diff options
author | Matthew Holt <mholt@users.noreply.github.com> | 2019-12-13 16:32:27 -0700 |
---|---|---|
committer | Matthew Holt <mholt@users.noreply.github.com> | 2019-12-13 16:32:27 -0700 |
commit | 6ea121ddf8c5be6de892971782d6f0fe2938ebbf (patch) | |
tree | 055f6f78c8e779787e365fadd7f6cf05ff01defb /caddyconfig | |
parent | 8005b7ab73c264ee3c1d7b10c39bc5565ef57c02 (diff) |
tls: Ensure conn policy is created when providing certs in Caddyfile
Fixes #2929
Diffstat (limited to 'caddyconfig')
-rw-r--r-- | caddyconfig/httpcaddyfile/builtins.go | 39 | ||||
-rw-r--r-- | caddyconfig/httpcaddyfile/httptype.go | 21 |
2 files changed, 44 insertions, 16 deletions
diff --git a/caddyconfig/httpcaddyfile/builtins.go b/caddyconfig/httpcaddyfile/builtins.go index e92aa9d..b523d95 100644 --- a/caddyconfig/httpcaddyfile/builtins.go +++ b/caddyconfig/httpcaddyfile/builtins.go @@ -81,7 +81,7 @@ func parseRoot(h Helper) ([]ConfigValue, error) { func parseTLS(h Helper) ([]ConfigValue, error) { var configVals []ConfigValue - cp := new(caddytls.ConnectionPolicy) + var cp *caddytls.ConnectionPolicy var fileLoader caddytls.FileLoader var folderLoader caddytls.FolderLoader var mgr caddytls.ACMEManagerMaker @@ -131,12 +131,18 @@ func parseTLS(h Helper) ([]ConfigValue, error) { if _, ok := caddytls.SupportedProtocols[args[0]]; !ok { return nil, h.Errf("Wrong protocol name or protocol not supported: '%s'", args[0]) } + if cp == nil { + cp = new(caddytls.ConnectionPolicy) + } cp.ProtocolMin = args[0] } if len(args) > 1 { if _, ok := caddytls.SupportedProtocols[args[1]]; !ok { return nil, h.Errf("Wrong protocol name or protocol not supported: '%s'", args[1]) } + if cp == nil { + cp = new(caddytls.ConnectionPolicy) + } cp.ProtocolMax = args[1] } case "ciphers": @@ -144,6 +150,9 @@ func parseTLS(h Helper) ([]ConfigValue, error) { if _, ok := caddytls.SupportedCipherSuites[h.Val()]; !ok { return nil, h.Errf("Wrong cipher suite name or cipher suite not supported: '%s'", h.Val()) } + if cp == nil { + cp = new(caddytls.ConnectionPolicy) + } cp.CipherSuites = append(cp.CipherSuites, h.Val()) } case "curves": @@ -151,6 +160,9 @@ func parseTLS(h Helper) ([]ConfigValue, error) { if _, ok := caddytls.SupportedCurves[h.Val()]; !ok { return nil, h.Errf("Wrong curve name or curve not supported: '%s'", h.Val()) } + if cp == nil { + cp = new(caddytls.ConnectionPolicy) + } cp.Curves = append(cp.Curves, h.Val()) } case "alpn": @@ -158,6 +170,9 @@ func parseTLS(h Helper) ([]ConfigValue, error) { if len(args) == 0 { return nil, h.ArgErr() } + if cp == nil { + cp = new(caddytls.ConnectionPolicy) + } cp.ALPN = args // certificate folder loader @@ -183,24 +198,34 @@ func parseTLS(h Helper) ([]ConfigValue, error) { } } - // connection policy - configVals = append(configVals, ConfigValue{ - Class: "tls.connection_policy", - Value: cp, - }) - // certificate loaders if len(fileLoader) > 0 { configVals = append(configVals, ConfigValue{ Class: "tls.certificate_loader", Value: fileLoader, }) + // ensure server uses HTTPS by setting non-nil conn policy + if cp == nil { + cp = new(caddytls.ConnectionPolicy) + } } if len(folderLoader) > 0 { configVals = append(configVals, ConfigValue{ Class: "tls.certificate_loader", Value: folderLoader, }) + // ensure server uses HTTPS by setting non-nil conn policy + if cp == nil { + cp = new(caddytls.ConnectionPolicy) + } + } + + // connection policy + if cp != nil { + configVals = append(configVals, ConfigValue{ + Class: "tls.connection_policy", + Value: cp, + }) } // automation policy diff --git a/caddyconfig/httpcaddyfile/httptype.go b/caddyconfig/httpcaddyfile/httptype.go index 2b2855d..d8fde46 100644 --- a/caddyconfig/httpcaddyfile/httptype.go +++ b/caddyconfig/httpcaddyfile/httptype.go @@ -275,6 +275,9 @@ func (st *ServerType) hostsFromServerBlockKeys(sb caddyfile.ServerBlock) ([]stri return nil, fmt.Errorf("parsing server block key: %v", err) } addr = addr.Normalize() + if addr.Host == "" { + continue + } hostMap[addr.Host] = struct{}{} } @@ -328,20 +331,20 @@ func (st *ServerType) serversFromPairings( // tls connection policies for _, cpVal := range cpVals { cp := cpVal.Value.(*caddytls.ConnectionPolicy) - // only create if there is a non-empty policy - if !reflect.DeepEqual(cp, new(caddytls.ConnectionPolicy)) { - // make sure the policy covers all hostnames from the block - hosts, err := st.hostsFromServerBlockKeys(sblock.block) - if err != nil { - return nil, err - } - // TODO: are matchers needed if every hostname of the config is matched? + // make sure the policy covers all hostnames from the block + hosts, err := st.hostsFromServerBlockKeys(sblock.block) + if err != nil { + return nil, err + } + + // TODO: are matchers needed if every hostname of the config is matched? + if len(hosts) > 0 { cp.MatchersRaw = caddy.ModuleMap{ "sni": caddyconfig.JSON(hosts, warnings), // make sure to match all hosts, not just auto-HTTPS-qualified ones } - srv.TLSConnPolicies = append(srv.TLSConnPolicies, cp) } + srv.TLSConnPolicies = append(srv.TLSConnPolicies, cp) } // TODO: consolidate equal conn policies } |