author | Francis Lavoie <lavofr@gmail.com> | 2023-02-22 13:41:01 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-02-22 11:41:01 -0700 |
commit | be53e432fcac0a9b9accbc36885304639e8ca70b (patch) | |
tree | d7dbf7e9492e6e4a6e80876c346b85b2041a262e | |
parent | 79de6df93d0404790c3bfecfefa9e1458ffcff75 (diff) |
caddytls: Relax the warning for on-demand (#5384)
-rw-r--r-- | modules/caddytls/tls.go | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index 8051653..92004b8 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -22,6 +22,7 @@ import (
 	"log"
 	"net/http"
 	"runtime/debug"
+	"strings"
 	"sync"
 	"time"
 
@@ -259,7 +260,17 @@ func (t *TLS) Start() error {
 	if t.Automation.OnDemand == nil ||
 		(t.Automation.OnDemand.Ask == "" && t.Automation.OnDemand.RateLimit == nil) {
 		for _, ap := range t.Automation.Policies {
-			if ap.OnDemand {
+			isWildcardOrDefault := false
+			if len(ap.Subjects) == 0 {
+				isWildcardOrDefault = true
+			}
+			for _, sub := range ap.Subjects {
+				if strings.HasPrefix(sub, "*") {
+					isWildcardOrDefault = true
+					break
+				}
+			}
+			if ap.OnDemand && isWildcardOrDefault {
 				t.logger.Warn("YOUR SERVER MAY BE VULNERABLE TO ABUSE: on-demand TLS is enabled, but no protections are in place",
 					zap.String("docs", "https://caddyserver.com/docs/automatic-https#on-demand-tls"))
 				break
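Review bot: The new `isWildcardOrDefault` block in the second hunk carries no comment explaining why an empty subject list or a `*`-prefixed subject is what still earns the abuse warning, and that rationale is exactly what the next maintainer tuning this check will need; a comment above `isWildcardOrDefault := false` such as `// Only warn when the policy is not pinned to specific names (no subjects, or a wildcard), since that is when on-demand issuance without ask/rate-limit can be triggered for names the operator did not intend.` would carry it. That an empty `ap.Subjects` acts as a catch-all policy is inferred from the condition, not shown in the hunk, so confirm it against the policy-matching code before wording the comment. The subject scan also runs for every policy before `ap.OnDemand` is consulted; a guard `if !ap.OnDemand { continue }` at the top of the loop body would skip it for policies that do not use on-demand and reduce the final condition to `if isWildcardOrDefault {`. The body of `Start` continues outside the hunk.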