summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMatthew Holt <mholt@users.noreply.github.com>2020-03-15 21:28:42 -0600
committerMatthew Holt <mholt@users.noreply.github.com>2020-03-15 21:28:42 -0600
commite42514ad4af007799374aeb6eeea3bd884aac55b (patch)
tree284936269228ba5800008f9bec85927e23035f75
parentf596fd77bb6880485d2bfc6b18a775b5572da260 (diff)
caddyhttp: Clean up; move some code around
-rw-r--r--modules/caddyhttp/app.go433
-rw-r--r--modules/caddyhttp/caddyhttp.go412
2 files changed, 436 insertions, 409 deletions
diff --git a/modules/caddyhttp/app.go b/modules/caddyhttp/app.go
new file mode 100644
index 0000000..97290f4
--- /dev/null
+++ b/modules/caddyhttp/app.go
@@ -0,0 +1,433 @@
+// Copyright 2015 Matthew Holt and The Caddy Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package caddyhttp
+
+import (
+ "context"
+ "crypto/tls"
+ "fmt"
+ "net"
+ "net/http"
+ "strconv"
+ "time"
+
+ "github.com/caddyserver/caddy/v2"
+ "github.com/caddyserver/caddy/v2/modules/caddytls"
+ "github.com/lucas-clemente/quic-go/http3"
+ "go.uber.org/zap"
+)
+
+func init() {
+ err := caddy.RegisterModule(App{})
+ if err != nil {
+ caddy.Log().Fatal(err.Error())
+ }
+}
+
+// App is a robust, production-ready HTTP server.
+//
+// HTTPS is enabled by default if host matchers with qualifying names are used
+// in any of routes; certificates are automatically provisioned and renewed.
+// Additionally, automatic HTTPS will also enable HTTPS for servers that listen
+// only on the HTTPS port but which do not have any TLS connection policies
+// defined by adding a good, default TLS connection policy.
+//
+// In HTTP routes, additional placeholders are available (replace any `*`):
+//
+// Placeholder | Description
+// ------------|---------------
+// `{http.request.cookie.*}` | HTTP request cookie
+// `{http.request.header.*}` | Specific request header field
+// `{http.request.host.labels.*}` | Request host labels (0-based from right); e.g. for foo.example.com: 0=com, 1=example, 2=foo
+// `{http.request.host}` | The host part of the request's Host header
+// `{http.request.hostport}` | The host and port from the request's Host header
+// `{http.request.method}` | The request method
+// `{http.request.orig_method}` | The request's original method
+// `{http.request.orig_uri.path.dir}` | The request's original directory
+// `{http.request.orig_uri.path.file}` | The request's original filename
+// `{http.request.orig_uri.path}` | The request's original path
+// `{http.request.orig_uri.query}` | The request's original query string (without `?`)
+// `{http.request.orig_uri}` | The request's original URI
+// `{http.request.port}` | The port part of the request's Host header
+// `{http.request.proto}` | The protocol of the request
+// `{http.request.remote.host}` | The host part of the remote client's address
+// `{http.request.remote.port}` | The port part of the remote client's address
+// `{http.request.remote}` | The address of the remote client
+// `{http.request.scheme}` | The request scheme
+// `{http.request.tls.version}` | The TLS version name
+// `{http.request.tls.cipher_suite}` | The TLS cipher suite
+// `{http.request.tls.resumed}` | The TLS connection resumed a previous connection
+// `{http.request.tls.proto}` | The negotiated next protocol
+// `{http.request.tls.proto_mutual}` | The negotiated next protocol was advertised by the server
+// `{http.request.tls.server_name}` | The server name requested by the client, if any
+// `{http.request.tls.client.fingerprint}` | The SHA256 checksum of the client certificate
+// `{http.request.tls.client.issuer}` | The issuer DN of the client certificate
+// `{http.request.tls.client.serial}` | The serial number of the client certificate
+// `{http.request.tls.client.subject}` | The subject DN of the client certificate
+// `{http.request.uri.path.*}` | Parts of the path, split by `/` (0-based from left)
+// `{http.request.uri.path.dir}` | The directory, excluding leaf filename
+// `{http.request.uri.path.file}` | The filename of the path, excluding directory
+// `{http.request.uri.path}` | The path component of the request URI
+// `{http.request.uri.query.*}` | Individual query string value
+// `{http.request.uri.query}` | The query string (without `?`)
+// `{http.request.uri}` | The full request URI
+// `{http.response.header.*}` | Specific response header field
+// `{http.vars.*}` | Custom variables in the HTTP handler chain
+type App struct {
+ // HTTPPort specifies the port to use for HTTP (as opposed to HTTPS),
+ // which is used when setting up HTTP->HTTPS redirects or ACME HTTP
+ // challenge solvers. Default: 80.
