diff options
author | Matthew Holt <mholt@users.noreply.github.com> | 2020-03-13 19:14:49 -0600 |
---|---|---|
committer | Matthew Holt <mholt@users.noreply.github.com> | 2020-03-13 19:14:49 -0600 |
commit | 7a4548c5823e85bab0a2e2f40a3ea00f64ce8552 (patch) | |
tree | d689258be31245bd115e7a3140c585781c2371c5 /modules/caddytls | |
parent | 6cbd93736fcd2e202fb4d5cfc3f9dd45b6121b0b (diff) |
Some hotfixes for beta 16
Diffstat (limited to 'modules/caddytls')
-rw-r--r-- | modules/caddytls/acmeissuer.go | 6 | ||||
-rw-r--r-- | modules/caddytls/connpolicy.go | 7 | ||||
-rw-r--r-- | modules/caddytls/tls.go | 19 |
3 files changed, 21 insertions, 11 deletions
diff --git a/modules/caddytls/acmeissuer.go b/modules/caddytls/acmeissuer.go index f108d72..53638fe 100644 --- a/modules/caddytls/acmeissuer.go +++ b/modules/caddytls/acmeissuer.go @@ -144,6 +144,10 @@ func (m *ACMEIssuer) SetConfig(cfg *certmagic.Config) { m.magic = cfg } +// TODO: I kind of hate how each call to these methods needs to +// make a new ACME manager to fill in defaults before using; can +// we find the right place to do that just once and then re-use? + // PreCheck implements the certmagic.PreChecker interface. func (m *ACMEIssuer) PreCheck(names []string, interactive bool) error { return certmagic.NewACMEManager(m.magic, m.template).PreCheck(names, interactive) @@ -156,7 +160,7 @@ func (m *ACMEIssuer) Issue(ctx context.Context, csr *x509.CertificateRequest) (* // IssuerKey returns the unique issuer key for the configured CA endpoint. func (m *ACMEIssuer) IssuerKey() string { - return m.template.IssuerKey() // does not need storage and cache + return certmagic.NewACMEManager(m.magic, m.template).IssuerKey() } // Revoke revokes the given certificate. diff --git a/modules/caddytls/connpolicy.go b/modules/caddytls/connpolicy.go index 5b830f9..7618db4 100644 --- a/modules/caddytls/connpolicy.go +++ b/modules/caddytls/connpolicy.go @@ -55,6 +55,11 @@ func (cp ConnectionPolicies) Provision(ctx caddy.Context) error { cp[i].certSelector = val.(certmagic.CertificateSelector) } + // enable HTTP/2 by default + if len(pol.ALPN) == 0 { + pol.ALPN = append(pol.ALPN, defaultALPN...) + } + // pre-build standard TLS config so we don't have to at handshake-time err = pol.buildStandardTLSConfig(ctx) if err != nil { @@ -452,3 +457,5 @@ func (a *PublicKeyAlgorithm) UnmarshalJSON(b []byte) error { type ConnectionMatcher interface { Match(*tls.ClientHelloInfo) bool } + +var defaultALPN = []string{"h2", "http/1.1"} diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go index f91229f..0b39c71 100644 --- a/modules/caddytls/tls.go +++ b/modules/caddytls/tls.go @@ -181,7 +181,6 @@ func (t *TLS) Validate() error { // ensure that host aren't repeated; since only the first // automation policy is used, repeating a host in the lists // isn't useful and is probably a mistake - // TODO: test this hostSet := make(map[string]int) for i, ap := range t.Automation.Policies { for _, h := range ap.Hosts { @@ -279,8 +278,8 @@ func (t *TLS) HandleHTTPChallenge(w http.ResponseWriter, r *http.Request) bool { if ap.magic.Issuer == nil { return false } - if am, ok := ap.magic.Issuer.(*certmagic.ACMEManager); ok { - return am.HandleHTTPChallenge(w, r) + if am, ok := ap.magic.Issuer.(*ACMEIssuer); ok { + return certmagic.NewACMEManager(am.magic, am.template).HandleHTTPChallenge(w, r) } return false } @@ -709,7 +708,7 @@ const automateKey = "automate" // (beta 16 changed the storage path for certificates), // after which this function can be deleted func (t *TLS) moveCertificates() error { - log := t.logger.Named("automigrate") + logger := t.logger.Named("automigrate") baseDir := caddy.AppDataDir() @@ -760,7 +759,7 @@ func (t *TLS) moveCertificates() error { } if len(oldAcmeSites) > 0 { - log.Warn("certificate storage path has changed; attempting one-time auto-migration", + logger.Warn("certificate storage path has changed; attempting one-time auto-migration", zap.String("old_folder", oldAcmeSitesDir), zap.String("new_folder", newBaseDir), zap.String("details", "https://github.com/caddyserver/caddy/issues/2955")) @@ -775,13 +774,13 @@ func (t *TLS) moveCertificates() error { // move the folder oldPath := filepath.Join(oldAcmeSitesDir, siteInfo.Name()) newPath := filepath.Join(newBaseDir, siteInfo.Name()) - log.Info("moving certificate assets", + logger.Info("moving certificate assets", zap.String("ca", oldCA), zap.String("site", siteInfo.Name()), zap.String("destination", newPath)) err = os.Rename(oldPath, newPath) if err != nil { - log.Error("failed moving site to new path; skipping", + logger.Error("failed moving site to new path; skipping", zap.String("old_path", oldPath), zap.String("new_path", newPath), zap.Error(err)) @@ -792,7 +791,7 @@ func (t *TLS) moveCertificates() error { metaFilePath := filepath.Join(newPath, siteInfo.Name()+".json") metaContents, err := ioutil.ReadFile(metaFilePath) if err != nil { - log.Error("could not read metadata file", + logger.Error("could not read metadata file", zap.String("filename", metaFilePath), zap.Error(err)) continue @@ -806,12 +805,12 @@ func (t *TLS) moveCertificates() error { } newMeta, err := json.MarshalIndent(cr, "", "\t") if err != nil { - log.Error("encoding new metadata file", zap.Error(err)) + logger.Error("encoding new metadata file", zap.Error(err)) continue } err = ioutil.WriteFile(metaFilePath, newMeta, 0600) if err != nil { - log.Error("writing new metadata file", zap.Error(err)) + logger.Error("writing new metadata file", zap.Error(err)) continue } } |