authorĐỗ Trọng Hải <41283691+hainenber@users.noreply.github.com>2023-10-11 04:46:39 +0700
committerGitHub <noreply@github.com>2023-10-10 21:46:39 +0000
commitdf9950297793fbe3930cd3151b6f1a3cea893a38 (patch)
tree94c887fec0c54d8d44858a23fafab89d77743bd3
parente0aaefab80d75293783a5551b094cf57b49da8d5 (diff)
httpcaddyfile: Enable TLS for catch-all site if `tls` directive is specified (#5808)
-rw-r--r--caddyconfig/httpcaddyfile/httptype.go12
-rw-r--r--caddytest/integration/caddyfile_adapt/enable_tls_for_catch_all_site.txt37
2 files changed, 48 insertions, 1 deletions
diff --git a/caddyconfig/httpcaddyfile/httptype.go b/caddyconfig/httpcaddyfile/httptype.go
index 78fb7f0..79442c8 100644
--- a/caddyconfig/httpcaddyfile/httptype.go
+++ b/caddyconfig/httpcaddyfile/httptype.go
@@ -716,10 +716,20 @@ func (st *ServerType) serversFromPairings(
}
}
+ // If TLS is specified as directive, it will also result in 1 or more connection policy being created
+ // Thus, catch-all address with non-standard port, e.g. :8443, can have TLS enabled without
+ // specifying prefix "https://"
+ // Second part of the condition is to allow creating TLS conn policy even though `auto_https` has been disabled
+ // ensuring compatibility with behavior described in below link
+ // https://caddy.community/t/making-sense-of-auto-https-and-why-disabling-it-still-serves-https-instead-of-http/9761
+ createdTLSConnPolicies, ok := sblock.pile["tls.connection_policy"]
+ hasTLSEnabled := (ok && len(createdTLSConnPolicies) > 0) ||
+ (addr.Host != "" && srv.AutoHTTPS != nil && !sliceContains(srv.AutoHTTPS.Skip, addr.Host))
+
// we'll need to remember if the address qualifies for auto-HTTPS, so we
// can add a TLS conn policy if necessary
if addr.Scheme == "https" ||
- (addr.Scheme != "http" && addr.Host != "" && addr.Port != httpPort) {
+ (addr.Scheme != "http" && addr.Port != httpPort && hasTLSEnabled) {
addressQualifiesForTLS = true
}
// predict whether auto-HTTPS will add the conn policy for us; if so, we
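Review bot: The second arm of `hasTLSEnabled` requires `srv.AutoHTTPS != nil`, a condition the replaced line never had, so if `srv.AutoHTTPS` can still be nil at this point a host address on a non-HTTP port that previously qualified for a TLS connection policy would now be served without one; it is worth confirming that `srv.AutoHTTPS` is always initialized before this loop, since the outcome decides whether the listener gets TLS at all. The `ok &&` guard is redundant because indexing a missing key yields a zero-length slice, so the lookup can be folded into the condition: `hasTLSEnabled := len(sblock.pile["tls.connection_policy"]) > 0 ||` followed by the existing second line. The pile lookup does not depend on `addr`, so if this sits inside the per-address loop it could be hoisted above it. The comment block would read better as "If a `tls` directive is present it produces one or more connection policies, so a catch-all address on a non-standard port (e.g. :8443) gets TLS without an explicit https:// prefix; the second clause keeps creating the policy when auto_https is disabled, see <link>". serversFromPairings continues outside this hunk on both sides.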
diff --git a/caddytest/integration/caddyfile_adapt/enable_tls_for_catch_all_site.txt b/caddytest/integration/caddyfile_adapt/enable_tls_for_catch_all_site.txt
new file mode 100644
index 0000000..b37b40c
--- /dev/null
+++ b/caddytest/integration/caddyfile_adapt/enable_tls_for_catch_all_site.txt
@@ -0,0 +1,37 @@
+:8443 {
+ tls internal {
+ on_demand
+ }
+}
+----------
+{
+ "apps": {
+ "http": {
+ "servers": {
+ "srv0": {
+ "listen": [
+ ":8443"
+ ],
+ "tls_connection_policies": [
+ {}
+ ]
+ }
+ }
+ },
+ "tls": {
+ "automation": {
+ "policies": [
+ {
+ "issuers": [
+ {
+ "module": "internal"
+ }
+ ],
+ "on_demand": true
+ }
+ ]
+ }
+ }
+ }
+}
+