+ HTTPPort int `json:"http_port,omitempty"`
+
+ // HTTPSPort specifies the port to use for HTTPS, which is used when
+ // solving the ACME TLS-ALPN challenges, or whenever HTTPS is needed
+ // but no specific port number is given. Default: 443.
+ HTTPSPort int `json:"https_port,omitempty"`
+
+ // GracePeriod is how long to wait for active connections when shutting
+ // down the server. Once the grace period is over, connections will
+ // be forcefully closed.
+ GracePeriod caddy.Duration `json:"grace_period,omitempty"`
+
+ // Servers is the list of servers, keyed by arbitrary names chosen
+ // at your discretion for your own convenience; the keys do not
+ // affect functionality.
+ Servers map[string]*Server `json:"servers,omitempty"`
+
+ servers []*http.Server
+ h3servers []*http3.Server
+ h3listeners []net.PacketConn
+
+ ctx caddy.Context
+ logger *zap.Logger
+ tlsApp *caddytls.TLS
+
+ // used temporarily between phases 1 and 2 of auto HTTPS
+ allCertDomains []string
+}
+
+// CaddyModule returns the Caddy module information.
+func (App) CaddyModule() caddy.ModuleInfo {
+ return caddy.ModuleInfo{
+ ID: "http",
+ New: func() caddy.Module { return new(App) },
+ }
+}
+
+// Provision sets up the app.
+func (app *App) Provision(ctx caddy.Context) error {
+ // store some references
+ tlsAppIface, err := ctx.App("tls")
+ if err != nil {
+ return fmt.Errorf("getting tls app: %v", err)
+ }
+ app.tlsApp = tlsAppIface.(*caddytls.TLS)
+ app.ctx = ctx
+ app.logger = ctx.Logger(app)
+
+ repl := caddy.NewReplacer()
+
+ // this provisions the matchers for each route,
+ // and prepares auto HTTP->HTTPS redirects, and
+ // is required before we provision each server
+ err = app.automaticHTTPSPhase1(ctx, repl)
+ if err != nil {
+ return err
+ }
+
+ // prepare each server
+ for srvName, srv := range app.Servers {
+ srv.tlsApp = app.tlsApp
+ srv.logger = app.logger.Named("log")
+ srv.errorLogger = app.logger.Named("log.error")
+
+ // only enable access logs if configured
+ if srv.Logs != nil {
+ srv.accessLogger = app.logger.Named("log.access")
+ }
+
+ // if not explicitly configured by the user, disallow TLS
+ // client auth bypass (domain fronting) which could
+ // otherwise be exploited by sending an unprotected SNI
+ // value during a TLS handshake, then putting a protected
+ // domain in the Host header after establishing connection;
+ // this is a safe default, but we allow users to override
+ // it for example in the case of running a proxy where
+ // domain fronting is desired and access is not restricted
+ // based on hostname
+ if srv.StrictSNIHost == nil && srv.hasTLSClientAuth() {
+ app.logger.Info("enabling strict SNI-Host matching because TLS client auth is configured",
+ zap.String("server_name", srvName),
+ )
+ trueBool := true
+ srv.StrictSNIHost = &trueBool
+ }
+
+ // process each listener address
+ for i := range srv.Listen {
+ lnOut, err := repl.ReplaceOrErr(srv.Listen[i], true, true)
+ if err != nil {
+ return fmt.Errorf("server %s, listener %d: %v",
+ srvName, i, err)
+ }
+ srv.Listen[i] = lnOut
+ }
+
+ // set up each listener modifier
+ if srv.ListenerWrappersRaw != nil {
+ vals, err := ctx.LoadModule(srv, "ListenerWrappersRaw")
+ if err != nil {
+ return fmt.Errorf("loading listener wrapper modules: %v", err)
+ }
+ var hasTLSPlaceholder bool
+ for i, val := range vals.([]interface{}) {
+ if _, ok := val.(*tlsPlaceholderWrapper); ok {
+ if i == 0 {
+ // putting the tls placeholder wrapper first is nonsensical because
+ // that is the default, implicit setting: without it, all wrappers
+ // will go after the TLS listener anyway
+ return fmt.Errorf("it is unnecessary to specify the TLS listener wrapper in the first position because that is the default")
+ }
+ if hasTLSPlaceholder {
+ return fmt.Errorf("TLS listener wrapper can only be specified once")
+ }
+ hasTLSPlaceholder = true
+ }
+ srv.listenerWrappers = append(srv.listenerWrappers, val.(caddy.ListenerWrapper))
+ }
+ // if any wrappers were configured but the TLS placeholder wrapper is
+ // absent, prepend it so all defined wrappers come after the TLS
+ // handshake; this simplifies logic when starting the server, since we
+ // can simply assume the TLS placeholder will always be there
+ if !hasTLSPlaceholder && len(srv.listenerWrappers) > 0 {
+ srv.listenerWrappers = append([]caddy.ListenerWrapper{new(tlsPlaceholderWrapper)}, srv.listenerWrappers...)
