authorMatthew Holt <mholt@users.noreply.github.com>2019-12-13 16:32:27 -0700
committerMatthew Holt <mholt@users.noreply.github.com>2019-12-13 16:32:27 -0700
commit6ea121ddf8c5be6de892971782d6f0fe2938ebbf (patch)
tree055f6f78c8e779787e365fadd7f6cf05ff01defb
parent8005b7ab73c264ee3c1d7b10c39bc5565ef57c02 (diff)
tls: Ensure conn policy is created when providing certs in Caddyfile
Fixes #2929
-rw-r--r--caddyconfig/httpcaddyfile/builtins.go39
-rw-r--r--caddyconfig/httpcaddyfile/httptype.go21
2 files changed, 44 insertions, 16 deletions
diff --git a/caddyconfig/httpcaddyfile/builtins.go b/caddyconfig/httpcaddyfile/builtins.go
index e92aa9d..b523d95 100644
--- a/caddyconfig/httpcaddyfile/builtins.go
+++ b/caddyconfig/httpcaddyfile/builtins.go
@@ -81,7 +81,7 @@ func parseRoot(h Helper) ([]ConfigValue, error) {
func parseTLS(h Helper) ([]ConfigValue, error) {
var configVals []ConfigValue
- cp := new(caddytls.ConnectionPolicy)
+ var cp *caddytls.ConnectionPolicy
var fileLoader caddytls.FileLoader
var folderLoader caddytls.FolderLoader
var mgr caddytls.ACMEManagerMaker
@@ -131,12 +131,18 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
if _, ok := caddytls.SupportedProtocols[args[0]]; !ok {
return nil, h.Errf("Wrong protocol name or protocol not supported: '%s'", args[0])
}
+ if cp == nil {
+ cp = new(caddytls.ConnectionPolicy)
+ }
cp.ProtocolMin = args[0]
}
if len(args) > 1 {
if _, ok := caddytls.SupportedProtocols[args[1]]; !ok {
return nil, h.Errf("Wrong protocol name or protocol not supported: '%s'", args[1])
}
+ if cp == nil {
+ cp = new(caddytls.ConnectionPolicy)
+ }
cp.ProtocolMax = args[1]
}
case "ciphers":
@@ -144,6 +150,9 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
if _, ok := caddytls.SupportedCipherSuites[h.Val()]; !ok {
return nil, h.Errf("Wrong cipher suite name or cipher suite not supported: '%s'", h.Val())
}
+ if cp == nil {
+ cp = new(caddytls.ConnectionPolicy)
+ }
cp.CipherSuites = append(cp.CipherSuites, h.Val())
}
case "curves":
@@ -151,6 +160,9 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
if _, ok := caddytls.SupportedCurves[h.Val()]; !ok {
return nil, h.Errf("Wrong curve name or curve not supported: '%s'", h.Val())
}
+ if cp == nil {
+ cp = new(caddytls.ConnectionPolicy)
+ }
cp.Curves = append(cp.Curves, h.Val())
}
case "alpn":
@@ -158,6 +170,9 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
if len(args) == 0 {
return nil, h.ArgErr()
}
+ if cp == nil {
+ cp = new(caddytls.ConnectionPolicy)
+ }
cp.ALPN = args
// certificate folder loader
@@ -183,24 +198,34 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
}
}
- // connection policy
- configVals = append(configVals, ConfigValue{
- Class: "tls.connection_policy",
- Value: cp,
- })
-
// certificate loaders
if len(fileLoader) > 0 {
configVals = append(configVals, ConfigValue{
Class: "tls.certificate_loader",
Value: fileLoader,
})
+ // ensure server uses HTTPS by setting non-nil conn policy
+ if cp == nil {
+ cp = new(caddytls.ConnectionPolicy)
+ }
}
if len(folderLoader) > 0 {
configVals = append(configVals, ConfigValue{
Class: "tls.certificate_loader",
Value: folderLoader,
})
+ // ensure server uses HTTPS by setting non-nil conn policy
+ if cp == nil {
+ cp = new(caddytls.ConnectionPolicy)
+ }
+ }
+
+ // connection policy
+ if cp != nil {
+ configVals = append(configVals, ConfigValue{
+ Class: "tls.connection_policy",
+ Value: cp,
+ })
}
// automation policy
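Review bot: The lazy-init guard `if cp == nil { cp = new(caddytls.ConnectionPolicy) }` is now repeated at six sites in parseTLS (protocol min and max, ciphers, curves, alpn, and both certificate-loader branches), which makes it easy to miss one when a new subdirective is added. A closure declared right after `var cp *caddytls.ConnectionPolicy`, `ensureCP := func() { if cp == nil { cp = new(caddytls.ConnectionPolicy) } }`, lets every site collapse to `ensureCP()` and keeps the "a policy exists iff something configured TLS" invariant in one place. The behavioural consequence also deserves a sentence in parseTLS's doc comment: a `tls` block that sets only ACME-related options now emits no `tls.connection_policy` value at all, which appears intended (the automation policy is built separately) but is not obvious from the code, e.g. `// A connection policy is emitted only when a policy field is set or certificates are loaded explicitly; the latter forces HTTPS for the site.` parseTLS's body continues outside the hunks shown.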
diff --git a/caddyconfig/httpcaddyfile/httptype.go b/caddyconfig/httpcaddyfile/httptype.go
index 2b2855d..d8fde46 100644
--- a/caddyconfig/httpcaddyfile/httptype.go
+++ b/caddyconfig/httpcaddyfile/httptype.go
@@ -275,6 +275,9 @@ func (st *ServerType) hostsFromServerBlockKeys(sb caddyfile.ServerBlock) ([]stri
return nil, fmt.Errorf("parsing server block key: %v", err)
}
addr = addr.Normalize()
+ if addr.Host == "" {
+ continue
+ }
hostMap[addr.Host] = struct{}{}
}
@@ -328,20 +331,20 @@ func (st *ServerType) serversFromPairings(
// tls connection policies
for _, cpVal := range cpVals {
cp := cpVal.Value.(*caddytls.ConnectionPolicy)
- // only create if there is a non-empty policy
- if !reflect.DeepEqual(cp, new(caddytls.ConnectionPolicy)) {
- // make sure the policy covers all hostnames from the block
- hosts, err := st.hostsFromServerBlockKeys(sblock.block)
- if err != nil {
- return nil, err
- }
- // TODO: are matchers needed if every hostname of the config is matched?
+ // make sure the policy covers all hostnames from the block
+ hosts, err := st.hostsFromServerBlockKeys(sblock.block)
+ if err != nil {
+ return nil, err
+ }
+
+ // TODO: are matchers needed if every hostname of the config is matched?
+ if len(hosts) > 0 {
cp.MatchersRaw = caddy.ModuleMap{
"sni": caddyconfig.JSON(hosts, warnings), // make sure to match all hosts, not just auto-HTTPS-qualified ones
}
- srv.TLSConnPolicies = append(srv.TLSConnPolicies, cp)
}
+ srv.TLSConnPolicies = append(srv.TLSConnPolicies, cp)
}
// TODO: consolidate equal conn policies
}
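Review bot: With the new `if len(hosts) > 0` guard in serversFromPairings, a policy coming from a block whose keys carry no hostname (now skipped by the `addr.Host == ""` check in hostsFromServerBlockKeys) is appended with MatchersRaw unset, so it applies to every ClientHello on that server rather than to one block's connections; that looks intended for keys such as a bare port, but the trade-off should be stated next to the guard, e.g. `// no hostnames in the keys: leave matchers unset so the policy applies to all connections on this server`. Because the `reflect.DeepEqual` call is gone and no import hunk is shown, confirm that `reflect` is still referenced elsewhere in httptype.go, otherwise the file no longer compiles. The `st.hostsFromServerBlockKeys(sblock.block)` call also sits inside the `for _, cpVal := range cpVals` loop and recomputes the same host list for each policy; hoisting it above the loop avoids the repeated parsing. serversFromPairings starts outside the hunk.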