author | Matthew Holt <mholt@users.noreply.github.com> | 2021-02-16 13:31:53 -0700 |
---|---|---|
committer | Matthew Holt <mholt@users.noreply.github.com> | 2021-02-16 14:05:31 -0700 |
commit | fbd00e4b53226164a9aae5f44bd52328d4e59d96 (patch) | |
tree | d605af61688f312d8c34507528638a3077661303 /modules/caddytls | |
parent | bafb562991598df703a744e13cbc06472e71349e (diff) |
Improve security warnings
Diffstat (limited to 'modules/caddytls')
-rw-r--r-- | modules/caddytls/tls.go | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index 489d87f..fdff447 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -236,6 +236,18 @@ func (t *TLS) Validate() error {
 
 // Start activates the TLS module.
 func (t *TLS) Start() error {
+ // warn if on-demand TLS is enabled but no restrictions are in place
+ if t.Automation.OnDemand == nil ||
+ (t.Automation.OnDemand.Ask == "" && t.Automation.OnDemand.RateLimit == nil) {
+ for _, ap := range t.Automation.Policies {
+ if ap.OnDemand {
+ t.logger.Warn("YOUR SERVER MAY BE VULNERABLE TO ABUSE: on-demand TLS is enabled, but no protections are in place",
+ zap.String("docs", "https://caddyserver.com/docs/automatic-https#on-demand-tls"))
+ break
+ }
+ }
+ }
+
 // now that we are running, and all manual certificates have
 // been loaded, time to load the automated/managed certificates
 err := t.Manage(t.automateNames) |
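Review bot: The new guard dereferences `t.Automation` on its first line without checking it for nil; if `Automation` is a pointer field that stays unset when a config has no automation block (Provision is not on this page, so this is inferred rather than shown), Start would panic on such configs before it ever reaches Manage. Folding a nil check into the condition keeps the warning and removes the hazard: `if t.Automation != nil && (t.Automation.OnDemand == nil || (t.Automation.OnDemand.Ask == "" && t.Automation.OnDemand.RateLimit == nil)) {`. A one-line comment above the loop noting that only the first on-demand policy triggers the warning (hence the `break`) would also help the next reader. Start's body continues past the end of the hunk.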