+ }
+ }
+
+ // pre-compile the primary handler chain, and be sure to wrap it in our
+ // route handler so that important security checks are done, etc.
+ primaryRoute := emptyHandler
+ if srv.Routes != nil {
+ err := srv.Routes.ProvisionHandlers(ctx)
+ if err != nil {
+ return fmt.Errorf("server %s: setting up route handlers: %v", srvName, err)
+ }
+ primaryRoute = srv.Routes.Compile(emptyHandler)
+ }
+ srv.primaryHandlerChain = srv.wrapPrimaryRoute(primaryRoute)
+
+ // pre-compile the error handler chain
+ if srv.Errors != nil {
+ err := srv.Errors.Routes.Provision(ctx)
+ if err != nil {
+ return fmt.Errorf("server %s: setting up server error handling routes: %v", srvName, err)
+ }
+ srv.errorHandlerChain = srv.Errors.Routes.Compile(errorEmptyHandler)
+ }
+
+ // prepare the TLS connection policies
+ err = srv.TLSConnPolicies.Provision(ctx)
+ if err != nil {
+ return fmt.Errorf("server %s: setting up TLS connection policies: %v", srvName, err)
+ }
+ }
+
+ return nil
+}
+
+// Validate ensures the app's configuration is valid.
+func (app *App) Validate() error {
+ // each server must use distinct listener addresses
+ lnAddrs := make(map[string]string)
+ for srvName, srv := range app.Servers {
+ for _, addr := range srv.Listen {
+ listenAddr, err := caddy.ParseNetworkAddress(addr)
+ if err != nil {
+ return fmt.Errorf("invalid listener address '%s': %v", addr, err)
+ }
+ // check that every address in the port range is unique to this server;
+ // we do not use <= here because PortRangeSize() adds 1 to EndPort for us
+ for i := uint(0); i < listenAddr.PortRangeSize(); i++ {
+ addr := caddy.JoinNetworkAddress(listenAddr.Network, listenAddr.Host, strconv.Itoa(int(listenAddr.StartPort+i)))
+ if sn, ok := lnAddrs[addr]; ok {
+ return fmt.Errorf("server %s: listener address repeated: %s (already claimed by server '%s')", srvName, addr, sn)
+ }
+ lnAddrs[addr] = srvName
+ }
+ }
+ }
+
+ return nil
+}
+
+// Start runs the app. It finishes automatic HTTPS if enabled,
+// including management of certificates.
