authorFrancis Lavoie <lavofr@gmail.com>2023-02-22 13:41:01 -0500
committerGitHub <noreply@github.com>2023-02-22 11:41:01 -0700
commitbe53e432fcac0a9b9accbc36885304639e8ca70b (patch)
treed7dbf7e9492e6e4a6e80876c346b85b2041a262e /modules/caddytls
parent79de6df93d0404790c3bfecfefa9e1458ffcff75 (diff)
caddytls: Relax the warning for on-demand (#5384)
Diffstat (limited to 'modules/caddytls')
-rw-r--r--modules/caddytls/tls.go13
1 files changed, 12 insertions, 1 deletions
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index 8051653..92004b8 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -22,6 +22,7 @@ import (
"log"
"net/http"
"runtime/debug"
+ "strings"
"sync"
"time"
@@ -259,7 +260,17 @@ func (t *TLS) Start() error {
if t.Automation.OnDemand == nil ||
(t.Automation.OnDemand.Ask == "" && t.Automation.OnDemand.RateLimit == nil) {
for _, ap := range t.Automation.Policies {
- if ap.OnDemand {
+ isWildcardOrDefault := false
+ if len(ap.Subjects) == 0 {
+ isWildcardOrDefault = true
+ }
+ for _, sub := range ap.Subjects {
+ if strings.HasPrefix(sub, "*") {
+ isWildcardOrDefault = true
+ break
+ }
+ }
+ if ap.OnDemand && isWildcardOrDefault {
t.logger.Warn("YOUR SERVER MAY BE VULNERABLE TO ABUSE: on-demand TLS is enabled, but no protections are in place",
zap.String("docs", "https://caddyserver.com/docs/automatic-https#on-demand-tls"))
break
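Review bot: The wildcard test `strings.HasPrefix(sub, "*")` only recognizes a leading `*`, so a subject with a wildcard in a later label (e.g. `foo.*.example.com`) would be exempted from the abuse warning; if the subject matcher treats `*` as a wildcard for any label — certmagic's MatchWildcard appears to substitute any single label, though that is not visible here — such a policy still applies on-demand issuance to an open-ended set of names, and the conservative check is `if strings.Contains(sub, "*") {`. The new exemption also deserves a why-comment, since the security reasoning is not stated in the code: `// on-demand policies restricted to explicit hostnames can only issue for those names, so only wildcard and catch-all policies warrant the abuse warning`. The enclosing `Start()` and its `for`/`if` continue past the end of this hunk.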