httpcaddyfile: Don't add HTTP hosts to TLS APs (fix #4176 and fix #4198)

In the Caddyfile, hosts specified for HTTP sockets (either scheme is "http" or it is on the HTTP port) should not be used as subjects in TLS automation policies (APs).
author: Matthew Holt <mholt@users.noreply.github.com> 2021-06-09 14:34:59 -0600
committer: Matthew Holt <mholt@users.noreply.github.com> 2021-06-09 14:35:09 -0600
commit: 05656a60b3b089ce1735a1ebb02539cca9f68fb4 (patch)
tree: 3fb0db25f2c0a21225c89dc85fc438792ac64978 /caddyconfig/httpcaddyfile/directives.go
parent: 1e92258dd670dc62a55b100d1e68e7f482da14a1 (diff)
1 files changed, 21 insertions, 0 deletions
diff --git a/caddyconfig/httpcaddyfile/directives.go b/caddyconfig/httpcaddyfile/directives.go
index 5e19474..75fd473 100644
--- a/caddyconfig/httpcaddyfile/directives.go
+++ b/caddyconfig/httpcaddyfile/directives.go
@@ -478,6 +478,27 @@ func (sb serverBlock) hostsFromKeys(loggerMode bool) []string {
 	return sblockHosts
 }
 
+func (sb serverBlock) hostsFromKeysNotHTTP(httpPort string) []string {
+	// ensure each entry in our list is unique
+	hostMap := make(map[string]struct{})
+	for _, addr := range sb.keys {
+		if addr.Host == "" {
+			continue
+		}
+		if addr.Scheme != "http" && addr.Port != httpPort {
+			hostMap[addr.Host] = struct{}{}
+		}
+	}
+
+	// convert map to slice
+	sblockHosts := make([]string, 0, len(hostMap))
+	for host := range hostMap {
+		sblockHosts = append(sblockHosts, host)
+	}
+
+	return sblockHosts
+}
+
 // hasHostCatchAllKey returns true if sb has a key that
 // omits a host portion, i.e. it "catches all" hosts.
 func (sb serverBlock) hasHostCatchAllKey() bool {
author	Matthew Holt <mholt@users.noreply.github.com>	2021-06-09 14:34:59 -0600
committer	Matthew Holt <mholt@users.noreply.github.com>	2021-06-09 14:35:09 -0600
commit	05656a60b3b089ce1735a1ebb02539cca9f68fb4 (patch)
tree	3fb0db25f2c0a21225c89dc85fc438792ac64978 /caddyconfig/httpcaddyfile/directives.go
parent	1e92258dd670dc62a55b100d1e68e7f482da14a1 (diff)