+func (app *App) Start() error {
+ for srvName, srv := range app.Servers {
+ s := &http.Server{
+ ReadTimeout: time.Duration(srv.ReadTimeout),
+ ReadHeaderTimeout: time.Duration(srv.ReadHeaderTimeout),
+ WriteTimeout: time.Duration(srv.WriteTimeout),
+ IdleTimeout: time.Duration(srv.IdleTimeout),
+ MaxHeaderBytes: srv.MaxHeaderBytes,
+ Handler: srv,
+ }
+
+ for _, lnAddr := range srv.Listen {
+ listenAddr, err := caddy.ParseNetworkAddress(lnAddr)
+ if err != nil {
+ return fmt.Errorf("%s: parsing listen address '%s': %v", srvName, lnAddr, err)
+ }
+ for portOffset := uint(0); portOffset < listenAddr.PortRangeSize(); portOffset++ {
+ // create the listener for this socket
+ hostport := listenAddr.JoinHostPort(portOffset)
+ ln, err := caddy.Listen(listenAddr.Network, hostport)
+ if err != nil {
+ return fmt.Errorf("%s: listening on %s: %v", listenAddr.Network, hostport, err)
+ }
+
+ // wrap listener before TLS (up to the TLS placeholder wrapper)
+ var lnWrapperIdx int
+ for i, lnWrapper := range srv.listenerWrappers {
+ if _, ok := lnWrapper.(*tlsPlaceholderWrapper); ok {
+ lnWrapperIdx = i + 1 // mark the next wrapper's spot
+ break
+ }
+ ln = lnWrapper.WrapListener(ln)
+ }
+
+ // enable TLS if there is a policy and if this is not the HTTP port
+ useTLS := len(srv.TLSConnPolicies) > 0 && int(listenAddr.StartPort+portOffset) != app.httpPort()
+ if useTLS {
+ // create TLS listener
+ tlsCfg := srv.TLSConnPolicies.TLSConfig(app.ctx)
+ ln = tls.NewListener(ln, tlsCfg)
+
+ /////////
+ // TODO: HTTP/3 support is experimental for now
+ if srv.ExperimentalHTTP3 {
+ app.logger.Info("enabling experimental HTTP/3 listener",
+ zap.String("addr", hostport),
+ )
+ h3ln, err := caddy.ListenPacket("udp", hostport)
+ if err != nil {
+ return fmt.Errorf("getting HTTP/3 UDP listener: %v", err)
+ }
+ h3srv := &http3.Server{
+ Server: &http.Server{
+ Addr: hostport,
+ Handler: srv,
+ TLSConfig: tlsCfg,
+ },
+ }
+ go h3srv.Serve(h3ln)
+ app.h3servers = append(app.h3servers, h3srv)
+ app.h3listeners = append(app.h3listeners, h3ln)
+ srv.h3server = h3srv
+ }
+ /////////
+ }
+
+ // finish wrapping listener where we left off before TLS
+ for i := lnWrapperIdx; i < len(srv.listenerWrappers); i++ {
+ ln = srv.listenerWrappers[i].WrapListener(ln)
+ }
+
+ app.logger.Debug("starting server loop",
+ zap.String("address", lnAddr),
+ zap.Bool("http3", srv.ExperimentalHTTP3),
+ zap.Bool("tls", useTLS),
+ )
+
+ go s.Serve(ln)
+ app.servers = append(app.servers, s)
+ }
+ }
+ }
+
+ // finish automatic HTTPS by finally beginning
+ // certificate management
+ err := app.automaticHTTPSPhase2()
+ if err != nil {
+ return fmt.Errorf("finalizing automatic HTTPS: %v", err)
+ }
+
+ return nil
+}
+
+// Stop gracefully shuts down the HTTP server.
+func (app *App) Stop() error {
+ ctx := context.Background()
+ if app.GracePeriod > 0 {
+ var cancel context.CancelFunc
+ ctx, cancel = context.WithTimeout(ctx, time.Duration(app.GracePeriod))
+ defer cancel()
+ }
+ for _, s := range app.servers {
+ err := s.Shutdown(ctx)
+ if err != nil {
+ return err
+ }
+ }
+
+ // close the http3 servers; it's unclear whether the bug reported in
+ // https://github.com/caddyserver/caddy/pull/2727#issuecomment-526856566
+ // was ever truly fixed, since it seemed racey/nondeterministic; but
+ // recent tests in 2020 were unable to replicate the issue again after
+ // repeated attempts (the bug manifested after a config reload; i.e.
