Improve security warnings

author: Matthew Holt <mholt@users.noreply.github.com> 2021-02-16 13:31:53 -0700
committer: Matthew Holt <mholt@users.noreply.github.com> 2021-02-16 14:05:31 -0700
commit: fbd00e4b53226164a9aae5f44bd52328d4e59d96 (patch)
tree: d605af61688f312d8c34507528638a3077661303 /modules/caddytls
parent: bafb562991598df703a744e13cbc06472e71349e (diff)
1 files changed, 12 insertions, 0 deletions
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index 489d87f..fdff447 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -236,6 +236,18 @@ func (t *TLS) Validate() error {
 
 // Start activates the TLS module.
 func (t *TLS) Start() error {
+	// warn if on-demand TLS is enabled but no restrictions are in place
+	if t.Automation.OnDemand == nil ||
+		(t.Automation.OnDemand.Ask == "" && t.Automation.OnDemand.RateLimit == nil) {
+		for _, ap := range t.Automation.Policies {
+			if ap.OnDemand {
+				t.logger.Warn("YOUR SERVER MAY BE VULNERABLE TO ABUSE: on-demand TLS is enabled, but no protections are in place",
+					zap.String("docs", "https://caddyserver.com/docs/automatic-https#on-demand-tls"))
+				break
+			}
+		}
+	}
+
 	// now that we are running, and all manual certificates have
 	// been loaded, time to load the automated/managed certificates
 	err := t.Manage(t.automateNames)
author	Matthew Holt <mholt@users.noreply.github.com>	2021-02-16 13:31:53 -0700
committer	Matthew Holt <mholt@users.noreply.github.com>	2021-02-16 14:05:31 -0700
commit	fbd00e4b53226164a9aae5f44bd52328d4e59d96 (patch)
tree	d605af61688f312d8c34507528638a3077661303 /modules/caddytls
parent	bafb562991598df703a744e13cbc06472e71349e (diff)