diff options
author | Matthew Holt <mholt@users.noreply.github.com> | 2021-01-19 14:16:06 -0700 |
---|---|---|
committer | Matthew Holt <mholt@users.noreply.github.com> | 2021-01-19 14:16:06 -0700 |
commit | d68cff8eb6211be10fc79d3e8d469562420b78cd (patch) | |
tree | 6182b9a420a658979fedb35da8e3dc6fc552cf4c /caddyconfig/httpcaddyfile/tlsapp.go | |
parent | 8f6f9865d49d044e2fdc5e97bb0cc4fac155162e (diff) |
httpcaddyfile: Skip TLS APs for HTTP-only hosts (fix #3977)
This is probably an invasive change, but existing tests continue to pass.
It seems to make sense this way. There is likely an edge case I haven't
considered.
Diffstat (limited to 'caddyconfig/httpcaddyfile/tlsapp.go')
-rw-r--r-- | caddyconfig/httpcaddyfile/tlsapp.go | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/caddyconfig/httpcaddyfile/tlsapp.go b/caddyconfig/httpcaddyfile/tlsapp.go index 10b5e7d..dbf3cc7 100644 --- a/caddyconfig/httpcaddyfile/tlsapp.go +++ b/caddyconfig/httpcaddyfile/tlsapp.go @@ -40,6 +40,10 @@ func (st ServerType) buildTLSApp( tlsApp := &caddytls.TLS{CertificatesRaw: make(caddy.ModuleMap)} var certLoaders []caddytls.CertificateLoader + httpPort := strconv.Itoa(caddyhttp.DefaultHTTPPort) + if hp, ok := options["http_port"].(int); ok { + httpPort = strconv.Itoa(hp) + } httpsPort := strconv.Itoa(caddyhttp.DefaultHTTPSPort) if hsp, ok := options["https_port"].(int); ok { httpsPort = strconv.Itoa(hsp) @@ -91,6 +95,11 @@ func (st ServerType) buildTLSApp( } for _, p := range pairings { + // avoid setting up TLS automation policies for a server that is HTTP-only + if !listenersUseAnyPortOtherThan(p.addresses, httpPort) { + continue + } + for _, sblock := range p.serverBlocks { // get values that populate an automation policy for this block ap, err := newBaseAutomationPolicy(options, warnings, true) |