author | Matthew Holt <mholt@users.noreply.github.com> | 2021-06-09 14:34:59 -0600 |
---|---|---|
committer | Matthew Holt <mholt@users.noreply.github.com> | 2021-06-09 14:35:09 -0600 |
commit | 05656a60b3b089ce1735a1ebb02539cca9f68fb4 (patch) | |
tree | 3fb0db25f2c0a21225c89dc85fc438792ac64978 /caddyconfig/httpcaddyfile | |
parent | 1e92258dd670dc62a55b100d1e68e7f482da14a1 (diff) |
httpcaddyfile: Don't add HTTP hosts to TLS APs (fix #4176 and fix #4198)
In the Caddyfile, hosts specified for HTTP sockets (either the scheme is "http" or the address is on the HTTP port) should not be used as subjects in TLS automation policies (APs).
Diffstat (limited to 'caddyconfig/httpcaddyfile')
-rw-r--r-- | caddyconfig/httpcaddyfile/directives.go | 21 | ||||
-rw-r--r-- | caddyconfig/httpcaddyfile/tlsapp.go | 2 |
2 files changed, 22 insertions, 1 deletions
diff --git a/caddyconfig/httpcaddyfile/directives.go b/caddyconfig/httpcaddyfile/directives.go
index 5e19474..75fd473 100644
--- a/caddyconfig/httpcaddyfile/directives.go
+++ b/caddyconfig/httpcaddyfile/directives.go
@@ -478,6 +478,27 @@ func (sb serverBlock) hostsFromKeys(loggerMode bool) []string {
 	return sblockHosts
 }
 
+func (sb serverBlock) hostsFromKeysNotHTTP(httpPort string) []string {
+	// ensure each entry in our list is unique
+	hostMap := make(map[string]struct{})
+	for _, addr := range sb.keys {
+		if addr.Host == "" {
+			continue
+		}
+		if addr.Scheme != "http" && addr.Port != httpPort {
+			hostMap[addr.Host] = struct{}{}
+		}
+	}
+
+	// convert map to slice
+	sblockHosts := make([]string, 0, len(hostMap))
+	for host := range hostMap {
+		sblockHosts = append(sblockHosts, host)
+	}
+
+	return sblockHosts
+}
+
 // hasHostCatchAllKey returns true if sb has a key that
 // omits a host portion, i.e. it "catches all" hosts.
 func (sb serverBlock) hasHostCatchAllKey() bool {
diff --git a/caddyconfig/httpcaddyfile/tlsapp.go b/caddyconfig/httpcaddyfile/tlsapp.go
index b7a8f02..1bfddda 100644
--- a/caddyconfig/httpcaddyfile/tlsapp.go
+++ b/caddyconfig/httpcaddyfile/tlsapp.go
@@ -189,7 +189,7 @@ func (st ServerType) buildTLSApp(
 	}
 
 	// associate our new automation policy with this server block's hosts
-	ap.Subjects = sblockHosts
+	ap.Subjects = sblock.hostsFromKeysNotHTTP(httpPort)
 	sort.Strings(ap.Subjects) // solely for deterministic test results
 
 	// if a combination of public and internal names were given
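Review bot: The new hostsFromKeysNotHTTP in directives.go has no doc comment, while its neighbour hasHostCatchAllKey documents itself, and the filter it applies is exactly the kind of rule a reader needs spelled out: `// hostsFromKeysNotHTTP returns the unique hosts from sb's keys, excluding keys with no host, keys whose scheme is "http", and keys on httpPort; the order of the result is random, so callers needing determinism must sort it.` Note that the `addr.Port != httpPort` clause also drops a key written with an explicit "https" scheme on the HTTP port; if that combination is rejected earlier during address parsing this is harmless, otherwise confirm it is the intended outcome. The loop body mirrors the one in hostsFromKeys (whose start lies outside this hunk); a shared helper taking a keep-predicate would keep the two from drifting apart.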
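Review bot: In the tlsapp.go hunk, when every key of a server block is an HTTP address the new call returns an empty slice and `ap.Subjects` ends up empty; a TLS automation policy with no subjects applies to all names, so a plain-HTTP site block could now contribute a catch-all policy carrying that block's issuer and key settings. buildTLSApp starts and ends outside this hunk, so I cannot see whether the loop already discards such a policy before appending it; if it does not, a guard at this point such as `if len(ap.Subjects) == 0 { continue }` (or whatever skip form the enclosing loop uses) would keep HTTP-only blocks out of the automation config.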