":
arg := d.RemainingArgs()
if len(arg) != 1 {
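Review bot: The new `dns_ttl` case reads its value with `d.NextArg()` while the neighbouring `dns_challenge_override_domain` case (and the builtins.go counterpart in this same commit) uses `d.RemainingArgs()` with a `len(arg) != 1` check, so a stray second token on the `dns_ttl` line is not reported as an argument error here; presumably it is picked up by the next loop iteration and surfaces, if at all, as an unrecognized subdirective. Matching the sibling — `arg := d.RemainingArgs()`, `if len(arg) != 1 { return d.ArgErr() }`, `ttlStr := arg[0]` — keeps the error behaviour consistent. As in builtins.go, a negative duration is accepted unchecked; `if ttl < 0 { return d.Errf("dns_ttl must not be negative: %s", ttlStr) }` after the parse would reject it. UnmarshalCaddyfile starts and ends outside this hunk.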