+ // reusing a http3 server or listener was problematic), but it seems
+ // to be working fine now
+ for _, s := range app.h3servers {
+ // TODO: CloseGracefully, once implemented upstream
+ // (see https://github.com/lucas-clemente/quic-go/issues/2103)
+ err := s.Close()
+ if err != nil {
+ return err
+ }
+ }
+
+ // closing an http3.Server does not close their underlying listeners
+ // since apparently the listener can be used both by servers and
+ // clients at the same time; so we need to manually call Close()
+ // on the underlying h3 listeners (see lucas-clemente/quic-go#2103)
+ for _, pc := range app.h3listeners {
+ err := pc.Close()
+ if err != nil {
+ return err
+ }
+ }
+ return nil
+}
+
+func (app *App) httpPort() int {
+ if app.HTTPPort == 0 {
+ return DefaultHTTPPort
+ }
+ return app.HTTPPort
+}
+
+func (app *App) httpsPort() int {
+ if app.HTTPSPort == 0 {
+ return DefaultHTTPSPort
+ }
+ return app.HTTPSPort
+}
+
+// Interface guards
+var (
+ _ caddy.App = (*App)(nil)
+ _ caddy.Provisioner = (*App)(nil)
+ _ caddy.Validator = (*App)(nil)
+)
diff --git a/modules/caddyhttp/caddyhttp.go b/modules/caddyhttp/caddyhttp.go
index 718025e..4fd09a2 100644
--- a/modules/caddyhttp/caddyhttp.go
+++ b/modules/caddyhttp/caddyhttp.go
@@ -16,10 +16,7 @@ package caddyhttp
import (
"bytes"
- "context"
- "crypto/tls"
"encoding/json"
- "fmt"
"io"
weakrand "math/rand"
"net"
@@ -28,412 +25,15 @@ import (
"time"
"github.com/caddyserver/caddy/v2"
- "github.com/caddyserver/caddy/v2/modules/caddytls"
- "github.com/lucas-clemente/quic-go/http3"
- "go.uber.org/zap"
)
func init() {
weakrand.Seed(time.Now().UnixNano())
- err := caddy.RegisterModule(App{})
+ err := caddy.RegisterModule(tlsPlaceholderWrapper{})
if err != nil {
caddy.Log().Fatal(err.Error())
}
-
- err = caddy.RegisterModule(tlsPlaceholderWrapper{})
- if err != nil {
- caddy.Log().Fatal(err.Error())
- }
-}
-
-// App is a robust, production-ready HTTP server.
-//
-// HTTPS is enabled by default if host matchers with qualifying names are used
-// in any of routes; certificates are automatically provisioned and renewed.
-// Additionally, automatic HTTPS will also enable HTTPS for servers that listen
-// only on the HTTPS port but which do not have any TLS connection policies
-// defined by adding a good, default TLS connection policy.
-//
-// In HTTP routes, additional placeholders are available (replace any `*`):
-//
-// Placeholder | Description
-// ------------|---------------
-// `{http.request.cookie.*}` | HTTP request cookie
-// `{http.request.header.*}` | Specific request header field
-// `{http.request.host.labels.*}` | Request host labels (0-based from right); e.g. for foo.example.com: 0=com, 1=example, 2=foo
-// `{http.request.host}` | The host part of the request's Host header
-// `{http.request.hostport}` | The host and port from the request's Host header
-// `{http.request.method}` | The request method
-// `{http.request.orig_method}` | The request's original method
-// `{http.request.orig_uri.path.dir}` | The request's original directory
-// `{http.request.orig_uri.path.file}` | The request's original filename
-// `{http.request.orig_uri.path}` | The request's original path
-// `{http.request.orig_uri.query}` | The request's original query string (without `?`)
-// `{http.request.orig_uri}` | The request's original URI
-// `{http.request.port}` | The port part of the request's Host header
-// `{http.request.proto}` | The protocol of the request
-// `{http.request.remote.host}` | The host part of the remote client's address
-// `{http.request.remote.port}` | The port part of the remote client's address
-// `{http.request.remote}` | The address of the remote client
-// `{http.request.scheme}` | The request scheme
-// `{http.request.tls.version}` | The TLS version name
-// `{http.request.tls.cipher_suite}` | The TLS cipher suite
-// `{http.request.tls.resumed}` | The TLS connection resumed a previous connection
-// `{http.request.tls.proto}` | The negotiated next protocol
-// `{http.request.tls.proto_mutual}` | The negotiated next protocol was advertised by the server
-// `{http.request.tls.server_name}` | The server name requested by the client, if any
-// `{http.request.tls.client.fingerprint}` | The SHA256 checksum of the client certificate
-// `{http.request.tls.client.issuer}` | The issuer DN of the client certificate
-// `{http.request.tls.client.serial}` | The serial number of the client certificate
-// `{http.request.tls.client.subject}` | The subject DN of the client certificate
-// `{http.request.uri.path.*}` | Parts of the path, split by `/` (0-based from left)
-// `{http.request.uri.path.dir}` | The directory, excluding leaf filename
-// `{http.request.uri.path.file}` | The filename of the path, excluding directory
-// `{http.request.uri.path}` | The path component of the request URI
-// `{http.request.uri.query.*}` | Individual query string value
-// `{http.request.uri.query}` | The query string (without `?`)
-// `{http.request.uri}` | The full request URI
-// `{http.response.header.*}` | Specific response header field
-// `{http.vars.*}` | Custom variables in the HTTP handler chain
-type App struct {
- // HTTPPort specifies the port to use for HTTP (as opposed to HTTPS),
- // which is used when setting up HTTP->HTTPS redirects or ACME HTTP
- // challenge solvers. Default: 80.
