summaryrefslogtreecommitdiff
path: root/modules/caddyhttp
diff options
context:
space:
mode:
authorMatthew Holt <mholt@users.noreply.github.com>2019-12-28 23:56:08 -0700
committerMatthew Holt <mholt@users.noreply.github.com>2019-12-28 23:56:08 -0700
commit2b33d9a5e5d1bd12d27bea2cfe8341fd1e5703b2 (patch)
tree8dbf34223bc9a89783ab953459df7a6f2591339c /modules/caddyhttp
parent5c8b502964457646ada348c6bc8ba7180771b7ca (diff)
http: Enable TLS for servers listening only on HTTPS port
It seems silly to have to add a single, empty TLS connection policy to a server to enable TLS when it's only listening on the HTTPS port. We now do this for the user as part of automatic HTTPS (thus, it can be disabled / overridden). See https://caddy.community/t/v2-catch-all-server-with-automatic-tls/6692/2?u=matt
Diffstat (limited to 'modules/caddyhttp')
-rw-r--r--modules/caddyhttp/caddyhttp.go12
1 files changed, 12 insertions, 0 deletions
diff --git a/modules/caddyhttp/caddyhttp.go b/modules/caddyhttp/caddyhttp.go
index 756a6c3..d3be288 100644
--- a/modules/caddyhttp/caddyhttp.go
+++ b/modules/caddyhttp/caddyhttp.go
@@ -326,6 +326,18 @@ func (app *App) automaticHTTPS() error {
continue
}
+ // if all listeners are on the HTTPS port, make sure
+ // there is at least one TLS connection policy; it
+ // should be obvious that they want to use TLS without
+ // needing to specify one empty policy to enable it
+ if !srv.listenersUseAnyPortOtherThan(app.httpsPort()) && len(srv.TLSConnPolicies) == 0 {
+ app.logger.Info("server is only listening on the HTTPS port but has no TLS connection policies; adding one to enable TLS",
+ zap.String("server_name", srvName),
+ zap.Int("https_port", app.httpsPort()),
+ )
+ srv.TLSConnPolicies = append(srv.TLSConnPolicies, new(caddytls.ConnectionPolicy))
+ }
+
// find all qualifying domain names, de-duplicated
domainSet := make(map[string]struct{})
for routeIdx, route := range srv.Routes {