summaryrefslogtreecommitdiff
path: root/caddyconfig/httpcaddyfile
diff options
context:
space:
mode:
authorMatthew Holt <mholt@users.noreply.github.com>2021-06-09 14:34:59 -0600
committerMatthew Holt <mholt@users.noreply.github.com>2021-06-09 14:35:09 -0600
commit05656a60b3b089ce1735a1ebb02539cca9f68fb4 (patch)
tree3fb0db25f2c0a21225c89dc85fc438792ac64978 /caddyconfig/httpcaddyfile
parent1e92258dd670dc62a55b100d1e68e7f482da14a1 (diff)
httpcaddyfile: Don't add HTTP hosts to TLS APs (fix #4176 and fix #4198)
In the Caddyfile, hosts specified for HTTP sockets (either scheme is "http" or it is on the HTTP port) should not be used as subjects in TLS automation policies (APs).
Diffstat (limited to 'caddyconfig/httpcaddyfile')
-rw-r--r--caddyconfig/httpcaddyfile/directives.go21
-rw-r--r--caddyconfig/httpcaddyfile/tlsapp.go2
2 files changed, 22 insertions, 1 deletions
diff --git a/caddyconfig/httpcaddyfile/directives.go b/caddyconfig/httpcaddyfile/directives.go
index 5e19474..75fd473 100644
--- a/caddyconfig/httpcaddyfile/directives.go
+++ b/caddyconfig/httpcaddyfile/directives.go
@@ -478,6 +478,27 @@ func (sb serverBlock) hostsFromKeys(loggerMode bool) []string {
return sblockHosts
}
+func (sb serverBlock) hostsFromKeysNotHTTP(httpPort string) []string {
+ // ensure each entry in our list is unique
+ hostMap := make(map[string]struct{})
+ for _, addr := range sb.keys {
+ if addr.Host == "" {
+ continue
+ }
+ if addr.Scheme != "http" && addr.Port != httpPort {
+ hostMap[addr.Host] = struct{}{}
+ }
+ }
+
+ // convert map to slice
+ sblockHosts := make([]string, 0, len(hostMap))
+ for host := range hostMap {
+ sblockHosts = append(sblockHosts, host)
+ }
+
+ return sblockHosts
+}
+
// hasHostCatchAllKey returns true if sb has a key that
// omits a host portion, i.e. it "catches all" hosts.
func (sb serverBlock) hasHostCatchAllKey() bool {
diff --git a/caddyconfig/httpcaddyfile/tlsapp.go b/caddyconfig/httpcaddyfile/tlsapp.go
index b7a8f02..1bfddda 100644
--- a/caddyconfig/httpcaddyfile/tlsapp.go
+++ b/caddyconfig/httpcaddyfile/tlsapp.go
@@ -189,7 +189,7 @@ func (st ServerType) buildTLSApp(
}
// associate our new automation policy with this server block's hosts
- ap.Subjects = sblockHosts
+ ap.Subjects = sblock.hostsFromKeysNotHTTP(httpPort)
sort.Strings(ap.Subjects) // solely for deterministic test results
// if a combination of public and internal names were given