- HTTPPort int `json:"http_port,omitempty"`
-
- // HTTPSPort specifies the port to use for HTTPS, which is used when
- // solving the ACME TLS-ALPN challenges, or whenever HTTPS is needed
- // but no specific port number is given. Default: 443.
- HTTPSPort int `json:"https_port,omitempty"`
-
- // GracePeriod is how long to wait for active connections when shutting
- // down the server. Once the grace period is over, connections will
- // be forcefully closed.
- GracePeriod caddy.Duration `json:"grace_period,omitempty"`
-
- // Servers is the list of servers, keyed by arbitrary names chosen
- // at your discretion for your own convenience; the keys do not
- // affect functionality.
- Servers map[string]*Server `json:"servers,omitempty"`
-
- servers []*http.Server
- h3servers []*http3.Server
- h3listeners []net.PacketConn
-
- ctx caddy.Context
- logger *zap.Logger
- tlsApp *caddytls.TLS
-
- // used temporarily between phases 1 and 2 of auto HTTPS
- allCertDomains []string
-}
-
-// CaddyModule returns the Caddy module information.
-func (App) CaddyModule() caddy.ModuleInfo {
- return caddy.ModuleInfo{
- ID: "http",
- New: func() caddy.Module { return new(App) },
- }
-}
-
-// Provision sets up the app.
-func (app *App) Provision(ctx caddy.Context) error {
- // store some references
- tlsAppIface, err := ctx.App("tls")
- if err != nil {
- return fmt.Errorf("getting tls app: %v", err)
- }
- app.tlsApp = tlsAppIface.(*caddytls.TLS)
- app.ctx = ctx
- app.logger = ctx.Logger(app)
-
- repl := caddy.NewReplacer()
-
- // this provisions the matchers for each route,
- // and prepares auto HTTP->HTTPS redirects, and
- // is required before we provision each server
- err = app.automaticHTTPSPhase1(ctx, repl)
- if err != nil {
- return err
- }
-
- // prepare each server
- for srvName, srv := range app.Servers {
- srv.tlsApp = app.tlsApp
- srv.logger = app.logger.Named("log")
- srv.errorLogger = app.logger.Named("log.error")
-
- // only enable access logs if configured
- if srv.Logs != nil {
- srv.accessLogger = app.logger.Named("log.access")
- }
-
- // if not explicitly configured by the user, disallow TLS
- // client auth bypass (domain fronting) which could
- // otherwise be exploited by sending an unprotected SNI
- // value during a TLS handshake, then putting a protected
- // domain in the Host header after establishing connection;
- // this is a safe default, but we allow users to override
- // it for example in the case of running a proxy where
- // domain fronting is desired and access is not restricted
- // based on hostname
- if srv.StrictSNIHost == nil && srv.hasTLSClientAuth() {
- app.logger.Info("enabling strict SNI-Host matching because TLS client auth is configured",
- zap.String("server_name", srvName),
- )
- trueBool := true
- srv.StrictSNIHost = &trueBool
- }
-
- // process each listener address
- for i := range srv.Listen {
- lnOut, err := repl.ReplaceOrErr(srv.Listen[i], true, true)
- if err != nil {
- return fmt.Errorf("server %s, listener %d: %v",
- srvName, i, err)
- }
- srv.Listen[i] = lnOut
- }
-
- // set up each listener modifier
- if srv.ListenerWrappersRaw != nil {
- vals, err := ctx.LoadModule(srv, "ListenerWrappersRaw")
- if err != nil {
- return fmt.Errorf("loading listener wrapper modules: %v", err)
- }
- var hasTLSPlaceholder bool
- for i, val := range vals.([]interface{}) {
- if _, ok := val.(*tlsPlaceholderWrapper); ok {
- if i == 0 {
- // putting the tls placeholder wrapper first is nonsensical because
- // that is the default, implicit setting: without it, all wrappers
- // will go after the TLS listener anyway
- return fmt.Errorf("it is unnecessary to specify the TLS listener wrapper in the first position because that is the default")
- }
- if hasTLSPlaceholder {
- return fmt.Errorf("TLS listener wrapper can only be specified once")
- }
- hasTLSPlaceholder = true
- }
- srv.listenerWrappers = append(srv.listenerWrappers, val.(caddy.ListenerWrapper))
- }
- // if any wrappers were configured but the TLS placeholder wrapper is
- // absent, prepend it so all defined wrappers come after the TLS
- // handshake; this simplifies logic when starting the server, since we
- // can simply assume the TLS placeholder will always be there
- if !hasTLSPlaceholder && len(srv.listenerWrappers) > 0 {
- srv.listenerWrappers = append([]caddy.ListenerWrapper{new(tlsPlaceholderWrapper)}, srv.listenerWrappers...)
- }
- }
-
- // pre-compile the primary handler chain, and be sure to wrap it in our
- // route handler so that important security checks are done, etc.
- primaryRoute := emptyHandler
- if srv.Routes != nil {
- err := srv.Routes.ProvisionHandlers(ctx)
- if err != nil {
- return fmt.Errorf("server %s: setting up route handlers: %v", srvName, err)
- }
- primaryRoute = srv.Routes.Compile(emptyHandler)
- }
- srv.primaryHandlerChain = srv.wrapPrimaryRoute(primaryRoute)
-
- // pre-compile the error handler chain
- if srv.Errors != nil {
- err := srv.Errors.Routes.Provision(ctx)
- if err != nil {
- return fmt.Errorf("server %s: setting up server error handling routes: %v", srvName, err)
- }
- srv.errorHandlerChain = srv.Errors.Routes.Compile(errorEmptyHandler)
- }
-
- // prepare the TLS connection policies
- err = srv.TLSConnPolicies.Provision(ctx)
- if err != nil {
- return fmt.Errorf("server %s: setting up TLS connection policies: %v", srvName, err)
- }
- }
-
- return nil
-}
-
-// Validate ensures the app's configuration is valid.
-func (app *App) Validate() error {
- // each server must use distinct listener addresses
- lnAddrs := make(map[string]string)
- for srvName, srv := range app.Servers {
- for _, addr := range srv.Listen {
- listenAddr, err := caddy.ParseNetworkAddress(addr)
- if err != nil {
- return fmt.Errorf("invalid listener address '%s': %v", addr, err)
- }
- // check that every address in the port range is unique to this server;
- // we do not use <= here because PortRangeSize() adds 1 to EndPort for us
- for i := uint(0); i < listenAddr.PortRangeSize(); i++ {
- addr := caddy.JoinNetworkAddress(listenAddr.Network, listenAddr.Host, strconv.Itoa(int(listenAddr.StartPort+i)))
- if sn, ok := lnAddrs[addr]; ok {
- return fmt.Errorf("server %s: listener address repeated: %s (already claimed by server '%s')", srvName, addr, sn)
- }
- lnAddrs[addr] = srvName
- }
- }
- }
-
- return nil
-}
-
-// Start runs the app. It finishes automatic HTTPS if enabled,
-// including management of certificates.
-func (app *App) Start() error {
- for srvName, srv := range app.Servers {
- s := &http.Server{
- ReadTimeout: time.Duration(srv.ReadTimeout),
- ReadHeaderTimeout: time.Duration(srv.ReadHeaderTimeout),
- WriteTimeout: time.Duration(srv.WriteTimeout),
- IdleTimeout: time.Duration(srv.IdleTimeout),
- MaxHeaderBytes: srv.MaxHeaderBytes,
- Handler: srv,
- }
-
- for _, lnAddr := range srv.Listen {
- listenAddr, err := caddy.ParseNetworkAddress(lnAddr)
- if err != nil {
- return fmt.Errorf("%s: parsing listen address '%s': %v", srvName, lnAddr, err)
- }
- for portOffset := uint(0); portOffset < listenAddr.PortRangeSize(); portOffset++ {
- // create the listener for this socket
- hostport := listenAddr.JoinHostPort(portOffset)
- ln, err := caddy.Listen(listenAddr.Network, hostport)
- if err != nil {
- return fmt.Errorf("%s: listening on %s: %v", listenAddr.Network, hostport, err)
- }
-
- // wrap listener before TLS (up to the TLS placeholder wrapper)
- var lnWrapperIdx int
- for i, lnWrapper := range srv.listenerWrappers {
- if _, ok := lnWrapper.(*tlsPlaceholderWrapper); ok {
- lnWrapperIdx = i + 1 // mark the next wrapper's spot
- break
- }
- ln = lnWrapper.WrapListener(ln)
- }
-
- // enable TLS if there is a policy and if this is not the HTTP port
- useTLS := len(srv.TLSConnPolicies) > 0 && int(listenAddr.StartPort+portOffset) != app.httpPort()
- if useTLS {
- // create TLS listener
- tlsCfg := srv.TLSConnPolicies.TLSConfig(app.ctx)
- ln = tls.NewListener(ln, tlsCfg)
-
- /////////
- // TODO: HTTP/3 support is experimental for now
- if srv.ExperimentalHTTP3 {
- app.logger.Info("enabling experimental HTTP/3 listener",
- zap.String("addr", hostport),
- )
- h3ln, err := caddy.ListenPacket("udp", hostport)
- if err != nil {
- return fmt.Errorf("getting HTTP/3 UDP listener: %v", err)
- }
- h3srv := &http3.Server{
- Server: &http.Server{
- Addr: hostport,
- Handler: srv,
- TLSConfig: tlsCfg,
- },
- }
- go h3srv.Serve(h3ln)
- app.h3servers = append(app.h3servers, h3srv)
- app.h3listeners = append(app.h3listeners, h3ln)
- srv.h3server = h3srv
- }
- /////////
- }
-
- // finish wrapping listener where we left off before TLS
- for i := lnWrapperIdx; i < len(srv.listenerWrappers); i++ {
- ln = srv.listenerWrappers[i].WrapListener(ln)
- }
-
- app.logger.Debug("starting server loop",
- zap.String("address", lnAddr),
- zap.Bool("http3", srv.ExperimentalHTTP3),
- zap.Bool("tls", useTLS),
- )
-
- go s.Serve(ln)
- app.servers = append(app.servers, s)
- }
- }
- }
-
- // finish automatic HTTPS by finally beginning
- // certificate management
- err := app.automaticHTTPSPhase2()
- if err != nil {
- return fmt.Errorf("finalizing automatic HTTPS: %v", err)
- }
-
- return nil
-}
-
-// Stop gracefully shuts down the HTTP server.
-func (app *App) Stop() error {
- ctx := context.Background()
- if app.GracePeriod > 0 {
- var cancel context.CancelFunc
- ctx, cancel = context.WithTimeout(ctx, time.Duration(app.GracePeriod))
- defer cancel()
- }
- for _, s := range app.servers {
- err := s.Shutdown(ctx)
- if err != nil {
- return err
- }
- }
-
- // close the http3 servers; it's unclear whether the bug reported in
- // https://github.com/caddyserver/caddy/pull/2727#issuecomment-526856566
- // was ever truly fixed, since it seemed racey/nondeterministic; but
- // recent tests in 2020 were unable to replicate the issue again after
- // repeated attempts (the bug manifested after a config reload; i.e.
- // reusing a http3 server or listener was problematic), but it seems
- // to be working fine now
- for _, s := range app.h3servers {
- // TODO: CloseGracefully, once implemented upstream
- // (see https://github.com/lucas-clemente/quic-go/issues/2103)
- err := s.Close()
- if err != nil {
- return err
- }
- }
-
- // closing an http3.Server does not close their underlying listeners
- // since apparently the listener can be used both by servers and
- // clients at the same time; so we need to manually call Close()
- // on the underlying h3 listeners (see lucas-clemente/quic-go#2103)
- for _, pc := range app.h3listeners {
- err := pc.Close()
- if err != nil {
- return err
- }
- }
- return nil
-}
-
-func (app *App) httpPort() int {
- if app.HTTPPort == 0 {
- return DefaultHTTPPort
- }
- return app.HTTPPort
-}
-
-func (app *App) httpsPort() int {
- if app.HTTPSPort == 0 {
- return DefaultHTTPSPort
- }
- return app.HTTPSPort
}
// RequestMatcher is a type that can match to a request.
@@ -618,11 +218,5 @@ const (
DefaultHTTPSPort = 443
)
-// Interface guards
-var (
- _ caddy.App = (*App)(nil)
- _ caddy.Provisioner = (*App)(nil)
- _ caddy.Validator = (*App)(nil)
-
- _ caddy.ListenerWrapper = (*tlsPlaceholderWrapper)(nil)
-)
+// Interface guard
+var _ caddy.ListenerWrapper = (*tlsPlaceholderWrapper)(nil)